What Are HIPAA Contingency Plans?

HIPAA Contingency Plans

The HIPAA Security Rule requires covered entities (CEs) and business associates (BAs) to implement administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). As part of this implementation, covered entities and business associates should develop HIPAA contingency plans.

What is the Purpose of HIPAA Contingency Plans?

Disruptions to a business can be caused by a number of events. These include:

  • Natural disasters (e.g., hurricanes and tornadoes)
  • Vandalism
  • Cyberattacks
  • Fire

These events can result in loss of access to vital systems and information, making disaster contingency plans a necessity.

Covered entities and business associates must develop HIPAA contingency plans to ensure that when a disaster hits, the organization knows exactly what recovery steps to take, and in exactly what order they must be taken. Developing an effective, HIPAA-compliant contingency plan ensures that healthcare organizations return to normal operations as quickly as possible, and that the confidentiality, integrity, and availability of ePHI are safeguarded.

No two disasters are exactly alike – each disruption caused by a disaster poses unique recovery concerns. As such, a specific contingency plan tailored to the particular emergency should be developed for each potential business disruption. A fire disaster contingency plan under HIPAA, for example, should contain procedures incorporating fire recovery principles, while a HIPAA cyberattack contingency plan should contain procedures incorporating cybersecurity recovery principles.

In addition, HIPAA Security Rule contingency plans should be continually tested, checked, and, if necessary, updated, to ensure that they remain both current and effective.

Compliancy Group can help you develop an effective, HIPAA-compliant contingency plan.

What Are the Contents of a HIPAA Contingency Plan?

The HIPAA Security Rule requires that a HIPAA disaster contingency plan contain the following components:

HIPAA Contingency Plan Element 1: A Data Backup Plan

Having a data backup plan ensures that ePHI is not lost or destroyed if a disaster strikes. Data should be backed up by creating a viable copy of all ePHI. The copy that is created must allow for restoration of exact copies of ePHI in all of its forms (e.g., diagnostic images, medical charts and records, and results of medical tests). More than one backup copy of ePHI should be created; in addition, the copies should each be stored on different media. To ensure that a backup plan works – that is, that it allows for recovery of ePHI data – the backups you create must be tested.

HIPAA Contingency Plan Element 2: A Disaster Recovery Plan

A disaster recovery plan establishes the step-by-step procedures to be followed to restore access to ePHI data. The plan should specify how files are to be restored from the backed-up data. Copies of the plan should be readily available to ensure easy reference by staff.

HIPAA Contingency Plan Element 3: An Emergency Mode Operation Plan

The emergency mode operation plan specifies which critical business processes must continue to operate in an emergency, to ensure that ePHI remains secure.

HIPAA Contingency Plan Element 4: Procedures for Testing and Revision of Contingency Plans

Each component of your contingency plan should be tested on a regular basis and revised as necessary. Testing may include scenario-based “walkthroughs” as well as actual, live tests. You should develop written procedures explaining what roles employees must serve in a given testing scenario.

HIPAA Contingency Plan Element 5: An Application and Data Criticality Analysis

This analysis consists of assessing all software applications that create, store, maintain, or transmit ePHI, to determine the level of each application’s criticality (importance) to overall business functions. As a general matter, restoration of the applications that are most critical to the business being able to operate should be effected before restoration of those applications that are less critical.

Compliancy Group Simplifies HIPAA Compliance

Covered entities can address their obligations under the HIPAA Security Rule by working with Compliancy Group to develop required Security Rule safeguards, including administrative safeguards.

Our ongoing support and web-based compliance app, The Guard™, give healthcare organizations the tools to address HIPAA Security Rule standards – including the tools to develop effective HIPAA contingency plans – so they can get back to confidently running their business, even in the wake of a business disruption.