In its March 2018 cybersecurity newsletter, OCR explained the HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.
A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.
What are the HIPAA Rules on Contingency Planning?
The HIPAA Rules on contingency planning are found in the Security Rule's administrative safeguards, 45 CFR § 164.308(a)(7)(ii)(A)-(E). The first three implementation specifications are required; the last two are addressable, meaning a covered entity must implement them or document why an equivalent alternative is reasonable and appropriate.
- Develop and Implement a Data Backup Plan – § 164.308(a)(7)(ii)(A) (required)
- Develop a Disaster Recovery Plan – § 164.308(a)(7)(ii)(B) (required)
- Develop an Emergency Mode Operation Plan – § 164.308(a)(7)(ii)(C) (required)
- Develop and Implement Procedures for Testing and Revision of Contingency Plans – § 164.308(a)(7)(ii)(D) (addressable)
- Perform an Application and Data Criticality Analysis – § 164.308(a)(7)(ii)(E) (addressable)
A data backup plan ensures that when disaster strikes, ePHI is not lost or destroyed. Retrievable, exact copies of all ePHI must be maintained so that the data can be restored in full, and this covers every form of ePHI: medical records, diagnostic images, test results, case management information, and accounting systems. A widely recommended practice is the 3-2-1 approach to backups: keep three copies of the data, store them on at least two different types of media, and keep one copy securely offsite. A backup job completing without error is not evidence that recovery will work; backups must be tested by actually restoring them and confirming that the restored data is an exact copy of the original.
A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files are to be restored from backups and in what order systems are brought back. A copy of the plan should be readily available and stored in more than one location, including one that remains reachable when the primary site is down.
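The two paragraphs above call for exact, restorable copies and for backups that are actually tested. The following is an added example, not code from HIPAA Journal, OCR, or Braver, showing one way to do that test mechanically: build a SHA-256 manifest of the source data, archive it, restore the archive into a scratch directory, and compare digests so that a restore is proven to be an exact copy before the backup is trusted. The function names (`create_backup`, `verify_restore`, `demo`) and the sample files are hypothetical and constructed inline; no real patient data is involved.

```python
"""Backup integrity check: create an archive, restore it, prove the restore is exact.

Added example (not from the original article). Assumes a local gzip-compressed
tar archive; in production the archive would be encrypted and one copy shipped
offsite per the 3-2-1 approach, but the verification logic is the same.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` into `archive` and return the manifest captured at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive to a scratch directory and return every path that is
    missing, altered, or unexpected relative to `manifest`. An empty list means
    the restore is an exact copy."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # Python 3.12+ (and backports): refuse absolute paths, '..' and device files
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))
        for rel, digest in manifest.items():
            if restored.get(rel) != digest:
                problems.append(rel)  # missing from restore or content differs
        for rel in restored:
            if rel not in manifest:
                problems.append(rel)  # present in restore but never in the source
    return sorted(problems)


def make_sample_records(root: Path) -> None:
    """Constructed sample files standing in for ePHI; the content is fake."""
    (root / "records").mkdir(parents=True)
    (root / "records" / "patient-0001.txt").write_text("chart: sample only\n")
    (root / "imaging").mkdir()
    (root / "imaging" / "study-42.bin").write_bytes(os.urandom(4096))
    (root / "ledger.csv").write_text("date,amount\n2018-03-01,120.00\n")


def demo() -> tuple:
    """Back up the sample data, verify a clean restore, then show that a backup
    which no longer matches the live data (a stale copy) is reported."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "ephi"
        make_sample_records(source)
        archive = Path(work) / "ephi-backup.tar.gz"
        manifest = create_backup(source, archive)
        clean = verify_restore(archive, manifest)
        # A record is amended after the backup ran; verifying the old archive
        # against the current manifest shows that restoring it would not be exact.
        (source / "records" / "patient-0001.txt").write_text("chart: amended after backup\n")
        stale = verify_restore(archive, build_manifest(source))
        return clean, stale


if __name__ == "__main__":
    clean_problems, stale_problems = demo()
    print("clean restore problems:", clean_problems)
    print("stale backup problems:", stale_problems)
```

The manifest should be stored alongside (but not inside) the archive, so that a restore exercise months later can still be checked against what was backed up. Running the check on a schedule, and on a copy pulled from the offsite location rather than the one that was just written, is what turns "we have backups" into evidence for the testing procedures in § 164.308(a)(7)(ii)(D).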
Summary of Key Elements of Contingency Planning
OCR has provided a summary of the key elements of contingency planning:
- The primary goal is to maintain critical operations and minimize loss.
- Define time periods – What must be done during the first hour, day, or week?
- Establish Plan Activation – What event(s) will cause the activation of the contingency plan? Who has the authority to activate the contingency plan?
- Ensure the contingency plan can be understood by all types of employees.
- Communicate and share the plan and roles and responsibilities with the organization.
- Establish a testing schedule for the plan to identify gaps.
- Update the plan whenever testing or experience shows it is not effective, and use those updates to increase organizational awareness.
- Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.
How Braver can ensure your Disaster Recovery Plan is HIPAA compliant
With Braver's Ready Vault Quickstart: Backup and Recovery Service, your data is backed up as often as every fifteen minutes, and in the event of a server malfunction the Ready Vault device can assume the role of that server while continuing to take incremental backups. This means your network stays up while your server is being repaired and parts are being ordered.
To ensure that your data is protected in any disaster, the Ready Vault device encrypts your data and can archive it incrementally to our off-site data centers.
Please contact us for more information on creating a Disaster Recovery Plan for your business.
Published with permission from HIPAAJournal.com.