One of the areas we review on all audits and assessments of the HIPAA Security Rule is HIPAA’s requirements concerning contingency plans. These requirements are found in the Administrative Safeguards section of the Security Rule under the Contingency Plan standard (See § 164.308(a)(7)):
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Under this standard, the regulation lists a mix of required and addressable implementation specifications to further elaborate on what HIPAA is looking for in a contingency plan:
- Data Backup Plan (Required) – Procedures to create and maintain retrievable exact copies of electronic protected health information.
- Disaster Recovery Plan (Required) – Procedures to restore any loss of data, including specific timeframes for restoring critical services, identification of cross-functional dependencies, resource requirements, dependencies on third parties and key contacts inside and outside the organization.
- Emergency Mode Operation Plan (Required) – Procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode during and immediately after a crisis situation.
- Testing and Revision Procedure (Addressable) – Procedures for periodic testing and revision of the contingency plan, including training of personnel.
- Applications and Data Criticality Analysis (Addressable) – Assess the relative criticality of specific applications and data in support of other contingency plan components.
The focus of the HIPAA contingency plan is ensuring that a covered entity or business associate can recover from a disruption of access to electronic protected health information (ePHI). Its all good advice whether the focus is ePHI, personal identifying information or just company records. When we review this area, we look for the following artifacts or evidence:
- A formal contingency plan with defined objectives and sections for or coverage of the data backup plan, disaster recovery plan, emergency mode operations plan, testing and revision procedure, and applications and data criticality analysis.
- Plan documentation identifying the critical applications, data, operations, and manual and automated processes involving ePHI.
- Plan documentation specifying roles and responsibilities throughout the organization.
- Evidence of plan review and approval on a periodic basis (e.g., at least annually).
- Plan documentation specifying backup and recovery plans supported by technology-based backup and recovery software tools and processes.
- Plan documentation specifically mentioning required security safeguards, both physical and logical, to ensure ePHI is protected throughout the emergency. This is the intent and purpose of the emergency mode operation plan.
- Contingency operations procedures to allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
- Plan documentation specifying periodic testing and revision of the plan (e.g., at least annually).
- Evidence that the plan is tested. Testing can occur through team training exercises to walk through disaster scenarios. But testing should also include demonstrating that ePHI is backed up, the backup copy is stored offsite and that ePHI can be restored from the backup copy.