
The most recent OCR publication stresses the importance of a contingency plan for your organization to return to its daily operations as quickly as possible after an unforeseen event. The contingency plan protects resources, minimizes patient inconvenience and identifies key staff, assigning specific responsibilities in the context of the recovery.
What does a contingency plan do? A contingency plan is focused on the steps needed to respond to and recover operations from an emergency or other disruption to normal operations. Its major objectives are to ensure: (1) the containment of damage or injury to, or loss of, property, personnel, and data; and (2) the continuity of the key operations of the organization.
Contingency plans aren’t just a good idea; HIPAA regulations require that HIPAA covered entities and business associates establish and implement a contingency plan, according to 45 CFR Section 164.308(a)(7).
What’s required for a HIPAA compliant contingency plan? The HIPAA compliant contingency plan will include:
- Disaster Recovery Plan: Focused on restoring an organization’s PHI.
- Emergency Mode Operation Plan (or Continuity of Operations): Focused on maintaining critical functions while in emergency mode so that the security of protected health data is preserved throughout the disruption.
- Data Backup Plan: Focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.
The HIPAA compliant contingency plan will also address:
- Applications and Data Criticality Analysis: Focused on identifying what applications and data are critical for the contingency plan.
- Testing and Revisions: Focused on testing your contingency plan and revising any identified deficiencies.
Key Steps to develop a HIPAA compliant contingency plan:
- Make it Policy: A formal policy provides the authority and guidance necessary to develop an effective HIPAA contingency plan.
- Identify what is Critical: Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.
- Identify Risks, Threats and Preventative Controls: Perform a risk analysis to identify the various risks that your business may face. What has the potential to significantly disrupt or harm your operations and data?
What is the result of a contingency plan and risk analysis? The need for contingency plans is established by a thorough and accurate analysis of the risks that your organization faces. The end result of a risk analysis is a list of potential threats, risks, and preventative controls. Prioritization of critical systems and information will help identify where to focus planning efforts.
Don’t wait for a disaster to happen before designing and implementing a contingency plan.
Additional Contingency Planning Resources:
Office for Civil Rights (OCR):
National Institute of Standards and Technology (NIST):
- https://csrc.nist.gov/Topics/Security-and-Privacy/security-programs-and-operations/contingency-planning
- https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final (SP 800-34 rev1 and Supplemental Material)
Assistant Secretary for Preparedness and Response:
- https://www.phe.gov/Preparedness/planning/hpp/reports/Documents/hc-coop2-recovery