06-19-13 | Blog Post

Components of a HIPAA Compliant IT Contingency Plan

Blog Posts

Planning for the unexpected is particularly important for healthcare organizations that need to both ensure electronic protected health information (ePHI) security and meet HIPAA compliance requirements. To help organizations fulfill requirement 164.308(a)(7) of creating a contingency plan, the Dept. of Health and Human Services (HHS) has provided an Information Technology (IT) Contingency Plan template to be customized per organizational needs.

Within the HIPAA-required contingency plan, requirements for a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedure, and applications and data criticality analysis plan are all essential subsections. A HIPAA contingency plan is to respond to business disruptions or disasters, not necessarily data breaches. To summarize the actual IT Contingency Plan document, here’s what you need to create a comprehensive, HIPAA compliant data recovery plan:


  • The scope of your contingency plan, including identifying the alternate site you will use for disaster recovery
  • Assumptions listing each component of the plan including preventative controls, equipment, hardware and software, offsite backup facility and service agreements

Concept of Operations

  • Description of your system architecture, including the operating environment, physical location, user location and third-party partnerships, i.e. a HIPAA hosting provider
  • Include technical considerations, such as backup procedures
  • Include an IT architecture diagram depicting security controls and telecommunications connections [below is a diagram of a HIPAA compliant IT infrastructure made possible with the support of a HIPAA compliant data center – to learn more about each component, download our HIPAA Compliant Hosting white paper:]

HIPAA Compliant IT Architecture

  • Line of succession, meaning a contact list ordered by level of decision-making authority with office/home phone numbers and email addresses
  • A description and hierarchical diagram of recovery teams, including their responsibilities, such as operations recovery, computer environment/application recovery and daily operations recovery
  • Testing and maintenance schedule, including a description of technical testing: processing from backup systems at the alternate site, restoring system using backups and switching voice/data telecommunications to the alternate processing site

Notification and Activation

  • A description of the notification sequence, meaning who notifies who in the event of a disaster; i.e., the first responder notifies the Contingency Planning Coordinator, the Systems Manager contacts the Damage Assessment Team, etc.
  • Detailed damage assessment procedures, including the cause of the disruption, affected physical area/infrastructure, status of IT equipment, etc.
  • Alternate assessment procedures
  • Criteria that outlines when and under what conditions the contingency plan is to be activated

Recovery Operations

  • List the procedures for recovering applications at an alternate site
  • Describe each recovery objective of each team/person involved in the recovery goals

Return to Normal Operations

  • Procedures of the original or new site restoration so that normal operations may be transferred, including the testing of IT equipment and telecommunications
  • Concurrent processing – including procedures of operating the system in coordination with the system at the original or new site
  • Procedures of the plan deactivation, including clearing up the alternative site of equipment, materials and backup media

HHS Contingency Plan Template (Word Document)

Related Links:
Seeking a Disaster Recovery Solution? Five Questions to Ask Your DR Provider
Disaster recovery plans have become crucial for nearly every industry that relies on connectivity and uptime for business survival. According to the Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, a few of the top business drivers for creating an IT … Continue reading →

Business Continuity and Disaster Recovery
When considering business continuity and disaster recovery options, there’s really only one constant from business to business: it’s important to have. No matter how small or large your business, if something happens and there isn’t a plan, your company may … Continue reading →

HIPAA Breach Lessons Learned: Store PHI in HIPAA Compliant Data Centers; Not Locally
While no records were broken when it comes to number of health records disclosed per data breach, the top HIPAA breaches of last year still come with some hard lessons learned about technical and physical security. Learn from their mistakes … Continue reading →

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved