Planning for the unexpected is particularly important for healthcare organizations that need to both ensure electronic protected health information (ePHI) security and meet HIPAA compliance requirements. To help organizations fulfill requirement 164.308(a)(7) of creating a contingency plan, the Dept. of Health and Human Services (HHS) has provided an Information Technology (IT) Contingency Plan template to be customized per organizational needs.
The HIPAA-required contingency plan has several essential subsections: a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedure, and applications and data criticality analysis plan. A HIPAA contingency plan is meant for responding to business disruptions or disasters, not necessarily data breaches. To summarize the actual IT Contingency Plan document, here’s what you need to create a comprehensive, HIPAA-compliant data recovery plan:
The scope of your contingency plan, including identifying the alternate site you will use for disaster recovery
Assumptions listing each component of the plan including preventative controls, equipment, hardware and software, offsite backup facility and service agreements
Concept of Operations
Description of your system architecture, including the operating environment, physical location, user location and third-party partnerships, e.g., a HIPAA hosting provider
Include technical considerations, such as backup procedures
Line of succession, meaning a contact list ordered by level of decision-making authority with office/home phone numbers and email addresses
A description and hierarchical diagram of recovery teams, including their responsibilities, such as operations recovery, computer environment/application recovery and daily operations recovery
Testing and maintenance schedule, including a description of technical testing: processing from backup systems at the alternate site, restoring the system from backups and switching voice/data telecommunications to the alternate processing site
Notification and Activation
A description of the notification sequence, meaning who notifies whom in the event of a disaster; for example, the first responder notifies the Contingency Planning Coordinator, the Systems Manager contacts the Damage Assessment Team, etc.
Detailed damage assessment procedures, including the cause of the disruption, affected physical area/infrastructure, status of IT equipment, etc.
Alternate assessment procedures
Criteria that outline when and under what conditions the contingency plan is to be activated
List the procedures for recovering applications at an alternate site
Describe the recovery objectives of each team/person involved in the recovery
Return to Normal Operations
Procedures for restoring the original or new site so that normal operations may be transferred, including the testing of IT equipment and telecommunications
Concurrent processing – including procedures for operating the system in coordination with the system at the original or new site
Procedures for deactivating the plan, including clearing the alternate site of equipment, materials and backup media