Components of a HIPAA Compliant IT Contingency Plan

Posted 6.19.13 by

Any copy that should appear below the title and before the body of content of the resource.

Planning for the unexpected is particularly important for healthcare organizations that need to both ensure electronic protected health information (ePHI) security and meet HIPAA compliance requirements. To help organizations fulfill requirement 164.308(a)(7) of creating a contingency plan, the Dept. of Health and Human Services (HHS) has provided an Information Technology (IT) Contingency Plan template to be customized per organizational needs.

Within the HIPAA-required contingency plan, requirements for a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedure, and applications and data criticality analysis plan are all essential subsections. A HIPAA contingency plan is to respond to business disruptions or disasters, not necessarily data breaches. To summarize the actual IT Contingency Plan document, here’s what you need to create a comprehensive, HIPAA compliant data recovery plan:


  • The scope of your contingency plan, including identifying the alternate site you will use for disaster recovery
  • Assumptions listing each component of the plan including preventative controls, equipment, hardware and software, offsite backup facility and service agreements

Concept of Operations

  • Description of your system architecture, including the operating environment, physical location, user location and third-party partnerships, i.e. a HIPAA hosting provider
  • Include technical considerations, such as backup procedures
  • Include an IT architecture diagram depicting security controls and telecommunications connections [below is a diagram of a HIPAA compliant IT infrastructure made possible with the support of a HIPAA compliant data center – to learn more about each component, download our HIPAA Compliant Hosting white paper:]

HIPAA Compliant IT Architecture

  • Line of succession, meaning a contact list ordered by level of decision-making authority with office/home phone numbers and email addresses
  • A description and hierarchical diagram of recovery teams, including their responsibilities, such as operations recovery, computer environment/application recovery and daily operations recovery
  • Testing and maintenance schedule, including a description of technical testing: processing from backup systems at the alternate site, restoring system using backups and switching voice/data telecommunications to the alternate processing site

Notification and Activation

  • A description of the notification sequence, meaning who notifies who in the event of a disaster; i.e., the first responder notifies the Contingency Planning Coordinator, the Systems Manager contacts the Damage Assessment Team, etc.
  • Detailed damage assessment procedures, including the cause of the disruption, affected physical area/infrastructure, status of IT equipment, etc.
  • Alternate assessment procedures
  • Criteria that outlines when and under what conditions the contingency plan is to be activated

Recovery Operations

  • List the procedures for recovering applications at an alternate site
  • Describe each recovery objective of each team/person involved in the recovery goals

Return to Normal Operations

  • Procedures of the original or new site restoration so that normal operations may be transferred, including the testing of IT equipment and telecommunications
  • Concurrent processing – including procedures of operating the system in coordination with the system at the original or new site
  • Procedures of the plan deactivation, including clearing up the alternative site of equipment, materials and backup media

HHS Contingency Plan Template (Word Document)

Related Links:
Seeking a Disaster Recovery Solution? Five Questions to Ask Your DR Provider
Disaster recovery plans have become crucial for nearly every industry that relies on connectivity and uptime for business survival. According to the Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, a few of the top business drivers for creating an IT … Continue reading →

Business Continuity and Disaster Recovery
When considering business continuity and disaster recovery options, there’s really only one constant from business to business: it’s important to have. No matter how small or large your business, if something happens and there isn’t a plan, your company may … Continue reading →

HIPAA Breach Lessons Learned: Store PHI in HIPAA Compliant Data Centers; Not Locally
While no records were broken when it comes to number of health records disclosed per data breach, the top HIPAA breaches of last year still come with some hard lessons learned about technical and physical security. Learn from their mistakes … Continue reading →

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.

Get in touch with an Otava Rep today – just provide us with a bit of information below to get started and we’ll reach out to you shortly!