A contingency plan is a key standard stipulated in the HIPAA Security Rule at 164.308(a)(7)(i) under the administrative safeguards. HIPAA contingency plans address the security principle of "availability." The availability principle deals with risks related to business disruption, with the aim of ensuring that authorized personnel can still access vital systems and data in spite of the disruption.
A contingency plan sets out strategies for implementing the technical measures, procedures, and plans needed to recover networking systems, data, and operations in the event of a disruption. Business Continuity Planning and Disaster Recovery Planning is the development process of creating the measures and procedures that allow your business to resume its normal functions in the event of a crisis, disaster or disruption. The whole idea is to cut down on the costs related to such risks while remaining functional to your suppliers, staff, and customers.
The Business Impact Analysis is normally done at the beginning of business continuity and disaster recovery planning; its main objective is to identify the areas that would be worst hit financially in the event of a disruption or disaster. Identifying sensitive systems is necessary to ensure the continuity of your business in case of such an event.
Contingency plans are a required standard under the HIPAA Security Rule in the Administrative Safeguards section. It is also notable that HIPAA contingency plan requirements appear as implementation specifications under the Physical Safeguards section and the Technical Safeguards section as well.
| HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | Implementation |
|---|---|---|
| 164.308(a)(7)(ii)(A) | Data Backup Plan | Required |
| 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable |
| 164.310(a)(1) | Facility Access Controls | - |
| 164.310(d)(1) | Device and Media Controls | - |
| 164.310(d)(2)(iv) | Data Backup and Storage | Addressable |
| 164.312(a)(2)(ii) | Emergency Access Procedure | Required |
The data backup plan is an implementation specification of the HIPAA Security Rule under the Contingency Plan standard within the Administrative Safeguards section. The goal of the data backup plan is to formulate and implement the procedures needed to create and maintain retrievable copies of protected eHealth information. Backups are taken periodically so that the copies remain current and are up to date at recovery and restoration time. How well a business succeeds at this normally depends on its activities, procedures and maintenance systems.
One of the key implementation specifications of the HIPAA Security Rule under the Contingency Plan standard in the Administrative Safeguards portion is the disaster recovery plan. The main objective of a disaster recovery plan is to put procedures in place that ensure the restoration of any lost data. The disaster recovery plan is a contingency plan that ensures that, in the event of fire, vandalism, system failure or natural catastrophe, the lost data can be restored.
The disaster recovery plan applies to all major events, including disasters, that may leave a facility non-operational over a long period of time. In practice, the disaster recovery plan is a focused IT plan designed so that a system can be restored to a former state or to its state at the time of the emergency.
Therefore, the disaster recovery plan should be able to restore a business's critical processes through the actions, resources and data needed to rebuild a damaged system. It is important to identify critical data and vital systems, and to document the procedures necessary to restore the information system to a former state.
The emergency mode operation plan is one of the necessary implementation specifications of the HIPAA security rule under HIPAA Contingency Plan standard found in the Administrative Safeguards Section.
The main aim of the emergency mode operation plan is to determine the procedures necessary to ensure continuity of business processes and protection of eHealth information while operating in emergency mode. The emergency mode operation plan is a contingency plan that ensures the continuity of the business in the event of a system failure, catastrophe, or vandalism. It is also important to test the effectiveness of the disaster recovery plans, budgets, and schedules in an emergency mode operation.
The testing and revision procedures are part and parcel of the implementation specifications of the HIPAA Security Rule under the Contingency Plan standard found in the Administrative Safeguards section.
The main objective of the testing and revision procedures is to establish procedures for periodic testing and revision of contingency plans. The whole process involves reviewing the results of periodic tests of the written contingency plans and watching out for potential weaknesses. These processes are necessary for effective testing.
Applications and data criticality analysis are a part of the implementation specification of the HIPAA Security Rule under the HIPAA Contingency Plan found in the Administrative Safeguards section.
The main objective of the applications and data criticality analysis is to evaluate the specific applications needed to support the other contingency plan components. The idea is to assess the entity's capacity to keep its data secure and the risks facing any data stored, received, or transmitted in its systems. The whole process starts with an application and data inventory.
Contingency Operations is one of the implementation specifications under the HIPAA Security Rule in the Facility Access Controls standard within the Physical Safeguards section. The aim of contingency operations is to establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and the emergency mode operation plan in case of a real emergency.
Physical security is a vital component of business continuity in the event of a disaster. The necessary administrative controls must be put in place to ensure the physical access the contingency plans depend on, so that procedures work out as planned.
Data backup and storage is among the implementation specifications of the HIPAA Security Rule under the Device and Media Controls standard within the Physical Safeguards section. A covered entity must be able to create a retrievable copy of the protected eHealth information, when required, before moving the equipment. It is also mandatory to keep your backup consistently updated, since you will need this backup in case of a disaster.
Emergency access procedure is an implementation specification under the HIPAA Security Rule's Access Control standard found in the Technical Safeguards section. The main aim of the emergency access procedure is to determine the appropriate procedures for accessing protected eHealth information in the event of an emergency. It is important to note that emergency access plays a significant role in determining an organization's efficiency in accessing its data in the event of a disaster.
The National Institute of Standards and Technology (NIST) recommends the following steps as necessary for addressing contingency planning requirements. These key steps are:
Let us help you with your Contingency planning project.
Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591.