This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, for an addressable implementation specification a covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where one is reasonable and appropriate. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.
If a fire swept through a covered entity’s facility, the covered entity would need a plan to recover patient and billing files and to contact workforce members, patients, and business associate vendors to inform them of how it would stay in business.
This standard requires covered entities to establish contingency plans to respond to emergencies that could adversely impact electronic protected health information. The list of potential emergencies needs to be compiled during the covered entity’s required risk analysis, and may include, but is not limited to, power outage, vandalism, system failure, theft, disk crash, fire, chemical spill, and natural disasters such as tornado, earthquake, flood, and hurricane. Contingency plans focus on safeguarding electronic protected health information and recovery for systems that may be impaired as the result of an emergency.
With the growing use of electronic business systems by covered entities, increasing attention must be paid not only to having a contingency plan, but also to periodically testing and updating it. This Contingency Plan standard reflects the importance of that attention, to say nothing of the increased penalties for failure that are included in the HITECH provisions enacted as part of the American Recovery and Reinvestment Act (ARRA) signed by President Obama on February 17, 2009.
The Contingency Plan standard requires covered entities to develop and implement data backup, disaster recovery, and emergency mode operation plans. Even if the Security Rule did not require a Contingency Plan, developing and implementing such plans for electronic business systems would be prudent business practice. During the risk assessment that precedes preparation of the Contingency Plan, key questions for a covered entity would be:
» What are likely losses that could occur, and from what source?
» How would the covered entity’s customers be affected?
» What impact would there be on a covered entity’s reputation from a loss?
» What are likely costs associated with any loss?
» What are efforts, costs, and time needed to recover?
» What is the impact on the covered entity’s viability as a business?
In general, the following steps will assist any covered entity in developing and implementing a Contingency Plan:
» The covered entity establishes a contingency planning group, chaired by the Security Official.
» The planning group assesses threats and vulnerabilities as part of the covered entity’s required risk analysis.
» The planning group assigns priorities to threats and vulnerabilities that may impact computer systems and electronic protected health information.
» The Security Official, with assistance of the planning group, develops policies and procedures for contingency recovery strategies.
» The Security Official implements the contingency recovery plans, discusses them with workforce members, trains key workforce members to carry out plan provisions in the event of a contingency, and periodically tests workforce members' compliance with and performance of those provisions.
» The Security Official reviews and updates the covered entity’s contingency plans periodically.