HIPAA Compliance
Contingency Plan: Sample Policy and Procedures

April 2, 2009 · Security

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

HIPAA.com will outline What to do and How to do it for each of the five contingency plan implementation specifications. Here, we describe a sample policy and sample procedures for the contingency plan standard. The inputs to your contingency plan and to each of its implementation specifications will be outputs of your covered entity’s risk analysis.

Sample Policy

Our covered entity responds to emergencies that may impair our computer systems and electronic protected health information. Workforce members are responsible for complying with these policies and procedures.

Sample Procedures

Our covered entity’s Security Official has identified key elements of our contingency plan. These are:

Contingency Planning Group

Our covered entity’s Security Official defines the mission of this contingency planning group, chairs the group, and assigns workforce members to the group.

Operating Environment and Core Applications

Examples may include, but are not limited to: electronic protected health information; application and database servers; telephone and other communication systems; operational business systems (e.g., patient scheduling systems, practice management systems, e-prescribing systems, claims adjudication systems, clearinghouse systems); internet systems and applications; email (Exchange) servers; desktop systems; workstations, laptops, tablets, and personal digital assistants (PDAs); network servers, scanners, and printers.

Facility Locations

The covered entity’s physical location(s) and its contingency recovery sites, including secure offsite locations for applications, the electronic protected health information database, and hardware.

Key Covered Entity Workforce Members Responsible for Achieving Contingency Recovery

Names and contact information (reachable 24/7); the party or parties responsible for declaring a contingency and invoking the contingency recovery plan; and an outline of the steps required to achieve contingency recovery.
