In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.
What to Do
Implement procedures for periodic testing and revision of contingency plans.
How to Do It
Testing and revision procedures call for covered entities to develop and implement procedures for periodic testing and revision of the contingency plans discussed earlier for the Contingency Plan standard. The definition of periodic, relating to frequency of testing, will be an outcome of the covered entity’s risk analysis. A covered entity that changes its electronic systems or requirements relatively often will need to test more frequently than a covered entity that has a more static technology environment. Similarly, a covered entity with a high turnover of workforce members or a relatively high frequency of emergency situations will need to test and review security safeguards more frequently than covered entities not experiencing those conditions.
Testing is a measure of plan effectiveness. Testing should involve all workforce members, but should be conducted outside of normal business operation hours. During testing, the Security Official should document successes, identify any deficiencies that result in test failures for plan remediation and further workforce member training, and calculate response times to recovery plan provisions. After testing, the Security Official should revise the contingency plan to reflect any modifications, inform workforce members of modifications, and conduct necessary training.
Testing of data backup, disaster recovery, and emergency mode operation plans should take place at least annually, with all actions documented in writing. The value of testing is that it permits the covered entity to evaluate the effectiveness of its recovery efforts, especially if previous modifications have been adequately accounted for in training, response times, timely restoration of business operations, and safeguarding of electronic protected health information.