What are the Components of a HIPAA Contingency Plan?

Modified on Mon, 11 Dec, 2023 at 1:53 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Under the HIPAA Security Rule, a contingency plan has five components. Of these five, three components are required. The remaining two are “addressable,” meaning that an organization must adopt them if it is reasonable and appropriate to do so. If it is not reasonable and appropriate to do so, the organization (covered entity or business associate) must document why this is the case, and develop an equivalent reasonable and appropriate measure. 

The five components of a HIPAA Security Rule Contingency Plan are:


Component #1: Data backup plan (required):
This component of contingency planning requires a CE or BA to establish and implement procedures to create and maintain retrievable copies of all ePHI stored in their system so that if the office data is lost, corrupted, or destroyed, it can be recovered.


Component #2: Disaster recovery plan (required): 
Covered entities and business associates must establish and implement policies and procedures to restore ePHI lost in the event of a disaster. For example, a disaster recovery plan should encompass procedures such as developing an employee phone list to use in an emergency, and procedures for patient contact in the event that appointments need to be verified or rescheduled.

Component #3: Emergency Mode Operation Plan (required):
This component of the contingency plan requires CEs and BAs to establish and implement procedures to enable the continuation of critical practice activities, including the protection of ePHI, while operating in an emergency mode. CEs and BAs must adopt a plan that, among other requirements, notifies employees of what to do if they are involved in an emergency situation, and who they should contact to assess the seriousness of the situation.

Component #4: Testing and Revision Procedures (addressable):

Backup, disaster recovery, and emergency mode operation plans are of no use if they are unrealistic or fail to accomplish the goals of restoring ePHI systems. Testing and revision procedures should be developed to ensure regular testing of the contingency plan components mentioned above. Contingency plan testing should focus on an organization’s ability to: access alternative computers and sites in a timely fashion; load and run any necessary software programs; and load, view, and use backup data.

Component #5: Applications and Data Criticality Analysis (addressable):
This component requires CEs and BAs to assess the relative criticality of specific applications and data in support of other contingency plan components.

To complete this assessment, an organization should identify any and all ePHI-containing computers, systems, applications, devices, and other sources of ePHI (“Systems, Applications, and Data”) that are critical to its operation. Systems, applications, and data that are critical to the organization’s operation are those without which the organization could not function should a failure happen.


The organization should determine how long it can function without the application or data before it would be absolutely necessary to have it functioning. The organization should use the results of its security risk analysis to determine which of these systems, applications, and data are most-to-least critical. Restoration priority should be given to the most critical systems, applications, and data.


