What is a HIPAA IT Disaster Recovery Plan?

Modified on Tue, 1 Jul at 11:06 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

What is a HIPAA IT Disaster Recovery Plan?
A HIPAA IT Disaster Recovery plan is a component of the HIPAA Contingency Plan requirement. The HIPAA Security Rule's Contingency Plan Standard requires covered entities and business associates to "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."

The IT Disaster Recovery Plan requirement obligates covered entities and business associates to "Establish (and implement as needed) procedures to restore any loss of data."

What are the Components of a HIPAA IT Disaster Recovery Plan?

The HIPAA regulations do not specify the precise components of an IT disaster recovery plan. Best practices taken from contingency planning concepts can be used to develop the IT disaster recovery plan. These include:

Step 1: Performing a Business Impact Analysis (BIA)

A business impact analysis (BIA) is a thorough assessment and inventorying of an organization’s virtual environment. In this process, the organization must take into account the volume and type of data that is being managed; where the data is being stored; how much in terms of resources and time must be expended to restore access to different types of data; and how critical each type of data is to business operations. The more vital the data is to the business’s ability to function, the higher that data’s priority of restoration, and resource allocation, should be.

Step 2: Performing a Risk Assessment

Conducting a risk assessment consists of running and evaluating hypothetical external situations that can hurt your business. External situations that can damage your business include natural disasters, such as hurricanes and blizzards. External situations also include man-made events, such as active shooter situations and acts of terror. 

When conducting the risk assessment, an organization should consider all potential external incident types, and the likelihood of their occurrence. The organization should also consider the nature and severity of the impact each incident may have on the organization’s ability to continue normal operations. It is necessary to consider all the possible incident types, as well as the impact each may have on the organization’s ability to continue to deliver its normal business services. In preparing the risk assessment, organizations should review all records and sources of information at their disposal to assess the threat posed by each instance. Records and sources of information can include, for example:

  • Employee recollection of prior disruptive events and how they affected business operations;
  • First-responder organizations' advice; and
  • Disaster recovery resource libraries from government agencies, such as the Federal Emergency Management Agency (FEMA).

Step 3: Create a Risk Management Strategy

Once you have identified data processes and the business impacts of disruptions to them, combined with the likelihood of a given disaster taking place, you should develop a risk mitigation strategy. This strategy should provide for specific backup solutions and disaster recovery procedures for critical data.

Factors to consider in developing a strategy (among others) include legal factors (laws may restrict where data can be stored); recovery point objectives (RPOs), which measure how much data an organization can afford to lose as the result of a disaster; and recovery time objectives (RTOs), which are metrics that calculate how quickly an organization needs to recover IT services and infrastructure after a disaster to maintain business continuity. 

Step 4: Configure and Run Testing Exercises on Your Disaster Recovery Plan

Once the risk management strategy is in place, you must engage in testing scenarios to ensure that the strategy is properly configured. Testing exercises can differ in complexity. The goal of any testing exercise is to ensure that data has been backed up in accordance with your recovery point objectives, and to ensure that the strategy actually works. Once testing has confirmed that the risk management strategy is sound, the strategy is “ready to use.” Bear in mind, however, that testing should not be conducted only before strategy rollout. Testing should be performed continuously – especially after an incident occurs. This way, you can refine and make changes to the strategy you deploy.
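
The following is an added example, not part of the original article: it scores the results of one restore exercise against the RPO and RTO recorded for each data set in the BIA, in restoration-priority order. The asset names, priorities, objectives and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed BIA inventory (illustrative values): lower priority number = restore first.
ASSETS = [
    {"name": "billing-files", "priority": 2, "rpo": timedelta(hours=24), "rto": timedelta(hours=24)},
    {"name": "ehr-database", "priority": 1, "rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    {"name": "scanned-archive", "priority": 3, "rpo": timedelta(days=7), "rto": timedelta(days=3)},
]

# Constructed results of one restore exercise: the newest backup that could be
# restored and how long the restore took. scanned-archive was never exercised.
DRILL = {
    "ehr-database": {"last_backup": datetime(2025, 7, 1, 8, 30), "restore_took": timedelta(hours=5)},
    "billing-files": {"last_backup": datetime(2025, 6, 29, 23, 0), "restore_took": timedelta(hours=6)},
}

def evaluate_drill(assets, drill, disaster_time):
    """Return (asset, finding, detail) tuples, highest restoration priority first."""
    findings = []
    for asset in sorted(assets, key=lambda a: a["priority"]):
        result = drill.get(asset["name"])
        if result is None:
            # An untested asset has no evidence that it can be restored at all.
            findings.append((asset["name"], "NOT_TESTED", "no restore was attempted"))
            continue
        # RPO: data written after the last restorable backup is lost.
        data_loss = disaster_time - result["last_backup"]
        if data_loss > asset["rpo"]:
            findings.append((asset["name"], "RPO_MISSED",
                             f"{data_loss} of data lost, objective is {asset['rpo']}"))
        # RTO: the measured restore time must fit inside the objective.
        if result["restore_took"] > asset["rto"]:
            findings.append((asset["name"], "RTO_MISSED",
                             f"restore took {result['restore_took']}, objective is {asset['rto']}"))
    return findings

if __name__ == "__main__":
    # Simulated disaster time for the exercise (constructed).
    for name, finding, detail in evaluate_drill(ASSETS, DRILL, datetime(2025, 7, 1, 9, 0)):
        print(f"{finding:<11} {name}: {detail}")
```
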

