The contingency plan falls under the HIPAA Security Rule 164.308(a)(7)(i) which is under the Administrative Safeguards. The plan addresses the security principle of “availability” which addresses some of the risks and threats related to business disruption and ensuring protected information can still be accessed by authorized individuals whenever necessary.
The contingency planning or Business Continuity Planning (BCP) of an organization is about the implementation and use of strategies involving, procedures, technical measures, and plans necessary for the recovery of lost data, operations, and systems in the event of a business disruption. The BCP is all about developing particular procedures, policies, and processes that are necessary for hastening the recovery of a business’s systems and operations within a targeted time frame. Well, the main aim is to ensure that the risk levels are at a manageable level without compromising on costs that may otherwise, have an impact on your workforce, customers, and suppliers.
A Business Impact Analysis is normally carried out at the start of the disaster recovery or continuity planning to ensure any areas that could be a serious threat to an entity’s financial status or operations in case of disruption are arrested on time. This is normally to identify areas that are crucial to the running and operation of any business and assess the time taken for the business to recover fully in case of such a loss.
The contingency plan standard definition is in the HIPAA Security Rule under the Administrative Safeguards section. Other related requirements of the Contingency Plan are found in the implementation specification under the Physical Safeguards and Technical safeguards Section according to the HIPAA Laws.
HIPAA Citation | HIPAA Security Rule Standard Implementation Specification | Implementation |
ADMINISTRATIVE SAFEGUARDS | ||
164.308(a)(7)(i) | Contingency Plan | – |
164.308(a)(7)(ii)(A) | Data Backup Plan | Required |
164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required |
164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required |
164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable |
164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable |
PHYSICAL SAFEGUARDS | ||
164.310(a)(1) | Facility Access Controls | – |
164.310(a)(2)(i) | Contingency Operations | Addressable |
164.310(d)(1) | Device and Media Controls | – |
164.310(d)(2)(iv) | Data Backup and Storage | Addressable |
TECHNICAL SAFEGUARDS | ||
164.312(a)(1) | Access Control | – |
164.312(a)(2)(ii) | Emergency Access Procedure | Required |
Data Backup Plan is a Contingency Plan standard which is a required implementation specification according to the HIPAA Security rule under the Administrative Safeguards section.
The core objective of the Data backup plan is to create and establish procedures necessary to ensure the maintenance and retrievable exact copies of stored EPHI. Therefore, this is an updated and documented plan that will ensure the creation and maintenance of data that can be retrieved as an exact copy in event of a disruption. Otherwise, a successful backup plan is normally dependent on an entity’s processes and batch activities.
The disaster recovery plan is one of the Contingency Plan standards and an implementation specification requirement of the HIPAA security rule under the Administrative Safeguards section.
Therefore, the core objective of the Data backup plan is to create procedures and processes that will assist the restoration of any lost data in case of disaster, vandalism, or system failure. This plan is crucial especially in the case of natural catastrophes which may disrupt access to such data for a long period of time. This should also mean that the recovery plan which uses a designed IT plan should ensure the restoration of a system, computer, or application to a former state after the emergency.
The recovery plan also explains some of the data, processes, and actions necessary to ensure the restoration of a business’s operations after a disaster. This will also entail creating an inventory of all the sensitive data and systems that will be necessary to foster the restoration of an entity’s activity to an alternate state.
The emergency mode operation plan is one of the implementation specification requirements of Contingency Plan standards of the HIPAA Security rule under the Administrative Safeguards section.
The emergency mode operation plan is to ensure the continuity of a business’s operations through established rules and procedures and still ensure the protection of EPHI while in the emergency mode. Otherwise, this operation plan is meant to assist an entity in resuming its normal operations in the event of a disaster, emergency, vandalism, or system failure. It is usually advisable that you plan adequately for the emergency mode operation testing in terms of allocation of resources, budgeting, and creating a schedule.
This is a contingency plan standard and an addressable implementation specification of the HIPAA security rule under the Administrative Safeguards section.
The main aim of these procedures is to ensure that there are procedures put in place for the revision and testing of contingency plans. The main goal should be to process the periodic testing of written contingency plans to identify weaknesses and make necessary revisions to the documentation. Otherwise, without such testing, there is no telling how successful a test will be.
This is an addressable implementation specification according to the contingency plan standard of the HIPAA security rule under the Administrative Safeguards section.
The Criticality Analysis forms the basis or platform in which specific applications and data can be assessed in terms of their support and criticality to other contingency plan components. This is meant to assess the sensitivity of risks, weaknesses, and security of the information the entities can access, use, store or transmit. The procedure starts with data inventory and an application.
The Contingency operation is one of the addressable implementation specifications of the HIPAA security rule and a standard of the Facility Access Controls under the Physical Safeguards section.
The main aim of contingency operations is to work on processes that can assist the facility to access its restored data under the emergency operation mode plan and the disaster recovery plan in case of an emergency. On the other hand, physical security cannot be overlooked when it comes to disaster and business continuity planning. In addition, administrative controls necessary for physical access must be established to ensure contingency operations run as planned in the plans.
The Data backup and storage is one of the Device and Media control standards and an implementation specification of the HIPAA security rule under the Physical Safeguards sections.
One of the key standards of this rule is that a covered entity has to ensure that it has a retrievable exact copy of EPHI whenever it is needed before moving equipment. It is important to ensure consistent backup of any data to ensure that the organization can still access its latest data in the event of a disaster or system failure. In addition, this will reduce the risks of losing critical data which is quite common if a database is not updated consistently.
The Emergency Access Procedure is a key implementation specification requirement of the HIPAA security rule under the Technical Safeguards section within the Access Control Standard.
The main aim of the Emergency Access Procedure is to foster procedures that will assist access of EPHI during an emergency. Even though Emergency access is quite different from access in normal situations they are a key to access control and specifically during emergencies.
Some of the seven steps recommended by the Nation Institutes of Standards and Technology are as follows:
We can help you in three different ways depending on your need, involvement, time, available resources, and budget.
OPTION 1: If you are in a hurry to complete the HIPAA Security Contingency Plan and you don’t have internal resources to completely devote to this project then we can independently complete the project for you. The only involvement required will be providing information about your infrastructure, policies, processes, and current contingency plan, if any.
OPTION 2: If you have internal staff members who can completely devote their time to this project but don’t know the methodology, we will provide a project manager to work with your team and help to complete the Contingency plan document.
OPTION 3: If you have all the necessary resources for Business Continuity Planning and BIA project but need to save time on documentation, you can use our HIPAA Contingency Plan Template Suite documents. Many IT Security consulting companies, HIPAA consultants, and hospitals are using our HIPAA Contingency plan templates in their projects.
View HIPAA Security Policies and Procedures
Let us help you with your Contingency planning project.
Please contact us for more information at Bob@supremusgroup.com or call (515) 865-4591