In its March 2018 cybersecurity newsletter, OCR explained the importance of contingency planning. The HIPAA Rules require healthcare organizations to plan for emergencies so that they can return to normal operations in the shortest time possible. A contingency plan details what an organization needs to do, and in what order, when a disaster happens. It needs to address different types of emergencies, including fires, system failures, vandalism, cyberattacks, ransomware attacks and natural disasters. Because the steps to be taken differ from one emergency to another, the plan should have specific procedures for each type of disaster.
Contingency planning, as a requirement of the HIPAA Security Rule, is not just done once. It is a continuing process. Plans must be checked, updated and tested regularly so that deficiencies can be identified and corrected immediately.
The HIPAA Rules on contingency planning are stipulated in the Security Rule administrative safeguards, 45 CFR § 164.308(a)(7)(ii)(A-E). A contingency plan includes developing:
- A Data Backup Plan – 308(a)(7)(ii)(A) – Having a data backup plan gives the assurance that PHI is not lost or destroyed if a disaster hits. A copy of the ePHI makes it possible to restore missing copies of medical records, which may include diagnostic images, case management information, test results and accounting systems. The best practice for making backups follows the 3-2-1 approach: make three copies of the data, store two in separate locations and keep one copy offsite. Test the backups to make sure they are good copies with recoverable data.
- A Disaster Recovery Plan – 308(a)(7)(ii)(B) – The disaster recovery plan establishes the procedures for restoring access to data. It includes the steps for recovering files from backups. A copy of this plan should be available at all times and must be stored in several locations.
- An Emergency Mode Operation Plan – 308(a)(7)(ii)(C) – The emergency mode operation plan ensures the continuity of critical business processes while keeping ePHI secure when the organization is operating in emergency mode, such as during a power outage or system failure.
- Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D) – Live tests and scenario-based walkthroughs may be used to test the completed contingency plan, and revisions should be made as necessary.
- An Application and Data Criticality Analysis – 308(a)(7)(ii)(E) – The specific software applications used to support the storage, maintenance and transmission of data or ePHI must be assessed to determine how critical they are to business functions.
OCR summarized the key elements of contingency planning as follows:
- The main goal of the plan is to maintain critical operations and reduce loss.
- Set a timeline – know the to-dos during the first hour, day, or week.
- Establish Plan Activation – What events will warrant the activation of the contingency plan? Who can activate the contingency plan?
- Make the contingency plan clear to all types of employees.
- Communicate the roles and responsibilities that the plan demands from the organization.
- Schedule the testing of the plan to identify deficiencies.
- Update the plan for effectiveness and raise organizational awareness.
- Review the plan regularly and situationally when there are changes in the operations, environment or personnel of the organization.