The most recent Office of Civil Rights (OCR) publication stresses the importance of a contingency plan for your organization to return to its daily operations as quickly as possible after an unforeseen event. A HIPAA-compliant contingency plan for your healthcare practice protects resources, minimizes patient inconvenience, and identifies key staff, assigning specific responsibilities in the context of the recovery.
What does a contingency plan do?
A contingency plan is focused on the steps to respond and recover operations in the event of an emergency or other disruption to normal operations. Its major objectives are to ensure: (1) the containment of damage or injury to, or loss of, property, personnel, and data; and (2) the continuity of the key operations of the organization.
Contingency plans aren’t just a good idea; HIPAA regulations requires that HIPAA-covered entities and business associates establish and implement a contingency plan, according to 45 CFR Section 164.308(a)(7).
What’s required for a HIPAA-compliant plan?
The HIPAA compliant contingency plan will include:
- Disaster Recovery Plan: Focus on restoring an organization’s PHI.
- Emergency Mode Operation Plan (or Continuity of Operations): Focus on maintaining and protecting critical functions that protect the security of protected health data.
- Data Backup Plan: Focus on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.
- Applications and Data Criticality Analysis: Focus on identifying what applications and data are critical for the contingency plan.
- Testing and Revisions: Focus on testing your contingency plan and revising any identified deficiencies.
Key steps to develop a HIPAA-compliant contingency plan
- Make it Policy: A formal policy provides the authority and guidance necessary to develop an effective HIPAA contingency plan.
- Identify what is Critical: Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.
- Identify Risks, Threats and Preventative Controls: Perform a risk analysis to identify the various risks that your business may face. What has the potential to significantly disrupt or harm your operations and data?
What is the result of a contingency plan and risk analysis?
The need for contingency plans appears as a result of a thorough and accurate analysis of the risks that your organization faces. The end result of a risk analysis can provide a list of potential threats, risks, and preventative controls. Prioritization of critical systems and information will help identify where to focus planning efforts.
Don’t wait for a disaster to happen before designing and implementing a contingency plan.
Additional resources:
Office for Civil Rights (OCR):
National Institute of Standards and Technology (NIST):
Assistant Secretary for Preparedness and Response: