CompuGroup Medical
Synchronizing Healthcare

Find out everything about the vision, mission, and the people who shape CompuGroup Medical worldwide. Investors will also find helpful information, documents, and other publications.

About Us
Press Releases

Office of Civil Rights puts HIPAA contingency plans on the front burner

October 2, 2018
A page from a binder at a healthcare practice that reads business continuity plan.

The most recent Office of Civil Rights (OCR) publication stresses the importance of a contingency plan for your organization to return to its daily operations as quickly as possible after an unforeseen event. A HIPAA-compliant contingency plan for your healthcare practice protects resources, minimizes patient inconvenience, and identifies key staff, assigning specific responsibilities in the context of the recovery.

What does a contingency plan do?

A contingency plan is focused on the steps to respond and recover operations in the event of an emergency or other disruption to normal operations.  Its major objectives are to ensure: (1) the containment of damage or injury to, or loss of, property, personnel, and data; and (2) the continuity of the key operations of the organization.

Contingency plans aren’t just a good idea; HIPAA regulations requires that HIPAA-covered entities and business associates establish and implement a contingency plan, according to 45 CFR Section 164.308(a)(7).

What’s required for a HIPAA-compliant plan?

The HIPAA compliant contingency plan will include:

  • Disaster Recovery Plan: Focus on restoring an organization’s PHI.
  • Emergency Mode Operation Plan (or Continuity of Operations): Focus on maintaining and protecting critical functions that protect the security of protected health data.
  • Data Backup Plan: Focus on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.
  • Applications and Data Criticality Analysis: Focus on identifying what applications and data are critical for the contingency plan.
  • Testing and Revisions: Focus on testing your contingency plan and revising any identified deficiencies.

Key steps to develop a HIPAA-compliant contingency plan

  • Make it Policy: A formal policy provides the authority and guidance necessary to develop an effective HIPAA contingency plan.
  • Identify what is Critical: Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.
  • Identify Risks, Threats and Preventative Controls:  Perform a risk analysis to identify the various risks that your business may face. What has the potential to significantly disrupt or harm your operations and data?

What is the result of a contingency plan and risk analysis?

The need for contingency plans appears as a result of a thorough and accurate analysis of the risks that your organization faces.  The end result of a risk analysis can provide a list of potential threats, risks, and preventative controls.  Prioritization of critical systems and information will help identify where to focus planning efforts.

Don’t wait for a disaster to happen before designing and implementing a contingency plan.

Additional resources:

Office for Civil Rights (OCR):

National Institute of Standards and Technology (NIST):

Assistant Secretary for Preparedness and Response: 

Related Articles
Are Windows Server 2008 security risks affecting your lab?
Are Windows Server 2008 security risks affecting your lab?
Microsoft ends support of Windows Server 2008

After 12 years on the ...

Providers implementing best practices for revenue cycle management (RCM)
7 best practices for revenue cycle management (RCM)

Every healthcare practice's revenue cycle management is the same. It starts ...