Office of Civil Rights puts HIPAA contingency plans on the front burner

The most recent Office of Civil Rights (OCR) publication stresses the importance of a contingency plan for your organization to return to its daily operations as quickly as possible after an unforeseen event. A HIPAA-compliant contingency plan for your healthcare practice protects resources, minimizes patient inconvenience, and identifies key staff, assigning specific responsibilities in the context of the recovery.

What does a contingency plan do?

A contingency plan is focused on the steps to respond and recover operations in the event of an emergency or other disruption to normal operations.  Its major objectives are to ensure: (1) the containment of damage or injury to, or loss of, property, personnel, and data; and (2) the continuity of the key operations of the organization.

Contingency plans aren’t just a good idea; HIPAA regulations requires that HIPAA-covered entities and business associates establish and implement a contingency plan, according to 45 CFR Section 164.308(a)(7).

What’s required for a HIPAA-compliant plan?

The HIPAA compliant contingency plan will include:

• Disaster Recovery Plan: Focus on restoring an organization’s PHI.
• Emergency Mode Operation Plan (or Continuity of Operations): Focus on maintaining and protecting critical functions that protect the security of protected health data.
• Data Backup Plan: Focus on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.
• Applications and Data Criticality Analysis: Focus on identifying what applications and data are critical for the contingency plan.
• Testing and Revisions: Focus on testing your contingency plan and revising any identified deficiencies.

Key steps to develop a HIPAA-compliant contingency plan

• Make it Policy: A formal policy provides the authority and guidance necessary to develop an effective HIPAA contingency plan.
• Identify what is Critical: Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.
• Identify Risks, Threats and Preventative Controls:  Perform a risk analysis to identify the various risks that your business may face. What has the potential to significantly disrupt or harm your operations and data?

What is the result of a contingency plan and risk analysis?

The need for contingency plans appears as a result of a thorough and accurate analysis of the risks that your organization faces.  The end result of a risk analysis can provide a list of potential threats, risks, and preventative controls.  Prioritization of critical systems and information will help identify where to focus planning efforts.

Don’t wait for a disaster to happen before designing and implementing a contingency plan.

Additional resources:

Office for Civil Rights (OCR):

• https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

National Institute of Standards and Technology (NIST):

• https://csrc.nist.gov/topics/security-and-privacy/security-programs-and-operations/contingency-planning
• https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final (SP 800-34 rev1 and Supplemental Material)

Assistant Secretary for Preparedness and Response: 

• https://www.phe.gov/preparedness/planning/hpp/reports/documents/hc-coop2-recovery