Security Rule requirements, Part 3 – Contingency Planning

When it comes to planning for a disaster, most people think “that won’t happen to me”. Under HIPAA, you are required to ensure the integrity, confidentiality, and available of ePHI. When creating your contingency plan, it is necessary to review what natural disasters could happen in your area, how would you handle a hacking incident, and what precautions do you have in place to protect your facility from theft? The idea is to have a “plan” in place for whatever may happen.


The Contingency Plan § 164.308(a)(7) standard has five implementation sections, three are required and two are addressable. Remember, addressable does not mean optional. Addressable gives the entity some flexibility on how to implement the requirements.


  • 164.308(a)(7)(ii)(A) Data Backup Plan  (R)

Most covered entities may have backup procedures as part of current business practices. Data backup plans are an important safeguard for all covered entities, and a required implementation specification.
“Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”


  • 164.308(a)(7)(ii)(B) Disaster Recovery Plan  (R)

When it comes to disaster recovery planning, your plan may differ from others. Be sure your plan is based on where your data is located. Review where your data is located. Is it in a cloud-based or a premise (onsite) system? Although the majority of your ePHI may be in your EHR, you may have certain programs or files that are critical to business continuity that should also be backed up.

“Establish (and implement as needed) procedures to restore any loss of data.”
Some organizations may already have a general Disaster Plan that meets this requirement; however, each entity must review the current plan to ensure that it allows them to recover ePHI.


  • 164.308(a)(7)(ii)(C) Emergency Mode Operation Plan  (R)

When an organization is operating in emergency mode due to a technical failure or power outage, security processes to protect ePHI must be maintained.
“Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”
An emergency mode operation plan should include procedures to enable continued operations in the event of a natural disaster, fire, flood, vandalism, or a system failure while still protecting the facility and the electronic data. This may include budgeting for and scheduling outside resources.

For example:

Does the plan include a list of different types of emergencies and how to react to them?

Would your organization need a temporary location, or would you be able to use one of your other locations?

Does your organization have reasonable arrangements with your IT vendor to ensure critical systems are back up and running in an appropriate time frame?

Has your organization created an emergency process that includes procedures that can be accomplished manually that is critical to patient care and business continuity?

Has your organization secured a contract with a security company to protect the facility in the event of severe damage to the building?

Has your organization considered agreements with suppliers to provide equipment or considered a backup power source?

Has your organization created a budget and allocated for the extra expenses should an emergency arise?


  • 164.308(a)(7)(ii)(D) Testing and Revision Procedures  (A)

Where the testing and revision procedures implementation specification is a reasonable and appropriate safeguard the entity must:
“Implement procedures for periodic testing and revision of contingency plans.”
It is important to point out that this implementation specification applies to all implementation specifications under the Contingency Plan Standard, including the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan.


  • 164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis  (A)

“Assess the relative criticality of specific applications and data in support of other contingency plan components.”

This implementation specification requires entities to identify their software applications (data applications that store, maintain or transmit ePHI) and determine how important each is to patient care or business needs, in order to prioritize for Data Backup, Disaster Recovery and/or Emergency Mode Operations Plans. A prioritized list of specific applications and data will help determine which applications or information systems be restored first and/or which must be available at all times.


In our 7 Simple-Steps to HIPAA Compliance package, we have included an outline to assist clients in completing their Contingency Plan. You may also request a plan from your IT vendor to assist you as well. Try to think outside the box to ensure all bases are covered.

If you need assistance with your HIPAA Contingency Plan or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.


“Simplifying HIPAA through Partnership, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC