In its March 2018 cybersecurity email newsletter, OCR outlined the HIPAA Rules on contingency planning and advised healthcare organizations to plan for emergencies so that normal operations can be restored in the shortest possible time.
A contingency plan ensures that when disaster strikes, the organization knows exactly which steps must be taken and in what order.
Contingency plans should cover all types of emergencies, including natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The measures required for each scenario can differ considerably; recovering from a ransomware attack, for instance, involves very different steps from recovering from a flood. The plan should therefore include specific procedures for each type of disaster it anticipates.
Contingency planning is not just a best practice; it is a requirement of the HIPAA Security Rule. It should not be treated as a one-time checkbox item for HIPAA compliance. It is a continuous process in which plans are regularly reviewed, updated, and tested so that any deficiencies are identified and addressed before they matter.
HIPAA Rules on Contingency Planning
The HIPAA Rules on contingency planning are concerned with ensuring that healthcare organizations return to normal operations as quickly as possible and that the confidentiality, integrity, and availability of ePHI are maintained throughout the disruption.
The HIPAA Rules on contingency planning are set out in the Security Rule administrative safeguards at 45 CFR § 164.308(a)(7). The standard is supported by five implementation specifications, § 164.308(a)(7)(ii)(A)-(E). The first three are "required"; the last two are "addressable", which means a covered entity must implement them if reasonable and appropriate, or document why not and implement an equivalent alternative measure.
- Develop and Implement a Data Backup Plan – § 164.308(a)(7)(ii)(A) (required)
- Develop a Disaster Recovery Plan – § 164.308(a)(7)(ii)(B) (required)
- Develop an Emergency Mode Operation Plan – § 164.308(a)(7)(ii)(C) (required)
- Develop and Implement Procedures for Testing and Revision of Contingency Plans – § 164.308(a)(7)(ii)(D) (addressable)
- Perform an Application and Data Criticality Analysis – § 164.308(a)(7)(ii)(E) (addressable)
A data backup plan ensures that when disaster strikes, ePHI is not lost or destroyed. The plan must establish procedures to create and maintain retrievable exact copies of all ePHI, covering every form in which it is held: medical records, diagnostic images, test results, case management information, and accounting systems. A widely used best practice is the 3-2-1 approach: keep three copies of the data, on at least two different types of media, with one copy held securely offsite. Because backups are themselves copies of ePHI, they must be protected to the same standard as the production data (encrypted, access-controlled, and logged), and at least one copy should be offline or otherwise immutable so that a ransomware attack that reaches the production network cannot also encrypt or delete the backups. Backups must also be tested regularly to confirm that the data can actually be recovered, since an untested backup is only an assumption.
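One way to turn "exact copies" and "backups must be tested" into something routine and measurable is to capture a hash manifest of the source data when the backup is taken, and then compare every restored file against that manifest during a restore test. The script below is an added example for this page, not OCR's or any HIPAA tooling; the file names and contents are constructed sample data, and the size-plus-SHA-256 manifest format is the author's own choice. It shows why a size check alone is not enough: the damaged restore contains a file of the correct size whose contents have been silently corrupted.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large imaging files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> size and SHA-256 for every file under root.

    Taken at backup time; stored separately from the backup media so that a
    tampered or partially corrupted backup cannot also rewrite its own manifest.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time.

    Returns a report rather than raising, so a scheduled restore test can log
    exactly which files failed and why.
    """
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            mismatched.append(rel)
    # Files present in the restore but absent from the manifest are not a
    # recovery failure, but they are worth flagging: they came from somewhere.
    extra = [
        p.relative_to(restored).as_posix()
        for p in restored.rglob("*")
        if p.is_file() and p.relative_to(restored).as_posix() not in manifest
    ]
    return {
        "ok": not (missing or mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
    }


def demo() -> tuple:
    """Constructed sample: a tiny 'ePHI' tree, a faithful restore, and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ephi"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.json").write_text('{"mrn": "0001", "dx": "sample"}')
        (src / "imaging.bin").write_bytes(bytes(range(256)) * 4)  # 1024 bytes
        manifest = build_manifest(src)

        good = Path(tmp) / "restore-good"
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore-bad"
        shutil.copytree(src, bad)
        # Same size as the original, different bytes: only the hash catches this.
        (bad / "imaging.bin").write_bytes(b"\x00" * 1024)
        # A file the restore job never wrote back.
        (bad / "records" / "patient-0001.json").unlink()

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print(json.dumps({"good": good_report, "bad": bad_report}, indent=2))
```

In practice the manifest is generated as part of the backup job and written to a location the backup media cannot overwrite; the restore test then runs on a schedule against each copy in the 3-2-1 set, and a non-empty `missing` or `mismatched` list is the finding that goes into the plan's revision record. Hashing also gives an integrity check on the offsite copy before it is trusted during a real recovery.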
A disaster recovery plan should establish the procedures to be followed to restore any lost data and regain access to systems, including how files are to be restored from backups and in what order. A copy of the plan should be easily accessible and stored in more than one location, so that it is still available if the primary site or network is the thing that has failed.
The emergency mode operation plan must establish procedures that allow critical business processes to continue, while still protecting the security of ePHI, during the period the organization is operating in emergency mode, for example during a technical failure or power outage.
All parts of the contingency plan must be regularly tested and revised as required. OCR recommends conducting scenario-based walkthroughs and live tests of the overall plan.
Covered entities and business associates should "assess the relative criticality of specific applications and data in support of other contingency plan components." Every software application used to store, maintain, or transmit ePHI must be assessed to determine how critical it is to business functions, because that ranking determines the order in which systems and data are restored and which ones the emergency mode operation plan must keep running.