Is Your HIPAA Contingency Plan Adequate?

Your response to this question may include one of the following answers:

1. What in the world is a Contingency Plan?
2. I think we did that, but I’m not sure where it is.
3. I know we did one a while back, but we haven’t looked at it in a while.

If any of these responses sound familiar, you will want to get to work. FAST!

HIPAA covered entities are required to protect the integrity, confidentiality and availability of electronic protected health information (ePHI).  In accordance with §164.308(a)(7) of the HIPAA regulations, covered entities are required to develop and maintain a Contingency Plan.  Specifically, covered entities are required to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The purpose of this requirement is to ensure that entities are able to properly recover or access the accurate health information of their patients and clients during emergencies.

Entities must fulfill this requirement by satisfying “required” and “addressable” standards. Required specifications must be implemented while addressable specifications allow an entity to have more flexibility with regard to how they develop and implement the specification.

A Contingency Plan should include the following:

1. Data Backup Plan (Required)
2. Disaster Recovery Plan (Required)
3. Emergency Mode Operation Plan (Required)
4. Testing and Revision Procedures (Addressable)
5. Applications and Data Criticality Analysis (Addressable)

Data Backup Plan

Entities must have internal controls as well as a working relationship with vendors of their information systems to ensure that the entity has the ability to do an up-to-date exact copy backup of its ePHI. The entity should have mechanisms in place to ensure that the backup is performed properly. This backup process must be periodically tested to ensure the integrity of the ePHI.

Data Recovery Plan

A Data Recovery Plan for use in disasters and emergencies must be developed.  Entities should review the HIPAA Risk Analysis to consider foreseeable threats. The Data Recovery Plan should reasonably mitigate any identified threats. In many instances, the entity needs to ensure that the Data Recovery Plan allows workforce members to access ePHI no later than 24 hours after a disaster occurs or a time deemed reasonable by the entity. Employees and staff must be educated with regard to their responsibilities in instances of emergencies when data recovery is warranted.

Emergency Operations Plan

An Emergency Operations Plan must be developed and documented. Entities should solicit the assistance of vendors of information systems that house the entity’s ePHI to devise a plan for how the entity should function during emergencies. This coordination shall include identifying alternate sites for work operations. The Emergency Operations Plan should be tested periodically during increments established by the entities risk management policy.

Testing and Revision Procedures

The Contingency Plan should be assessed and the entity should identify the need for any revisions. This testing should occur at least annually. This process, as well as any revisions that occur as a result of testing, should be documented. Testing shall include, but is not limited to, the disaster recovery plan, data backup plan and emergency operations plan.

Applications and Data Criticality Analysis

The entity must develop and amend their Risk Analysis, as necessary. As threats or vulnerabilities are identified in the Risk Analysis, the entity must work to resolve identified risks. The entity must ensure that contingency plans are included in the Risk Analysis and that vulnerabilities are appropriately addressed.

Where Should You Start?

1. Develop a risk management group to oversee this process, as well as other HIPAA-related policies and procedures.
2. Determine where your ePHI is stored and utilized in your entity.
3. Consider threats to your ePHI. (Ex.) fires, flooding, hurricanes, tornadoes
4. Develop procedures for how your entity will respond to these threats.
5. Test and evaluate the procedures.

Don’t Forget to Document

Some entities invest considerable time and resources considering how they will respond to disasters and emergencies. Often, they implement procedures that are communicated orally but they fail to document the procedures and fail to develop written policies. Always remember, “if it isn’t written down, it didn’t happen.” Entities must ensure that they memorialize their contingency planning efforts by implementing written policies and procedures.

The absence of a written HIPAA Contingency Plan is indicative of an entity that has 1) not undergone a HIPAA compliant Risk Analysis or 2) has undergone an inadequate HIPAA Risk Analysis. In either case, the entity’s lack of attention to such a critical process could be detrimental to the health of its patients and the entity itself.

To ensure that your entity is complying with federal regulations, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com