Posts Tagged analysis

A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

When was the last time you reviewed your entity’s Contingency Plan? If it has been awhile, or never, you need to get to work. In light of recent natural disasters and ransomware attacks, the necessity of thorough and documented contingency planning, to include backup and disaster recovery, has become a focus for health care entities.

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) health care entities are required to account for the confidentiality, integrity and accessibility of their electronic protected health information (ePHI). They must consider potential incidents that may affect their information systems like fires, vandalism, malware attacks and tornados. Then they must document their strategy for operation during those events.

Contingency planning should begin with a review of the entity’s Risk Analysis. This document identifies what type of ePHI the entity accesses or maintains, where the data resides, and how the entity handles the data. Afterwards, the entity should begin the process of developing specific Administrative Safeguards.

A Data Backup Plan is essential, especially in instances of malware and natural disasters. Entities must put procedures in place to create and maintain exact copy backups of their data that they can readily retrieve. For example, if an entity is heavily damaged by a tornado or fire, they must be able to gain access to the data that they previously utilized within their entity. Without the benefit of timely system backups, the entity would not be able to recover up-to-date data which can be a serious liability when treatment decisions are being made about patients/clients without the benefit of their most current records.

The entity should ensure that there is an appropriate off-site backup of the entity’s ePHI and that the backup is being appropriately performed. These exact copy backups generally occur on a daily, weekly and monthly basis. The entity should maintain copies of these backups and should test the system periodically to ensure that the backup process is working in accordance with the required standards.

The ability to recover lost or stolen data can be critical. The entity should ensure that they have an effective Disaster Recovery Plan that complies with the National Institute of Standards and Technology (NIST) specifications.[1] The Disaster Recovery Plan should identify risks observed in the Risk Analysis and reflect a comprehensive plan to recover ePHI within specific time parameters, generally 24 to 48 hours. Additionally, careful consideration must be given to appropriate off-site locations that the entity could utilize if their primary location is no longer available. All workforce members should be informed of the plan and trained on their specific role.

An Emergency Mode Operations Plan documents the manner in which the entity will work throughout the course of the emergency. This relates to the critical business processes that must take place to protect ePHI during and following the emergency or disaster. Examples include determining the need for additional equipment or supplies, ensuring hardware and software compatibility to retrieve ePHI and if necessary, communicating changes to patients/clients.

Testing and Revision Procedures are required for the Data Backup, Disaster Recovery and Emergency Mode Operation Plans. These tests should occur within the timelines listed in the entities Risk Analysis and in all instances no less than annually. The testing process should be documented and evaluated to determine any need for revision.

Entities should perform an Application and Data Criticality Analysis to identify the information systems that are most important from a business operations perspective. This allows the entity to prioritize which databases need to be restored and in what order. For example, if a health care provider were the victim of a ransomware attack and they were attempting to recover the data, the Application and Data Criticality Analysis would identify the exact systems that are most crucial to their operations, allowing them to more easily prioritize the recovery process.

What does a compliance professional look for when auditing an entity for compliance with contingency planning? Entities should be able to produce the following:

  • A documented Contingency Plan which covers each of the specifications listed above, namely Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedures and Application and Data Criticality Analysis;
  • Documented roles and responsibilities of workforce members during disasters or emergencies;
  • Documentation that identifies the entities critical applications;
  • Documentation to demonstrate the plan is periodically reviewed and tested; and
  • Documentation that reflects whether amendments to the Contingency Plan or Risk Analysis were warranted and implemented, if applicable.

While contingency planning is important for appropriate business operations and HIPAA compliance, it is also critical to patient care. Patients count on health care providers to provide appropriate treatment and care during normal periods and during emergencies. If an emergency or disaster renders an entity without access to their ePHI with no plan to recover or otherwise gain access to the data, that creates unnecessary liability on behalf of the provider for treating the patient without access to their current records. Patient care should be paramount to the mission of all health care entities.

[1] Although only federal agencies are required to follow NIST standards, they represent industry standards for how health care entities should handle ePHI.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

Posted in: HIPAA

Leave a Comment (0) →

Is Your HIPAA Contingency Plan Adequate?

Is Your HIPAA Contingency Plan Adequate?

Your response to this question may include one of the following answers:

  1. What in the world is a Contingency Plan?
  2. I think we did that, but I’m not sure where it is.
  3. I know we did one a while back, but we haven’t looked at it in a while.

If any of these responses sound familiar, you will want to get to work. FAST!

HIPAA covered entities are required to protect the integrity, confidentiality and availability of electronic protected health information (ePHI).  In accordance with §164.308(a)(7) of the HIPAA regulations, covered entities are required to develop and maintain a Contingency Plan.  Specifically, covered entities are required to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The purpose of this requirement is to ensure that entities are able to properly recover or access the accurate health information of their patients and clients during emergencies.

Entities must fulfill this requirement by satisfying “required” and “addressable” standards. Required specifications must be implemented while addressable specifications allow an entity to have more flexibility with regard to how they develop and implement the specification.

A Contingency Plan should include the following:

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Data Backup Plan

Entities must have internal controls as well as a working relationship with vendors of their information systems to ensure that the entity has the ability to do an up-to-date exact copy backup of its ePHI. The entity should have mechanisms in place to ensure that the backup is performed properly. This backup process must be periodically tested to ensure the integrity of the ePHI.

Data Recovery Plan

A Data Recovery Plan for use in disasters and emergencies must be developed.  Entities should review the HIPAA Risk Analysis to consider foreseeable threats. The Data Recovery Plan should reasonably mitigate any identified threats. In many instances, the entity needs to ensure that the Data Recovery Plan allows workforce members to access ePHI no later than 24 hours after a disaster occurs or a time deemed reasonable by the entity. Employees and staff must be educated with regard to their responsibilities in instances of emergencies when data recovery is warranted.

Emergency Operations Plan

An Emergency Operations Plan must be developed and documented. Entities should solicit the assistance of vendors of information systems that house the entity’s ePHI to devise a plan for how the entity should function during emergencies. This coordination shall include identifying alternate sites for work operations. The Emergency Operations Plan should be tested periodically during increments established by the entities risk management policy.

Testing and Revision Procedures

The Contingency Plan should be assessed and the entity should identify the need for any revisions. This testing should occur at least annually. This process, as well as any revisions that occur as a result of testing, should be documented. Testing shall include, but is not limited to, the disaster recovery plan, data backup plan and emergency operations plan.

Applications and Data Criticality Analysis

The entity must develop and amend their Risk Analysis, as necessary. As threats or vulnerabilities are identified in the Risk Analysis, the entity must work to resolve identified risks. The entity must ensure that contingency plans are included in the Risk Analysis and that vulnerabilities are appropriately addressed.

Where Should You Start?

  1. Develop a risk management group to oversee this process, as well as other HIPAA-related policies and procedures.
  2. Determine where your ePHI is stored and utilized in your entity.
  3. Consider threats to your ePHI. (Ex.) fires, flooding, hurricanes, tornadoes
  4. Develop procedures for how your entity will respond to these threats.
  5. Test and evaluate the procedures.

Don’t Forget to Document

Some entities invest considerable time and resources considering how they will respond to disasters and emergencies. Often, they implement procedures that are communicated orally but they fail to document the procedures and fail to develop written policies. Always remember, “if it isn’t written down, it didn’t happen.” Entities must ensure that they memorialize their contingency planning efforts by implementing written policies and procedures.

The absence of a written HIPAA Contingency Plan is indicative of an entity that has 1) not undergone a HIPAA compliant Risk Analysis or 2) has undergone an inadequate HIPAA Risk Analysis. In either case, the entity’s lack of attention to such a critical process could be detrimental to the health of its patients and the entity itself.

To ensure that your entity is complying with federal regulations, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

Posted in: HIPAA

Leave a Comment (0) →

A Risk Analysis Is Your Entity’s Annual HIPAA Checkup

A Risk Analysis Is Your Entity’s Annual HIPAA Checkup

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (ePHI). This process must be documented as a Risk Analysis. Covered entities must develop a Risk Analysis at their inception and review the Risk Analysis at least annually to identify potential changes to their information systems, physical environment, and/or the regulatory environment that may affect how they handle ePHI.

When performing a Risk Analysis, entities should review the HIPAA regulations and recommendations from the National Institute of Standards and Technology (NIST). Although federal agencies are the only entities required to comply with NIST, these guidelines act as the industry standard and should be followed by all covered entities.

Generally, a Risk Analysis is performed by the entity’s Security Officer. HIPAA requires each entity to have a designated Security Officer.  This designation must be in writing. The designated Security Officer must be familiar with the entity’s operations and competent in Information Technology. In accordance with NIST standards, the Security Officer should take the following steps to create or review the Risk Analysis:

  1. Determine where the entity’s ePHI is stored;
  2. Interview management to determine how workforce members utilize ePHI;
  3. Review access security settings and controls of the information systems;
  4. Determine the present and potential threats to ePHI;
  5. Determine the likelihood and impact of current and potential threats and assign them a risk level of high, medium or low;
  6. Document the Risk Analysis process and attach it to the updated Risk Analysis; and
  7. Work with management to resolve all threats within a reasonable period, with priority given to issues of higher risk and vulnerability.

Risk Analysis Content

A Risk Analysis shall include the evaluation of administrative, technical and physical safeguards.

Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.[1]  Administrative safeguards include the following:

  1. Assigned Security Responsibilities
  2. Security Management
  3. Information Access Management
  4. Business Associate Agreements
  5. Security Incident Procedures
  6. Security Awareness and Training
  7. Workforce Security
  8. Contingency Plans
  9. Evaluation

Technical safeguards are defined as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[2]  Technical safeguards include the following:

  1. Access Controls
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

Physical safeguards are defined as “physical measures, policies, and procedures to protect a covered entity‘s or business associate‘s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[3] Physical safeguards include the following:

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

The completed Risk Analysis must be maintained for at least six (6) years and should be kept in paper and electronic form.

Risk Analysis vs. Risk Management

Health care entities often confuse Risk Analysis and Risk Management. While a Risk Analysis serves to identify threats and estimate their risks, Risk Management is the process of managing identified risks. Risk Management consists of the development of policies and procedures that dictate how to address identified risks.

Several Risk Analysis Tools exist that entity’s can utilize. However, the Department of Health and Human Services (HHS) encourages entities to seek expert advise when completing a Risk Analysis to ensure that the Risk Analysis is accurate and thorough. Additionally, the National Institute of Standards and Technology (NIST) has produced a series of publications that can assist covered entities with understanding information technology security. Those publications can be viewed by visiting

A proper Risk Analysis is a necessity not only because it is required by HIPAA regulations, but also because it offers the entity the best opportunity to identify and deal with risks associated with the preservation of ePHI.  Finally, in the event a covered entity has to answer for a breach of PHI, the failure to produce a proper Risk Analysis could lead to sufficient justification for punitive action by HHS.

[1] 45 CFR 164.304

[2] 45 CFR 164.304

[3] 45 CFR 164.304

The Dunson Group is a health care compliance law firm in Montgomery, Ala., focused on helping health care providers meet regulatory requirements. Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, and regularly contributes articles of special interests to physicians and practice managers.

Posted in: HIPAA

Leave a Comment (0) →