Contingency Plan: Sample Policy and Procedures

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

HIPAA.com will outline What to do and How to do it for each of the five contingency plan implementation specifications. Here, we describe sample policy and procedures for contingency plan. The inputs for your contingency plan and each of the implementation specifications will be outputs of your covered entity’s risk analysis.

Sample Policy

Our covered entity responds to emergencies that may impair our computer systems and electronic protected health information. Workforce members are responsible for complying with these policies and procedures.

Sample Procedures

Our covered entity’s Security Official has identified key elements of our contingency plan. These are:

Contingency Planning Group

Our covered entity’s Security Official defines the mission of this contingency planning group, chairs the group, and assigns workforce members to the group.

Operating Environment and Core Applications

Examples may include, but are not limited to: electronic protected health information; application and database servers; telephone and other communication systems; operational business systems (e.g., patient scheduling systems, practice management systems, e-prescribing systems, claims adjudication systems, clearinghouse systems); internet systems and applications; email exchange servers; desktop systems; workstations, laptops, tablets, and personal data assistants (PDAs); network servers, scanners, and printers.

Facility Locations

Covered entity physical location(s) and contingency recovery sites, including secure offsite application, electronic protected health information database, and hardware locations.

Key Covered Entity Workforce Members Responsible for Achieving Contingency Recovery

Names and contact information for 24/7 accessibility; name of party or parties responsible for declaring a contingency and invoking contingency recovery plan; and outline of steps to achieve contingency recovery.