In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.
What to Do
Establish (and implement as needed) procedures to restore any loss of data.
How to Do It
The content and procedures of a covered entity’s disaster recovery plan will be
» Outcomes of the covered entity’s identification of vulnerabilities and potential threats in the risk analysis.
» Safeguards adopted by the covered entity to mitigate risks associated with those vulnerabilities and threats.
» Responsibilities of the covered entity’s key workforce members whom the Security Official assigns to carry out recovery should a loss become a reality and a disaster occur.
The covered entity should prepare a comprehensive, usable, and effective disaster recovery plan, which will take time and involve the entire workforce.
A covered entity’s loss of electricity for a sustained period of time should be considered a disaster, for which the covered entity has a plan for restoring business operations and safeguarding electronic protected health information.
“The final [Security] rule calls for covered entities to consider how natural disasters could damage systems that contain electronic protected health information and develop policies and procedures for responding to such situations. We [HHS] consider this to be a reasonable precautionary step to take since in many cases the risk would be deemed to be low.” [68 Federal Register 8351] Even though the probability of occurrence may be low, a covered entity should consider potential loss regarding any vulnerability or threat from a worst-case scenario.
The next implementation specification focuses on an emergency mode operation plan. The disaster recovery plan should include how operations would be conducted in an emergency and which workforce members would be responsible for carrying out those operations.
Wikipedia identifies resources to begin disaster recovery planning. Also, visit the National Institute of Standards and Technology Web site for disaster recovery planning help with NIST’s Contingency Planning Guide for Information Technology Systems, available from NIST.