HIPAA Compliance

Contingency Plan: Emergency Mode Operation Plan - What to Do and How to Do It

April 7, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

What to Do

Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in the emergency mode.

How to Do It

Covered entities are required to develop and implement procedures for continuation of business operations and protection of electronic protected health information while operating in an emergency mode. Such procedures would include, but not be limited to, a plan for accessing safeguarded information systems and workstations in a timely manner to ensure availability of electronic protected health information. The covered entity will determine the method and timeliness as risk mitigation outcomes of its risk analysis.

Examples of emergency mode operations plan procedures that the covered entity’s Security Official would implement include, but are not limited to:

» Maintaining an alternate site to perform data processing functions in the event of a disaster.
» Ensuring hardware and software compatibility at primary and backup sites.
» Providing backup electrical power and communications in the event of an emergency.
» Appointing workforce members to the emergency mode operations team.
» Ensuring that appropriate business associate hardware/software vendors are aware of the covered entity’s emergency mode operation plan and engaged in helping the covered entity recover, if required, in the event of an emergency.
» Training workforce members in the emergency mode operations plan, including determining extent of emergency, invoking the plan, informing customers and business associates, and restoring business operations.
» Periodically testing the emergency mode operations plan and making modifications, as necessary, as outlined in the next implementation specification of Contingency Planning.
» Ensuring that all actions are documented in writing.

Remember, a covered entity’s loss of electricity for a sustained period of time should be considered a disaster. Accordingly, the covered entity’s emergency mode operations plan needs to focus on restoring power as a major consideration in its plan for restoring business operations and safeguarding electronic protected health information.
