In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates will also be required to comply with the Security Rule standards, effective February 17, 2010.
What to Do
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in the emergency mode.
How to Do It
Covered entities are required to develop and implement procedures for continuation of business operations and protection of electronic protected health information while operating in an emergency mode. Such procedures would include, but not be limited to, a plan for accessing safeguarded information systems and workstations in a timely manner to ensure availability of electronic protected health information. The covered entity determines the method and timeliness of that access as risk mitigation outcomes of its risk analysis.
Examples of emergency mode operations plan procedures that the covered entity’s Security Official would implement include, but are not limited to:
» Maintaining an alternate site to perform data processing functions in the event of a disaster.
» Ensuring hardware and software compatibility at primary and backup sites.
» Providing backup electrical power and communications in the event of an emergency.
» Appointing workforce members to the emergency mode operations team.
» Ensuring that appropriate business associate hardware/software vendors are aware of the covered entity’s emergency mode operations plan and, if required, are engaged in helping the covered entity recover in the event of an emergency.
» Training workforce members in the emergency mode operations plan, including determining extent of emergency, invoking the plan, informing customers and business associates, and restoring business operations.
» Periodically testing the emergency mode operations plan and modifying it as necessary, as outlined in the next implementation specification of Contingency Planning.
» Ensuring that all actions are documented in writing.
Remember, a covered entity’s loss of electricity for a sustained period of time should be considered a disaster. Accordingly, the covered entity’s emergency mode operations plan needs to treat restoring power as a major consideration in its plan for restoring business operations and safeguarding electronic protected health information.