Contingency Plan: Testing and Revision Procedures-What to Do and How to Do It

April 8, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where reasonable and appropriate. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

What to Do

Implement procedures for periodic testing and revision of contingency plans.

How to Do It

Testing and revision procedures call for covered entities to develop and implement procedures for periodic testing and revision of the contingency plans discussed earlier under the Contingency Plan standard. The definition of “periodic,” relating to frequency of testing, will be an outcome of the covered entity’s risk analysis. A covered entity that changes its electronic systems or requirements relatively often will need to test more frequently than a covered entity with a more static technology environment. Similarly, a covered entity with high turnover of workforce members, or a relatively high frequency of emergency situations, will need to test and review its security safeguards more frequently than covered entities not experiencing those conditions.

Testing is a measure of plan effectiveness. Testing should involve all workforce members but should be conducted outside of normal business operating hours. During testing, the Security Official should document successes, identify any deficiencies that result in test failures (for plan remediation and further workforce member training), and measure the response times actually achieved against the recovery plan’s provisions. After testing, the Security Official should revise the contingency plan to reflect any modifications, inform workforce members of the modifications, and conduct the necessary training.

Testing of the data backup, disaster recovery, and emergency mode operation plans should take place at least annually, with all actions documented in writing. The value of testing is that it permits the covered entity to evaluate the effectiveness of its recovery efforts, including whether previous modifications have been adequately accounted for in training, response times, timely restoration of business operations, and safeguarding of electronic protected health information.

© 2023 · hipaa.com