Contingency Plan: Applications and Data Criticality Analysis-What to Do and How to Do It

April 9, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the fifth implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates will also be required to comply with the Security Rule standards, effective February 17, 2010.

What to Do

Assess the relative criticality of specific applications and data in support of other contingency plan components.

How to Do It

A covered entity will assign priorities to its contingency plan decisions and actions. These priorities will initially be outputs of the risk analysis, and thereafter will be reviewed as part of the periodic reassessment of threats and vulnerabilities. Priorities will be a function of the following:

» What are the most important steps in safeguarding the covered entity’s electronic systems and electronic protected health information?
» Where are the covered entity’s most vulnerable points with regard to electronic systems and electronic protected health information?
» What are the biggest threats to the covered entity’s electronic systems and electronic protected health information?
» What are the steps, in priority order, for the covered entity to recover electronic systems, electronic protected health information, and business operations in the event of a contingency?

The Security Official in the covered entity should establish criteria for assessing the relative importance of vulnerabilities and threats as part of the risk analysis, and should prioritize steps in data backup, disaster recovery, and emergency mode operation plans for recovery of operations and safeguarding the covered entity’s electronic systems and electronic protected health information.

Remember, the Security Rule covers safeguarding of electronic systems and electronic protected health information. As a result, loss of electricity is a critical threat to the covered entity’s applications and data and should have high priority in the covered entity’s risk analysis outcomes and in its recovery plans.

Tags: 2009, 2010, addressable, Administrative Safeguard Standard, American Recovery and Reinvestment Act of 2009, applications and data criticality analysis, ARRA, business associate, business operations, contingency plan, covered entity, data backup plan, disaster recovery plan, electricity, electronic protected health information, electronic systems, emergency mode operation plan, February 17, HIPAA Administrative Simplification, implementation specification, reasonable and appropriate, Risk Analysis, Security Official, Security Rule, threats and vulnerabilities
© 2023 · hipaa.com