Understanding HIPAA Security Rule - "Contingency Plan" Standard: Part 2
Posted by: Sameer Sule in DRJ Blogs on Jan 04, 2012
By Sameer Sule
As I mentioned in my earlier blog (Part 1), the Contingency Plan requirement is the seventh standard under the Administrative Safeguards requirement of the HIPAA Security Rule. The Security Rule has Administrative, Physical and Technical safeguards. Each safeguard has its own standards, and each standard in turn has its own implementation specifications that are either required or addressable. As mentioned in Part 1, addressable does not mean optional.
Even though these safeguards, standards and implementation specifications address different components of the Security Rule, they need to be taken as part of the whole security picture. While addressing the Data Backup Plan implementation specification, one should not forget about data encryption, data backup and storage, the emergency access procedure, and the other specifications under the Physical and Technical safeguards that also affect the data handling and data recovery aspects of the Contingency Plan. Care should be taken to ensure the privacy, security and integrity of ePHI (electronic protected health information) at all times, whether in use, in storage or in transit.
The table below summarizes the Administrative, Physical and Technical Safeguards of the Security rule along with their associated implementation requirements, which directly and/or indirectly affect the Contingency Plan standard compliance requirement.
| Standard | Section | Implementation specification | Required (R) / Addressable (A) |
|---|---|---|---|
| Administrative Safeguards | | | |
| Contingency Plan | 164.308(a)(7) | | |
| | 164.308(a)(7)(ii)(A) | Data Backup Plan | R |
| | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | R |
| | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | R |
| | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | A |
| | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | A |
| Physical Safeguards | | | |
| Facility Access Controls | 164.310(a)(1) | | |
| | 164.310(a)(2)(i) | Contingency Operations | A |
| Device and Media Controls | 164.310(d)(1) | | |
| | 164.310(d)(2)(iv) | Data Backup and Storage | A |
| Technical Safeguards | | | |
| Access Control | 164.312(a)(1) | | |
| | 164.312(a)(2)(ii) | Emergency Access Procedure | R |
| | 164.312(a)(2)(iv) | Encryption and Decryption | A |
| Transmission Security | 164.312(e)(1) | | |
| | 164.312(e)(2)(i) | Integrity Controls | A |
| | 164.312(e)(2)(ii) | Encryption | A |
At every step of the Contingency Plan implementation, ePHI data privacy, integrity, and security cannot be compromised. Covered Entities and Business Associates must:
- Conduct a comprehensive risk assessment of all systems that create, receive, maintain or transmit patient ePHI. This should include all servers (physical and virtual), workstations, network equipment, laptops, and all other mobile devices such as smartphones and tablets. The assessment should cover every point in your IT systems that can come into contact with ePHI.
- Assign a Contingency Plan officer who is accountable for contingency planning, implementation and compliance for the organization.
- Write a formal Backup and Disaster Recovery Plan that ensures business continuity in the event of a disaster.
- Implement a backup solution that regularly backs up the ePHI data while ensuring the security and integrity of the backup data at all times. The backup can be tape, disk, offsite or cloud. Make sure that the backups are encrypted.
- Implement a disaster recovery plan that ensures access to ePHI in the event of an unforeseen disaster and enables the organization to recover critical data and applications as soon as possible. The plan should account for common disruptions such as power outages, internet outages and hardware crashes, as well as disruptions due to fire, flood, and other disasters that are likely to occur or have previously occurred at the business location or in the region.
- Implement a procedure to operate in emergency mode if there is a disaster. Ensure that all ePHI is protected during this time.
- Ensure that all personnel are aware of and properly trained in the policies and procedures of the disaster recovery plan.
- The Contingency Plan is a living document. As an organization undergoes changes in its personnel and technology, it is extremely important to implement a policy to regularly review and test the Backup and Disaster Recovery Plan.
Sameer Sule is a Business Technology Consultant at Kinara Insights. He helps his clients understand and use technology to reduce business downtime, improve efficiency and be successful.