Labor Day is about celebrating American workers and this year amidst the coronavirus pandemic and with the recent natural disasters affecting many across the country, we would like to say THANK YOU to healthcare professionals everywhere!
Typical preparations for Labor Day weekend usually include deciding where to camp, what to grill, and how to celebrate. Or on the business side of things, managing time-off requests and ensuring adequate coverage if still open for normal business operations. While these things are still important, this year we would like to focus on how organizations are required under HIPAA to stay prepared for natural disasters and emergencies.
What does it mean to be prepared in case of an emergency for healthcare organizations?
A Contingency Plan is a requirement under the HIPAA Security Rule that obliges covered entities to have policies and plans in place to protect the availability, integrity, and security of data during unexpected negative events (such as pandemics, hurricanes, earthquakes, etc.). Data is often most exposed during these events, since the usual security measures may be disabled, ignored, or not observed.
These policies and procedures detail how to respond to emergencies and other occurrences, such as fires, vandalism, system failures, and natural disasters, that can damage systems containing ePHI. A disaster and emergency response process must reduce the disruption of information systems to an acceptable level through a combination of preventive and recovery controls and processes.
Components of a Contingency Plan
- Data Backup Plan - Covered entities are required to establish and implement procedures to create and maintain retrievable exact copies of ePHI.
- Disaster Recovery Plan - Covered entities are required to establish, and implement as needed, procedures to restore any loss of data after an emergency. A disaster recovery plan contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
- Emergency Mode Operation Plan - Covered entities are required to establish, and implement as needed, procedures to enable the continuation of critical business processes for protection of the security of ePHI while operating in emergency mode. This plan contains a process that enables an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
- Testing and Revision Procedures - Covered entities are required to address implementing procedures for periodic testing and revision of contingency plans. Written testing and feedback mechanisms are key to successful testing. This implementation specification ensures that contingency plans are kept up to date when business processes change.
- Applications and Data Criticality Analysis - Covered entities are required to assess the relative criticality of specific applications and data in support of the other contingency plan components. This is an entity's assessment of the sensitivity, vulnerabilities, and security of its programs and of the information it receives, manipulates, stores, and/or transmits.
Does your organization need help developing, implementing, or reviewing any of the Contingency Plan requirements? We can help; contact your compliance specialist (855.427.0427) to find out how.