Key Facts About HIPAA Compliance – What You Need to Know – Part 4

by Alex Hirsch (SU)

Our series is designed to explain best practices about HIPAA compliance, HIPAA settlements, and the various requirements an organization must have in place under the HIPAA Security and Privacy Rules.

The Need for Contingency Plans and Testing

The HIPAA Security Rule, under CFR § 164.308 (Administrative Safeguards), requires covered entities to establish and implement, as needed, Contingency Plan policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that can damage systems that contain electronic protected health information (ePHI). Regardless of the size of your organization, a plan must be in place.

The requirements also call for the implementation of procedures for periodic testing and revision of the contingency plan.

What Must Be Covered in the Contingency Plan?

The plan does not need to be overly elaborate, but it must be functional. It should state clearly and concisely what to do in the event of an information systems failure, whether caused by a natural or a man-made disaster.

Here are some areas that must be covered in the plan:

  • Maintain an asset inventory of all software and hardware that can access or store ePHI; this is vitally important.
  • Define all routine operations and preventive measures.
  • Define data backup and recovery procedures.
  • Determine who is alerted when a disaster occurs, and how the plan is invoked.
  • Describe how to shut down all information systems in the event of a potential or active disaster.
  • Describe how to access backup ePHI data in the event of an emergency. This is especially important if your organization provides critical health care services on a 24/7 basis.
  • Routinely test the plan.

Help with HIPAA Compliance

Our goal at Colington is to keep your organization one step ahead by making sure those tasked with implementing a Contingency Plan understand the requirements.

Have a question about HIPAA compliance? Let us know online or by calling us at (800) 733-6379, and we would be pleased to discuss it with you and perhaps also address it in this series.