Healthcare organizations must ensure they have a current HIPAA contingency plan in place to prepare for all types of adverse events, including natural disasters and cybersecurity attacks, according to the latest OCR Cybersecurity Newsletter.
A good contingency plan ensures that any damage, injury, or loss to property, personnel, and data is contained, the agency explained. Additionally, it ensures that key organizational operations are able to continue.
Flooding, fire, and severe weather can create problems for healthcare organizations. But a cybersecurity attack could also leave a provider’s data unreadable or unusable, OCR cautioned.
“In the event data is compromised due to a cyberattack, restoring the data from backups may be the only option to recover the data and restore normal business operations,” the newsletter read.
The HIPAA Security Rule also requires covered entities and business associates to have an appropriate contingency plan. As part of the federal requirements for contingency planning, organizations need to have a disaster recovery plan, a continuity of operations plan, and a data backup plan.
Healthcare organizations need to address their applications and determine which ones are critical, OCR explained. Entities should also be testing their contingency plan and “revising any identified deficiencies.”
“A formal policy provides the authority and guidance necessary to develop an effective contingency plan,” the agency said. “Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.”
A comprehensive risk analysis will also help covered entities and business associates identify various risks that they may face. A risk analysis “can provide a list of potential threats, risks, and preventative controls,” and entities will then need to prioritize systems and information going forward to focus their planning.
“Establish the specific guidelines, parameters, and procedures when enacting the contingency plan and for the recovery of systems and data,” OCR stated, adding that a disaster recovery plan, emergency mode operation plan, and data backup plan all play a key role in the overarching contingency plan.
Specifically, organizations should consider the following:
- Maintain critical operations and minimize loss
- Define time periods, such as a process for the first hour, day, and week following an event
- Know under which circumstances the contingency plan would be activated, and ensure all staff members know their roles in the process.
- All employees need to understand the language in the plan. Keep the language plain.
“Communicate and share the plan and roles and responsibilities with the organization,” OCR said. “Establish a testing (exercise) schedule for the plan, to identify gaps and ensure updates for plan effectiveness and increase organizational awareness.”
“Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.”
Overall, organizations cannot wait for a disaster to occur before they design and implement a contingency plan, OCR warned.
A contingency plan’s goal should be to ensure that an organization’s ePHI is available when it is needed, according to the HHS Security Series.
“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information,” HHS explains.
A data backup plan, a disaster recovery plan, and an emergency mode operation plan are required implementation specifications under HIPAA. Testing and revision procedures, and application and data criticality analysis, are “addressable” specifications. However, this does not mean that organizations can assume they are not needed.
“The comprehensiveness and sophistication of the testing and revision procedures depends on the complexity of the covered entity’s organization and other factors such as size and costs. It is expected that the frequency and comprehensiveness of the procedures will vary among covered entities,” HHS says.
These procedures can include an organization ensuring that the processes for restoring data from backups, disaster recovery, and emergency mode operation are properly documented. Additionally, entities should ensure that the individuals responsible for performing any contingency planning tasks understand their responsibilities.
For Application and Data Criticality Analysis, organizations must “assess the relative criticality of specific applications and data in support of other contingency plan components,” HHS notes.
Any data applications that store, maintain, or transmit ePHI must be identified. From there, organizations prioritize those applications, dependent on their importance “to patient care or business needs, in order to prioritize for data backup, disaster recovery and/or emergency operations plans.”
HHS added that covered entities and their business associates need to continuously monitor and evaluate their contingency plans. Security requirements will need to meet entities’ evolving and increasingly sophisticated environmental needs.