Contingency Plan (164.308(a)(7)) and Electronic Health Records brought to you by HIPAA Academy

Contingency Plan is a Standard is defined within the Administrative Safeguards section of the HIPAA Security Rule. It requires all covered entities to establish and implement as needed policies and procedures for responding to an emergency or other occurrences (for example fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information (EPHI).

As the volume of electronic healthcare information rises within organizations, this HIPAA Security Rule Standard gains more relevance. Covered entities must review capabilities for continued access to vital patient records if the primary data center was disabled for an indefinite period of time. This will require organizations to start planning for an alternate data center – a capability that may be outsourced to a business associate or developed by the organization itself.

Key areas your organization needs to address include:

• Develop a comprehensive contingency plan, disaster recovery plan as well as an emergency mode operation plan
• Identify the critical services or operations, and the manual or automated processes that support them, involving EPHI
• Determine the amount of time the organization can tolerate disruptions to these operations, materials or services
• Establish cost-effective strategies for recovering these critical services or processes

The HIPAA Academy has developed the healthcare industry’s most comprehensive suite of HIPAA Security policy templates. Review the outline of all HIPAA Academy policies at www.HIPAAAcademy.Net. For more information please contact Lorna.Waggoner@ecfirst.com or call her at 1.515.453.8247 x17.