contingency plan (HIPAA)
Covered entities must implement a contingency plan as part of their administrative safeguards. The Security Rule defines that plan as "policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information [PHI]."

The standard includes five implementation specifications. The first three are required, and the last two addressable:

- data backup plan;
- disaster recovery plan;
- emergency mode operation plan;
- testing and revision procedures; and
- applications and data criticality analysis.
The first requires implementation of procedures "to create and maintain retrievable exact copies of electronic [PHI]." The second requires establishment -- and, if necessary, implementation -- of procedures "to restore any loss of data." The third requires establishment -- and, again, implementation if necessary -- of procedures "to enable continuation of critical business processes for protection of the security of electronic [PHI]."
The penultimate specification covers "periodic testing and revision of contingency plans" for emergency operations. The last is defined as "assess[ment of] the relative criticality of specific applications and data in support of other contingency plan components." Although DHHS has, as noted, made these last two addressable, it is hard to envision a disaster or emergency mode operation plan that would not include them.
As with all the other standards, the components here must be scaled to the particular circumstances of the covered entity. "Each entity needs to determine its own risk in the event of an emergency that would result in a loss of operations. A contingency plan may involve highly complex processes in one processing site, or simple manual processes in another." (Final Rule, p. 105)