Do you need a Contingency Framework?
The HIPAA Security Rule requires that your organization comply with its Contingency Standard (i.e. "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.").
The Contingency Standard has five implementation specifications:
1. Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
2. Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
3. Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
4. Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
5. Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
Our Contingency Framework ("Framework") offers guidance for complying with this standard. With the Framework, you’ll be able to determine what you need to do in order to satisfy these five implementation specifications ("Controls"). In addition, you are provided templates that help you mitigate the risks posed by the absence of these Controls.
These Controls are now generally referred to as “Business Continuity.” Business Continuity is a very complex topic; however, similar to the manner in which other wicked problems are attacked, the most important thing that any organization can do is to fail forward fast; that is, to put a foundational solution in place and then proceed to refine it over time as specific requirements manifest.