What is a Contingency Plan? 

A Contingency Plan is the plan of action that is required for covered entities and business associates to implement under the Health Insurance Portability and Accountability Act. Due to the value of the protected health information that these organizations store and transmit, it is important that they each have a clear and well structured plan for the next steps to take following an emergency. 

Why is a Contingency Plan Needed? 

HIPAA is a complex law with pages and pages of requirements - so it is easy to see that some people will overlook the importance of creating and training employees on contingency plans. However, beyond just the fact that this is required under HIPAA, it is also a valuable preventative measure that all organizations will rely upon in the event of an unexpected disaster of any kind. 

The goal of implementing a Contingency Plan is to ensure that the organization is able to continue the necessary daily operations while minimizing costs and loss in the days, weeks and months following a disaster. Obviously the steps to take might vary depending on what type of emergency occurs whether that is a cybersecurity disaster, natural disaster, or other significant incident.  

How to Create a Contingency for your Company:

Elements of a Contingency Plan

Within the HIPAA Security Rule, a Contingency Plan has five specific components, three of which are considered to be “necessary” and two which are just “addressable.” This means that the necessary aspects are required within the standard for a Contingency Plan versus an addressable standard which is optional depending on what an organization determines appropriate for their specific plan. 

Necessary Contingency Plan Requirements: 

Data Backup Plan 

This first aspect of a HIPAA Contingency Plan, the Data Backup Plan, revolves around ensuring that all electronic protected health information (ePHI) is copied and backed up. This process includes first making sure that multiple copies are made of all forms of ePHI, including images, medical records, tests or charts. These backups should then be tested to guarantee that the plan works and the ePHI can successfully be restored through them.  

Disaster Recovery Plan 

As we have mentioned above, Contingency Plans are all about establishing the steps to take following a disaster, which is exactly what the disaster recovery plan portion is centered on. This plan should lay out how each of the file backups created in the last requirement should be restored from the copied state. Since staff should be trained on the Contingency Plan, they will be ready to begin restoring access to the ePHI immediately after a disaster.   

Emergency Mode Operation Plan 

Aside from guaranteeing that protected health information has been backed up and the steps for restoration have been determined, the next piece is to continue the necessary business operations. Especially within the healthcare industry, each and every organization serves a necessary purpose day in and day out. The importance of a business operating does not disappear because of a disaster, but rather it is often amplified. That is why an emergency mode operation plan is required within your Contingency Plan to specify the steps to take to continue all of your critical operations while keeping ePHI safe and secure. 

Addressable Contingency Plan Requirements: 

Applications and Data Criticality Analysis 

As we saw above, one of the necessary steps to a Contingency Plan is the emergency mode operation plan, which is all about restoring essential business operations after the crisis. However, in order for this to happen quickly and successfully, an applications and data criticality analysis should be conducted first. This analysis would determine how critical each application is to the business functioning and securing important data. Once the priority has been established, the Contingency Plan should be revised to organize the restoration of the most critical applications and data first and then continue down the priority list in that order. 

Testing and Revision Procedure

The second addressable component for the Contingency Plan is having a system for testing the plan regularly and revising it as necessary. Testing can take on a few different styles depending on how you determine that fits your organization whether that is scenario walkthroughs, live tests or other methods. A contingency plan can be a great resource for a company in a time of crisis but only if the plan has been tested and revised plus the staff is prepared to execute that process. 

Implementing your Contingency Plan

As we know, HIPAA is a complex law that contains many requirements and steps for the organizations underneath it to follow. Contingency Plan is one particular step that we are exploring today but it does not operate entirely independently. The need for a Contingency Plan plus the understanding of what needs to go into your organization’s specific plan all comes from a thorough analysis. 
Organizations are actually required under HIPAA to regularly conduct exhaustive risk analyses of the systems and potential risks, threats or weaknesses to the PHI in your stands. In order to help you prioritize the necessary steps to return your organization to regular operations, conducting a risk analysis can be extremely helpful. Luckily, Accountable has a free risk analysis that you can take today - plus we’ll discuss the results & next steps towards compliance with you afterwards.