Developing a good HIPAA contingency plan is critical to ensuring a facility can access data during a disaster or cyberattack, and it is also required for HIPAA compliance. Creating that plan may require more assessment and planning than one might imagine, and it is the kind of thing that can be lacking in an otherwise good HIPAA program.
The HHS Office for Civil Rights (OCR) recently urged healthcare organizations to develop contingency plans for crises that could compromise protected health information (PHI) covered under HIPAA. …
Typically, developing a contingency plan will require forming a committee of stakeholders, says Alaap B. Shah, JD, an attorney with Epstein Becker & Green in Washington, DC. That committee should include, but not be limited to, individuals with responsibilities related to compliance, information technology, facilities management, finance and administration, human resources, and communications.
“This committee will need to work together to define recovery requirements relative to key business functions; document the impact of an extended loss to operations and key business functions; and evaluate options for disaster prevention, impact minimization, and orderly recovery,” he says. “It ultimately will develop a written contingency plan that is understandable, easy to use, and easy to maintain, with clearly defined triggers and response roles and responsibilities.”
Shah also emphasizes that a contingency plan should not sit on a shelf and collect dust, but rather should be tested and improved over time.