Alaap B. Shah, Member of the Firm in the Health Care and Life Sciences practice, in the firm’s Washington, DC, office, was quoted in Healthcare Risk Management, in “OCR Concerned About HIPAA Contingency Plans.”

Following is an excerpt:

Developing a good HIPAA contingency plan is critical to ensuring a facility can access data during a disaster or cyberattack, and it also is required for HIPAA compliance. Creating that plan may require more assessment and planning than one might imagine, and it’s the kind of thing that can be lacking in an otherwise good HIPAA program.

The HHS Office for Civil Rights (OCR) recently urged healthcare organizations to develop contingency plans for crises that could compromise protected health information (PHI) covered under HIPAA. …

Typically, developing a contingency plan will require forming a committee of stakeholders, says Alaap B. Shah, JD, an attorney with Epstein Becker & Green in Washington, DC. That committee should include, but is not limited to, individuals with responsibilities related to compliance, information technology, facilities management, finance and administration, human resources, and communications.

“This committee will need to work together to define recovery requirements relative to key business functions; document the impact of an extended loss to operations and key business functions; and evaluate options for disaster prevention, impact minimization, and orderly recovery,” he says. “It ultimately will develop a written contingency plan that is understandable, easy to use, and easy to maintain, with clearly defined triggers and response roles and responsibilities.”

Shah also emphasizes that a contingency plan should not sit on a shelf and collect dust, but rather should be tested and improved over time.
