Contingency Planning: Do You Know What HIPAA Requires?

by Legal and Regulatory Affairs and Technology Policy and Projects Staffs

June 7, 2005 -- Sitting in your office late one night, you see lightning and hear the rumble of thunder outside your window. Suddenly, the lights in your office flash, the light bulb in your lamp explodes, and your computer starts to spark and smoke. When the smoke clears, you realize that your computer’s hard drive is completely destroyed, making it impossible to recover the patient data that was stored there.

Are you aware that, in this scenario, you have more to be concerned about than simply replacing your malfunctioning computer? If you haven't taken steps to protect your patient data in a situation like this -- as well as from fire, vandalism, system failure, theft or natural disasters -- you could be violating the HIPAA Security Rule.

The Security Rule requires practitioners to safeguard the electronic protected health information (EPHI) in their practice from unauthorized alteration, destruction or disclosure, both intentional and unintentional. That means practitioners need to protect their electronic data, such as patient notes, e-mail with or about patients, and insurance or financial records with identifying patient information, from potential security risks.

Under the “contingency planning standard” of the HIPAA Security Rule, psychologists must develop a plan to address how they will respond to a loss of electronic information in the event of a disaster or emergency. As part of complying with the Security Rule, practitioners must comply with the contingency planning standard.

Contingency planning is not just a HIPAA requirement; it is also good business practice. Taking steps to ensure that EPHI can be recovered and restored in the event of an emergency can lessen interruptions to your business. Planning ahead can help you to keep your practice operations running and can help you focus on providing quality services to your clients following an emergency, rather than spending time and energy on efforts--such as tracking down client records--that pull you away from your clinical duties and other practice responsibilities. While loss of EPHI may not be as disruptive to small practices with less complex systems as it can be for larger practices, it is nevertheless a serious possibility that practitioners should plan for by developing a sound contingency plan.

Components of a Contingency Plan
Under the HIPAA Security Rule, a contingency plan has five components. Of these five, three are necessary for you to adopt in order to comply with the contingency plan standard. Two other components are deemed “addressable,” meaning that they are optional for you to adopt, depending upon whether you consider them reasonable and appropriate for your practice’s contingency plan.

-- Data Backup Plan (required) - This component of contingency planning requires you to establish and implement procedures to create and maintain retrievable copies of all EPHI stored in your system so that if the office data is lost, corrupted, or destroyed, it can be recovered. One step toward complying with this component would be to manually back up EPHI using a disk or CD in order to save EPHI from your hard drive in a separate location.

-- Disaster Recovery Plan (required) - You need to establish and implement policies and procedures to restore EPHI lost in the event of a disaster. For example, a disaster recovery plan should encompass procedures such as developing an employee phone list to use in an emergency and procedures for patient contact in the event that appointments need to be verified or rescheduled.

-- Emergency Mode Operation Plan (required) - This component of the plan is where you establish and implement procedures to enable continuation of critical practice activities, including the protection of EPHI, while operating in an emergency mode. You will need to adopt a plan that notifies employees of what to do if they are involved in an emergency situation and who they should contact to assess the seriousness of the situation.

-- Applications and Data Criticality Analysis (addressable/if applicable to your practice) - This section of the plan involves determining which specific computer programs and data are the most important and creating a procedure that gives priority to restoring the most critical programs and data first, such as patient data, then financial or other operational data. For example, if you use two applications, one for bookkeeping and one for accessing patient data, you will need to consider which one is more critical or important to restore first in an emergency.

-- Testing and Revision Procedure (addressable/if applicable to your practice) - Backup, disaster, and emergency operations mode plans are of no use if they are unrealistic or fail to accomplish the goals of restoring your computer system and the EPHI contained within it. This component of the contingency plan is designed to ensure that your plan is regularly tested and revised as needed. Contingency plan testing should focus on your ability to: access alternative computers and sites in a timely fashion; load and run any necessary software programs; and load, view and use backup data.

Be aware that, although you may decide not to implement the last two components listed above, you still will need to document your rationale for making that choice and how you meet the contingency planning standard.
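A backup-and-restore drill covering the Data Backup Plan, the criticality ordering, and the Testing and Revision Procedure described above, as an added example that is not part of the original article; the directory names, file names and restore priority order are assumptions:

```python
# Added example (not from the article): back up an EPHI directory with a hash
# manifest, then restore it and verify every file, most critical category first.
import hashlib, json, tarfile, tempfile
from pathlib import Path

# Criticality analysis, assumed: patient data is restored and verified first.
RESTORE_PRIORITY = ["patient_data", "financial", "other"]

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(ephi_dir: Path, backup_dir: Path) -> Path:
    """Archive ephi_dir and write a manifest of SHA-256 hashes next to it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {p.relative_to(ephi_dir).as_posix(): _sha256(p)
                for p in sorted(ephi_dir.rglob("*")) if p.is_file()}
    archive = backup_dir / "ephi_backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(ephi_dir, arcname="ephi")
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive

def restore_and_verify(archive: Path, manifest_path: Path, target: Path) -> dict:
    """Restore the archive and check each file; returns {relative_path: ok}."""
    manifest = json.loads(manifest_path.read_text())
    # The "data" filter (Python 3.12+) blocks path traversal from a tampered archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extract_opts)
    restored = target / "ephi"
    status = {}
    for category in RESTORE_PRIORITY:
        for rel, digest in manifest.items():
            if rel.split("/")[0] == category:
                f = restored / rel
                status[rel] = f.is_file() and _sha256(f) == digest
    return status

def run_drill() -> dict:
    """Full drill on constructed sample EPHI in a temporary directory."""
    sample = {"patient_data/notes_0001.txt": "session notes (constructed)",
              "financial/claims.csv": "claim,amount\n1,120\n",
              "other/phone_list.txt": "emergency contacts (constructed)"}
    with tempfile.TemporaryDirectory() as tmp:
        root, ephi = Path(tmp), Path(tmp) / "ephi"
        for rel, text in sample.items():
            (ephi / rel).parent.mkdir(parents=True, exist_ok=True)
            (ephi / rel).write_text(text)
        archive = make_backup(ephi, root / "backup")
        return restore_and_verify(archive, root / "backup" / "manifest.json", root / "restore")
```

A failed entry in the returned status is exactly the finding the testing component exists to surface: a backup that cannot be loaded, viewed and used intact.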

Developing a Contingency Plan for Your Practice
The APA Practice Organization has developed a comprehensive product to help you create your own contingency plan. The HIPAA Security Rule Online Compliance Workbook, designed especially for practicing psychologists, takes practitioners step-by-step through the process of complying with all the HIPAA Security Rule standards, including the contingency planning standard.

© 2008 APApractice.org
All rights reserved.