HIPAA Regulation Reference §142.308(a)(3):
Contingency Planning: A contingency plan, a routinely updated plan for responding to a system emergency,
which includes performing backups, preparing critical facilities that can be used to facilitate
continuity of operations in the event of an emergency, and recovery from a disaster.
Section II: Requirement
The plan must include all of the following implementation features:
An application and data criticality analysis.
A data backup plan.
A disaster recovery plan.
An emergency mode operation plan.
Testing and revision procedures.
Section III: Approaches/Solutions
- Conduct an application and data criticality analysis to determine and rank the importance of each application and its data.
- Develop a plan to create and maintain retrievable exact copies of information.
- Develop a plan for the timely recovery of critical applications and data.
- Develop a plan to detail procedures and processes to be followed in the event of a disaster.
- Develop a plan to ensure contingency plans are updated and tested periodically.
Section IV: Policy & Procedure
Each business function has the responsibility to ensure a Contingency Plan is in place for all applications
even if the contingency plan is "Repair in Place." The business function, in coordination with IT, also has
the responsibility to update the plans as changes occur. Those changes include but are not limited to
hardware, software, network, or the environment.
Initiating periodic testing is the responsibility of each business function to ensure the plan is
comprehensive and accurate.
Regularly scheduled backups must be performed for all production application data to ensure that, when an
outage occurs and a Contingency Plan must be executed, the data being restored is accurate and timely.
Each business function is required to have a current, documented and tested Contingency Plan for each
application/system that contains business critical information. Annual testing of the plan is essential;
retesting is also required whenever a change occurs that may affect the application.
Section V: Technology
In the event of a disaster, contingency plans must be accessible. Contingency plans should be stored
off-site and in paper form.
Section VI: Users/Roles
Management - Responsible for enforcing the Contingency Planning policy.
Audit - Responsible for ensuring the adherence to the Contingency Planning policy.
Custodian/Application Owner - Responsible for maintaining and testing the Contingency plan for associated applications/data.
Section VII: Web Sites of Interest
http://aspe.hhs.gov/admnsimp/nprm/secnprm.pdf
http://www.wedi.org/snip/public/articles/privacy_pp1115_02.pdf
http://www.nchica.org/hipaa/hipaa%20security%20update.pdf
http://www.aamc.org/members/gir/gasp/securitysectionone.pdf
http://www.drj.com/
http://www.business-continuity-world.com/
http://www.state.ks.us/public/kirc/refer2a.htm
http://www.sans.org/newlook/resources/policies/policies.htm
http://www.dir.state.tx.us/IRAPC/bcpg/bcpg.pdf
http://www.itl.nist.gov/lab/bulletns/bltnjun02.htm
http://enterprisesecurity.symantec.com/article.cfm?articleid=573&PID=na&EID=0