The Disaster Recovery Component of HIPAA Compliance

October 9, 2016
Compliance, Disaster Recovery, Healthcare, IT Security

The Disaster Recovery Component of HIPAA Compliance


The healthcare industry is among the most highly regulated industries, and disaster recovery (DR) planning is crucial for compliance with its most well-known mandate — the Health Insurance Portability and Accountability Act (HIPAA).

According to the HIPAA Security Rule, organizations classified as covered entities are required to establish and implement, as needed, policies and procedures for responding to any situation that could damage IT systems that contain electronic protected health information (ePHI). In simple terms, they are required to have a contingency plan. That plan includes DR.

The same requirement also applies to business associates as noted in the HIPAA Omnibus Rule. In general, a business associate refers to an individual or organization that creates, receives, maintains or transmits protected health information. Cloud services providers (CSPs) are typically considered business associates, making them subject to the contingency plan requirements as well.

Learn how to work with a CSP to help meet your compliance requirement in the eBook, "Partnering for Compliance in the Cloud."

Contingency Plan Components

A contingency plan defines the roles, responsibilities and procedures associated with restoring IT systems following any kind of disruption. To meet HIPAA requirements, the plan should include five implementation specifications outlined in the HIPAA Security Rule.

The first three are required and include:

  • A data backup plan that establishes systems for restoring ePHI.
  • A DR plan that identifies the processes needed to make sure ePHI can be restored in the event of loss.
  • An emergency mode operation plan that establishes procedures to ensure you can continue the necessary business processes for protecting the security of ePHI while you’re operating in emergency mode.

The other two specifications are “addressable” according to HIPAA.  This means that your organization must decide whether they are reasonable and appropriate security measures to apply within its particular security framework. They are:

  • Procedures for periodic testing and revision of contingency plans.
  • Application and data criticality analysis.


Specification 1: The Data Backup Plan

To create a data backup plan, start by identifying the ePHI to be backed up whether you handle data backups internally or outsource them. Information to be backed up may include electronic medical records, digitized diagnostic images, electronic test results or any other electronic documents your organization uses.

Next, determine the backup method. HIPAA doesn’t provide any specifics in terms of how often to back up data. You’ll need to determine the frequency that best meets your business requirements.


Specification 2: The Disaster Recovery Plan

The second implementation specification is a DR plan that outlines the recovery of ePHI, is specific to your operating environment, and addresses what data must be restored and in what order. It should also account for all possible scenarios, from natural disasters to cyber-attacks. Specific components include:

  • Roles and responsibilities for everyone who will be involved in the recovery process, along with their contact information.  
  • The frequency, type and locations of any data and system backups and/or replication done to offsite location(s).
  • Documentation of all ePHI systems and data requirements, and the processes and procedures for restoring them.


Need additional help getting started on a Disaster Recovery Plan? Check out this Guide to DR Planning ebook.

Specification 3: The Emergency Operations Mode Plan

This plan outlines how your organization would carry out operations between the onset of restoration activity and when system functions return. It should identify and prioritize emergencies that may impact information systems containing ePHI, and include the processes and controls that protect the confidentiality, integrity, and availability of ePHI on your organization’s information systems


Specification 4: Testing and Revision Procedures

While the HIPAA Security Rule deems the testing and revision procedures for contingency plans to be “addressable,” it’s a good idea to test all plan components and revise them as necessary. The frequency and sophistication of the testing and revision procedures will depend on the complexity of your organization, its size, the costs and other factors.


Specification 5: Application and Data Criticality Analysis

This one is also “addressable.” It entails identifying all applications that store, maintain or transmit ePHI and then determining how important each is to patient care or other business needs in order to prioritize them for data backup, DR and/or emergency operations plans.


Helpful Resources

US Signal’s solution engineers also have extensive expertise in DR planning and HIPAA compliance, and will be happy to answer your questions. They can also help you develop a solution to meet your organization’s specific HIPAA compliance and DR requirements.  Just email us at [email protected] or call 866.2.SIGNAL.