HIPAA Contingency Planning

Contingency Planning, Yes You Need It!!

The purpose of contingency planning is to establish strategies for recovering access to electronic protected health information (ePHI). In the event an organization experiences an emergency or other incident, such as power outages and/or disruption of critical business operations, any lost or damaged ePHI must be recovered and/or restored.

The Contingency Plan standard requires that Covered Entities and Business Associates (BAs):

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

The Contingency Plan standard includes five implementation specifications:

  1. Data Backup Plan (Required) – 45 CFR § 164.308(a)(7)(ii)(A)
  2. Disaster Recovery Plan (Required) – 45 CFR § 164.308(a)(7)(ii)(B)
  3. Emergency Mode Operation Plan (Required) – 45 CFR § 164.308(a)(7)(ii)(C)
  4. Testing and Revision Procedures (Addressable) – 45 CFR § 164.308(a)(7)(ii)(D)
  5. Applications and Data Criticality Analysis (Addressable) – 45 CFR § 164.308(a)(7)(ii)(E)

The purpose of any contingency plan is to allow an organization to return to its daily operations as quickly as possible when experiencing a business-loss event. The contingency plan:

  • Protects resources
  • Minimizes customer inconvenience and identifies key staff
  • Assigns specific responsibilities in the context of the recovery

Contingency plans are critical to protecting the availability, integrity, and security of data during unexpected adverse events. Contingency plans should consider not only how to respond to disasters such as fires and floods, but also how to respond to cyberattacks.

Contingency Planning

Key Steps on the road to Contingency Planning
  1. Make it Policy: A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
  2. Identify what is Critical: Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.
  3. Identify Risks, Threats and Preventative Controls: What has the potential to significantly disrupt or harm your operations and data? Perform a risk analysis to identify the various risks your business may face.
  4. Contingency Plans & Risk Analysis: The need for contingency plans follows from a thorough and accurate analysis of the risks the organization may face. A completed risk analysis provides a list of potential threats, risks, and preventative controls, establishes the prioritization of critical systems and information, and helps the business identify where to focus its planning efforts.
  5. Create Contingency Procedures: Establish the specific guidelines, parameters, and procedures for enacting the contingency plan and for the recovery of systems and data. This is where the Disaster Recovery Plan, Emergency Mode Operation Plan and Data Backup Plan fill in the overarching contingency plan.
  6. Testing and Revisions: Test your contingency plan and revise it to correct any identified deficiencies.

Don’t wait for a disaster to happen before designing and implementing a contingency plan.

Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today.