This entry is part 14 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (B) Disaster recovery plan (Required).  Establish (and implement as needed) procedures to restore any loss of data.

 Tell Me More:

The Disaster Recovery Plan implementation specification requires covered entities to establish (and implement as needed) procedures to restore any loss of data after an emergency.   While called a Disaster Recovery Plan, it is really about a DATA recovery plan as it focuses on “restore loss data”.

The final security rule addresses the need for each entity to have a Disaster Recovery Plan to respond to an emergency or other occurrence, including fire, vandalism, system failure and natural disaster.  Disaster Recovery Plan will be scalable depending on the organization.  Within Disaster Recovery Plan, the rule addresses Disaster Recovery Plans, emergency mode operation plans, and testing and revision procedures.

The final rule empowers each entity to determine its own risk in the event of an emergency that would result in a loss of operations. A Disaster Recovery Plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given Disaster Recovery Plan will depend upon the nature and configuration of the entity devising it.  In addition, depending upon the size, configuration, and environment of a given Covered Entity or Business Associate, the entity should decide if testing and revision of all parts of a Disaster Recovery Plan should be done or if there are more reasonable alternatives. The same is true for the proposed applications and data criticality analysis implementation feature.

The Disaster Recovery Plan is necessary to assure the continued capabilities of the organization by guarding against unforeseen events.  Effective data backup and recovery is clearly essential, as without this information operations are directly impacted.  Asset management and criticality analysis facilitate the Disaster Recovery Plan and execution processes, while ensuring resources are spent wisely.  Disaster Recovery Plans are typically the last priority of many busy organizations; however, there is no replacement for them and they are invaluable when the need arises.

For more information, see “The Truth about HIPAA‐HITECH and Data Backup“.

Questions to consider:

  •  Has the organization identified those staff responsible to carry out data restoration, including lists of emergency contact names and numbers, important business partners as well as potentially hardware, software and other business supply contact information as would be necessary to allow for a temporary office set-up to support complete restoration of data in order to continue business functioning? Make sure vital information is available offsite in case the site is inaccessible.
  • Has the organization performed detailed testing and revision of its plan? Plans may need to be updated and changed on an ongoing basis.
  •  Has the organization considered secure, offsite electronic vaulting?

References:

Series Navigation<< 164.310 Physical safeguards164.308(a)(5)(ii)(A) Standard: Security awareness and training – Security reminders >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.