This entry is part 59 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Tell Me More:

The Emergency Mode Operation Plan implementation specification is an interesting one!  The name suggests a full continuity of operation plan (COOP) or business continuity plan (BCP) while the language actually calls for the entity to ensure “… continuation of critical business processes for PROTECTION OF THE SECURITY of electronic protected health information while operating in emergency mode.”  That is, an entity cannot let it’s guard down when operating in emergency mode.  That said, a COOP and BCP are equally important.

An emergency mode operation plan contains a process that enables an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure. In a manner similar to disaster recovery planning, budget for and schedule required resources for effective emergency mode operation plan testing.

Questions to consider:

  • Does the organization have policies and procedures in place to ensure administrative, physical and technical safeguards remain operational in the event of a need to operate in an emergency?
  • Does the organization have policies and procedures for maintaining access to data and maintain data security when in disaster recovery mode?
  • Has the organization identified those critical business processes that must occur in order for the organization to continue operations during and immediately after a crisis situation? This will help to focus resources on the most important systems first.
  • Has the organizations made reasonable and appropriate arrangements to ensure that its critical business processes can be up and running in an appropriate time frame? This may include having an offsite location ready for operation, mirroring data at a remote site, having agreements with suppliers to rapidly provide equipment, and having an uninterruptible power supply.


Series Navigation<< 164.308(a)(8) Administrative safeguards – Standard: Evaluation

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.