This entry is part 40 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

Tell Me More:

The Applications and Data Criticality Analysis implementation specification requires covered entities to assess the relative criticality of specific applications and data in support of other contingency plan components.

Not all information assets are equally critical. Not all business processes have the same requirements for recovery in the event of a disaster. Completing this analysis usually involves formal processes that take into account business impact, recovery time objectives (RTOs), recovery point objectives (RPOs) and potential data loss events.

Your organization should consider implementing a process to review the various computer and other electronic systems critical to the organization. Applications and data criticality analysis allows for a prioritization or ordering of the various systems. This lets resources focus first on the systems and support processes most critical to the business, should staff resources or ability be diminished due to a disaster or other negative event.

The analysis is an entity’s assessment of the sensitivity, vulnerabilities, and security of its programs and the information it receives, manipulates, stores, and/or transmits.

The procedure begins with an application and data inventory, which is required for identifying and categorizing the value of the company’s assets, for performing vulnerability and risk analyses, and for a variety of audit-related activities.

Questions to consider:

  • Has the organization evaluated its systems and ranked them in order of importance to the ongoing operation of the organization?


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.