The HIPAA Administrative Safeguards require not only that ePHI is backed up and can be recovered; the spirit of this CFR section is to ensure ePHI is resilient.
CMS calls it “Contingency Plan § 164.308(a)(7)”. The purpose of contingency planning is to establish strategies for recovering access to ePHI should the organization experience an emergency or another occurrence, such as a power outage and disruption of critical business operations.
The goal is to ensure that organizations have their ePHI available when it is needed. The Contingency Plan standard requires that covered entities: “Establish (and implement as needed) policies and procedures for responding to an emergency or another occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
The Contingency Plan standard includes five implementation specifications; I will cover each briefly in layman’s terms.
Data Backup Plan (Required): Sounds simple, right? In general, it is. In my experience, most healthcare executives see this as the final frontier of preserving their data. That is far from the case. Let’s use something as simple as baking a cake: how good will your cake be without some of the ingredients, such as the batter?
Disaster Recovery Plan (Required): This part of the “cake” gets confused a lot. Recovering data means more than restoring the data backup. It usually requires all the ingredients that make the cake whole: the server, databases, desktop, laptop and mobile device connectivity, the network, etc.
Emergency Mode Operation Plan (Required): This is basically a form of Disaster Recovery in which a standby system is “stood up” and ready to go, usually from your DR plan, within hours, days, weeks, etc., depending on the demand, need, and compliance requirements of all stakeholders (patient, provider, payer, etc.).
Testing and Revision Procedures (Addressable): Something that, unfortunately, most healthcare organizations do not see as valuable, that is, until something goes wrong. Then they vigorously test, test, and test again.
Applications and Data Criticality Analysis (Addressable): This usually involves an exercise of “tiering” your applications. For instance, in most healthcare organizations the EHR would be tier 0, meaning “we need it up within 2 hours, along with all the dependent technologies to support it.” Email may also fit into tier 0. Something like forms, Word documents, etc. could be tier 1, meaning it could be up within 4 hours or so. Tiering is up to the covered entity; CMS/OCR does not regulate it. This is where you’ll need a savvy and strategic IT leader who understands the value proposition of your medical practice, along with IT staff for tactical execution and end-user support.
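The tiering exercise above only works if the “dependent technologies” inherit the application’s recovery target, which is exactly where the Disaster Recovery “cake” falls apart. The following is an added example (not code from the original post) that models a small constructed inventory, propagates each application’s recovery-time objective (RTO) down its dependency chain, and flags any component the DR plan would recover too slowly; the application names, tiers, hours and dependencies are assumptions chosen to mirror the post’s illustration.

```python
# Added example (not from the original post): propagate each application's RTO
# to everything it depends on, then check the DR plan. All data is constructed.

# Illustrative RTO per tier from the post; the covered entity sets its own.
TIER_RTO_HOURS = {0: 2, 1: 4}

# Constructed inventory: applications carry a tier, supporting technology
# (servers, databases, network, storage) carries only its dependencies.
NODES = {
    "ehr":         {"tier": 0, "depends_on": ["ehr_db", "app_server", "network"]},
    "email":       {"tier": 0, "depends_on": ["mail_server", "network"]},
    "forms":       {"tier": 1, "depends_on": ["file_share", "network"]},
    "ehr_db":      {"depends_on": ["storage"]},
    "app_server":  {"depends_on": ["storage"]},
    "mail_server": {"depends_on": []},
    "file_share":  {"depends_on": ["storage"]},
    "network":     {"depends_on": []},
    "storage":     {"depends_on": []},
}

# Constructed recovery times (hours) the current DR plan documents per node.
RECOVERY_HOURS = {
    "ehr": 2, "email": 2, "forms": 4, "ehr_db": 1, "app_server": 2,
    "mail_server": 2, "file_share": 4, "network": 3, "storage": 2,
}

def required_rto(nodes, tier_rto=TIER_RTO_HOURS):
    """Strictest RTO per node: a dependency inherits the smallest RTO of any
    tiered application that (transitively) relies on it."""
    required = {}
    for name, node in nodes.items():
        if "tier" not in node:
            continue
        rto = tier_rto[node["tier"]]
        stack, seen = [name], set()
        while stack:
            cur = stack.pop()
            if cur in seen:  # guards against cyclic dependencies
                continue
            seen.add(cur)
            required[cur] = min(rto, required.get(cur, rto))
            stack.extend(nodes[cur]["depends_on"])
    return required

def rto_gaps(nodes, recovery_hours, tier_rto=TIER_RTO_HOURS):
    """Nodes whose documented recovery time is slower than the tiering requires."""
    needed = required_rto(nodes, tier_rto)
    return {n: (recovery_hours[n], needed[n])
            for n in needed if recovery_hours[n] > needed[n]}
```

In this constructed inventory the shared network is documented at 3 hours but inherits the 2-hour tier 0 target from both the EHR and email, so `rto_gaps` reports it as the one component the plan does not actually cover.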
Manuel W. Lloyd offers free assessments with a scientifically generated risk score for HIPAA IT contingency & more.