HIPAA Disaster Recovery Plan

Having a HIPAA disaster recovery plan is a requirement of the HIPAA Security Rule. Therefore, not having a HIPAA disaster recovery plan will attract the attention of HHS’ Office for Civil Rights in the event of an emergency or other occurrence that damages systems containing electronic Protected Health Information (ePHI) or corrupts the data itself.

However, having an ineffective HIPAA disaster recovery plan can be even worse. If there is no plan in place, team members may still be able to recover systems or data using their own skills and knowledge of the infrastructure. But if team members try to recover systems or data by following an ineffective plan, it can exacerbate the consequences of the disaster.

For healthcare IT teams, exacerbating the consequences of a disaster can lengthen the time it takes to recover or reduce how much data is recoverable. In the worst case, an ineffective HIPAA disaster recovery plan could result in a permanent system failure and the loss of all data. Consequently, it is important that a plan is both effective and executed as intended.

Why Disaster Recoveries Don’t Always Go to Plan

There are multiple reasons why disaster recoveries don’t always go to plan. A cross-section of online resources suggests the common reasons include:

Reportedly, only 5% of emergencies requiring disaster recovery are due to natural disasters. The majority are attributable to hardware failures, software issues (including cyberattacks), and human error. While most of these events will be on a recovery planner’s radar, it is important not to overlook other potentially foreseeable events such as active shooters or malicious insiders, or concurrent events such as severe weather causing a hardware failure.

The failure to keep plans up to date.

While there are some organizations that prepare a HIPAA disaster recovery plan to “tick the box of compliance” and never look at it again, most make some effort to keep plans up to date – especially those subject to the CMS’ Emergency Preparedness Rule. However, when healthcare IT teams are pressed for time or short of resources, keeping disaster recovery plans up to date more often than required by regulation is one of the first tasks to be put aside.

The failure to train all members of the workforce.

Healthcare organizations that participate in Medicare are required to train all members of the workforce on their emergency preparedness plans at least every two years, but not on their disaster recovery plans. Even if members of the workforce are not likely to be involved in the recovery process, they need to receive some degree of training in case the individuals responsible for executing the disaster recovery plan are unavailable or incapacitated due to the emergency.

The failure to test plans for all events.

Although many healthcare IT teams run tests to assess their resiliency to cyberattacks, many fail to test disaster recovery plans for other, non-technical types of event. When an emergency occurs at 3.00 a.m. and the IT team cannot access their offices because the building is on fire, it is important to be confident that the processes for accessing servers and data remotely (possibly in the dark and in the rain) work effectively.

The failure to test data back-up solutions.

There is a commonly quoted “statistic” that 58% of data backups fail. The “statistic” is not only taken out of context from its source, but applies to all backups (including application backups) and not to restoring data from backups. Nonetheless, it is important that healthcare IT teams test their backup solutions to ensure it is possible to fully restore data from whatever solutions are implemented (hard drive, cloud, backup service, network attached storage, etc.).

The failure to coordinate with other recovery teams.

When an emergency occurs, it may not only impact the healthcare IT team. Depending on the nature of the emergency, there may be multiple teams involved in disaster recovery – each with its own plans and priorities. It is important that the healthcare IT team coordinates with other disaster recovery teams during the planning stage so that each team can reach its key recovery point objectives as quickly as possible and smoothly transition to a full recovery.

What HIPAA Says about Disaster Recovery Plans

Because the objective of this article is to ensure healthcare IT teams develop an effective HIPAA disaster recovery plan, it is important to consider what HIPAA says about disaster recovery plans. All the relevant information healthcare IT teams need to develop a disaster recovery plan that complies with HIPAA can be found in the Administrative, Physical, and Technical Safeguards.

Administrative Safeguards

Under §164.308 (7)(i) of the Administrative Safeguards (Contingency Planning), covered entities and business associates must “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

There are five implementation specifications for this standard:

(A) Data backup plan. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(D) Testing and revision procedures. Implement procedures for periodic testing and revision of contingency plans.

(E) Applications and data criticality analysis. Assess the relative criticality of specific applications and data in support of other contingency plan components.

Physical Safeguards

Under §164.310 (2)(i) of the Physical Safeguards (Facility Access Controls), covered entities and business associates are required to “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”

Technical Safeguards

Finally, under §164.312 (2)(ii) of the Technical Safeguards (Device Access Controls), covered entities and business associates must “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” Although applicable “during an emergency”, this standard also applies to a HIPAA disaster recovery plan.

Other Healthcare Industry Standards to Consider

While it may not appear too difficult to develop a HIPAA disaster recovery plan that complies with the seven relevant implementation specifications of the Security Rule, there are other healthcare industry requirements to consider in addition to HIPAA. These include, but are not limited to, CMS’ Emergency Preparedness Rule and OSHA’s Requirements for Emergency Response and Preparedness.

Additionally, many healthcare facilities must comply with state codes and federal standards to maintain Joint Commission, ACHC, or CHAP accreditation. While the codes and standards may not be relevant to the operation of a healthcare IT department, they may impact the content of an emergency mode operation plan or the accessibility of facilities during an emergency.

Possibly of more relevance to the operation of a healthcare IT department are ISO 27001 and ISO 27799. These standards can complicate the execution of a HIPAA-compliant disaster recovery plan by requiring stronger access controls, the management of encryption keys, and protected security intelligence logs. The complications can be overcome, but require careful planning.

HIPAA Disaster Recovery Plan Checklist

Disaster recovery plans vary according to the nature of an organization’s activities, its size, its location, and any other healthcare industry standards it is required to comply with. The age, complexity, and compatibility of technologies used by the organization can also be a factor. Therefore, it is impossible to compile a one-size-fits-all HIPAA-compliant disaster recovery plan.

Nonetheless, we have compiled a HIPAA disaster recovery plan checklist that most organizations covered by HIPAA will find beneficial. The checklist enables organizations to check that their disaster recovery plans comply with HIPAA and other relevant standards, and helps healthcare IT teams avoid the pitfalls that prevent disaster recoveries from going to plan.

The checklist has been designed to be as straightforward to follow as possible, and we have also included links to relevant references where practical to provide further advice. However, if you require assistance in navigating the checklist or comparing it to an existing HIPAA disaster recovery plan, do not hesitate to seek professional compliance advice.

Download HIPAA Disaster Recovery Plan Checklist

(PDF download, 83KB)