HIPAA CONTINGENCY PLAN
Step 1 - Upper Management Commitment

Contingency planning either commences here, or dies here. This is often the most difficult obstacle to overcome. However, if you are developing a contingency plan to become compliant with the HIPAA regulation, you should already have a commitment to the process. If you don't, finish reading this article and discuss this with your management.

Once the commitment is obtained, it is recommended that a Coordinator be appointed to act as a facilitator for the entire contingency planning process.

Step 1 is required before starting to work on any implementation specification.
Step 2 - Risk Assessment

Given a choice, disaster avoidance is a far more desirable option than attempting to recover from one. To accomplish this, the simplest process is to perform a risk assessment, and subsequently remove the exposure(s).

Step 2 is not a direct requirement; however, information gathered in this step will be helpful in completing Implementation Specification (iiC), emergency mode operation plan.
Step 3 - Business Impact Analysis and Recovery Strategy

A business impact analysis (BIA) is a straightforward process designed to understand each business unit, and what each contributes. What would happen if the unit could not function for 8 hours, a day, 2 days, a week, a month or more? What would it cost the business in lost revenue, both immediate and long term? Would the inability of this unit to function impact other units? Could you lose future customers?

BRProactive's Introduction and Guide explains the process.

Step 3 will meet the requirements of HIPAA Implementation Specification (iiE), an applications and data criticality analysis. It will also provide preliminary information required for HIPAA Implementation Specifications (iiB) disaster recovery plan, (iiC) emergency mode operations plan, and (iiE) applications and data criticality analysis.
Step 4 - Offsite Storage of Critical Data

The identification and subsequent storage of both hardcopy and electronic information, OFFSITE, should be your number one priority. At a minimum weekly, or preferably daily, full volume backups must be taken. These backups, along with hard copy documentation, must be sent offsite to another location (another room or another floor is not an option). Once you have established this process, ensure that it is documented and that you perform a quarterly review of the material you are sending.

BRProactive's Introduction and Guide explains the process and provides recommendations.

If you rely on information technology to run your business, offsite storage should not be considered an option. Instead, this process should become a routine reality.

Step 4 will meet the requirements of HIPAA Implementation Specification (iiA), data backup plan.
Step 5 - Disaster Recovery Plan

A disaster recovery plan is a collection of specific recovery team plans. Attempting a recovery without one is as much fun as a long walk down a short pier.

Each recovery team plan documents specific activities that each recovery team will perform in the event of a disaster. Examples of recovery teams are: Crisis Management, Damage Assessment, Information Systems, Business Unit, Voice and Data, Corporate, etc. Each recovery team plan, when fully developed, provides a detailed and systematic set of instructions that team leaders and members would follow in an emergency. In essence, each recovery team plan documents:

To further control the recovery process, all recovery team plans are logically broken down into stages, sections and tasks. Each stage (response, recovery, resumption, reconstruction and relocation) and section in a recovery team plan provides general direction. Each task provides the detailed specific instructions on a required activity, and how to perform a function.

BRProactive provides the comprehensive templates for you to complete your plan.

Remember, in a disaster, you cannot rely on key staff members being available. Therefore, the information contained within the recovery plan should allow others to understand the process, and step in.

Step 5 will meet the requirements of HIPAA Implementation Features (iiB), a disaster recovery plan, and (iiC), emergency mode operation plan.
Step 6 - A Recovery Location

When your recovery plan is fully developed, you have positioned your business to recover in the event of a disaster. At this point, you will want to consider an outside recovery service provider. Generally, the services they provide can be two fold:

BRProactive's Introduction and Guide explains the process and options.

Step 6 will meet the requirements of HIPAA Implementation Specification (iiC), emergency mode operation plan.
Step 7 - A Tested Plan

Finally, no recovery plan is ever completed. It is a constantly changing and evolving document that is modified as your business changes.

One of the best ways to check the accuracy and logic of your recovery plan is to run an actual test, following the instructions outlined within, step by step. Should any errors or omissions be uncovered, changes in the plan must be made. This can be done at an offsite location, or with a table top desk exercise. An annual test should be conducted at a minimum, with a twice a year test being ideal.

BRProactive's Introduction and Guide explains the process and the required steps.

Step 7 will meet the requirements of HIPAA Implementation Specification (iiD), testing and revision procedures.
Contingency Plan Summary

Should a disaster impact your company, an up-to-date and fully functional contingency plan is priceless. However, to get one requires a price to be paid as you go.

Commitment within Step 1 gets you going. Step 2 identifies and reduces risk. Steps 3 through 5 provide you with the recovery plan and the critical information and files needed for the recovery. And finally, Steps 6 and 7 give your business a location to recover at, and a place to test your recovery plan.

BRProactive provides you with the disaster recovery plan development software, and the necessary information to become HIPAA compliant in this section of the Security Standard. It is a simple, straightforward and cost effective solution.