HIPAA Security Rule
§ 164.308(a)(7) Contingency Plan
The Contingency Plan standard requires covered entities to:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain

- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Testing and Revision
- Applications and Data Criticality Analysis
Data Backup Plan (Required)
“Establish and implement procedures to create and maintain retrievable exact copies of ePHI”
- What ePHI must be backed up?
- Have we included all data sources?
- Have we considered various backup
- Is our backup data stored in a safe secure
Disaster Recovery Plan (Required)
“Establish (and implement as needed) procedures to restore any loss of data.”
- You may already have a DR plan – does it address ePHI?
- What specific threats do you face?
- Does it address what data is to be restored?
- Is the plan readily available – during an
Emergency Mode Operation Plan (Required)
Establish procedures to enable continuation of critical business processes to protect the security of ePHI while operating in emergency mode
Emergency Mode Operation Plan
Continuity of Operations
- Determines the ability of your organization to continue its business operations
- Improves the likelihood that your facility will survive and recover from events that impact business operations
Moving Towards Cloud
- Continuous up-time?
- What is downtime costing your
- Is cloud computing an option?
- What other risks does cloud computing invite?
Testing and Revision Procedures (Addressable)
“Implement procedures for periodic testing and revision of contingency plans.”
- Have we documented our processes?
- Does everyone understand their role?
- Have we actually practiced and tested our procedures?
- What did we learn?
- How should we change our plan?
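The Data Backup Plan asks for "retrievable exact copies" of ePHI, and the Testing and Revision specification asks whether those procedures have actually been practiced. The script below is an added example, not part of the presentation: it records a SHA-256 manifest of a source tree at backup time, restores the backup into a scratch directory, and checks every restored file against the manifest, so a silently corrupt or incomplete restore is caught during a drill rather than during a real outage. The directory names, file names and record contents are constructed sample data, and the manifest format (a JSON map of relative path to SHA-256 digest stored beside the backup) is this example's own design choice, not something the Security Rule prescribes.

```python
"""Backup-and-restore verification drill (added example, not from the slides).

A backup only satisfies "retrievable exact copies" if it can be restored and
the restored data is bit-for-bit identical to the source. This drill:
  1. builds a SHA-256 manifest of a constructed source tree,
  2. copies the tree to a backup location and stores the manifest with it,
  3. restores the backup into a scratch directory,
  4. verifies every file in the restore against the manifest.
All paths and contents are constructed sample data (hypothetical names).
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX separators) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns lists of files that match, files whose content differs
    (corrupt or modified) and files that are missing from the restore.
    """
    report = {"ok": [], "mismatch": [], "missing": []}
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif sha256_file(candidate) != expected:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def run_drill(fault: Optional[str] = None) -> dict:
    """Run the full drill on constructed data and return the verification report.

    fault=None      -> clean restore, every file should verify
    fault="corrupt" -> one restored file is altered, should be reported as mismatch
    fault="missing" -> one restored file is deleted, should be reported as missing
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr_source"   # constructed stand-in for the live system
        backup = Path(tmp) / "backup"    # constructed backup target
        restore = Path(tmp) / "restore"  # scratch location used only for the drill

        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_0001.txt").write_text("constructed sample record A\n")
        (src / "records" / "patient_0002.txt").write_text("constructed sample record B\n")
        (src / "config.ini").write_text("[app]\nversion=1\n")

        manifest = build_manifest(src)
        shutil.copytree(src, backup)
        # Keep the manifest with the backup so it is available at restore time.
        (backup / ".manifest.json").write_text(json.dumps(manifest, indent=1))

        shutil.copytree(backup, restore)
        if fault == "corrupt":
            (restore / "records" / "patient_0002.txt").write_text("bit flip\n")
        elif fault == "missing":
            (restore / "config.ini").unlink()

        stored = json.loads((restore / ".manifest.json").read_text())
        return verify_restore(stored, restore)


if __name__ == "__main__":
    for scenario in (None, "corrupt", "missing"):
        print(scenario or "clean", json.dumps(run_drill(scenario)))
```

Running the script prints one report per scenario; in a real drill the restore target would be an isolated environment rather than a temporary directory, and the manifest should be protected (for example signed or stored separately) so that a tampered backup cannot also carry a matching tampered manifest.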
Applications & Data Criticality Analysis
- Review critical computer and electronic systems
- Identify applications critical to patient care
Questions and Discussion
