Establishing a Contingency Plan
www.ediltd.com | info@ediltd.com

HIPAA Security Rule § 164.308(a)(7) Contingency Plan
The Contingency Plan standard requires covered entities to: "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI."

Agenda
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Testing and Revision Procedures
- Applications and Data Criticality Analysis

Data Backup Plan (Required)
"Establish and implement procedures to create and maintain retrievable exact copies of ePHI."
- What ePHI must be backed up?
- Have we included all data sources?
- Have we considered various backup methods?
- Is our backup data stored in a safe, secure place?
Sonya Christian, CIO, West Georgia Health

Disaster Recovery Plan (Required)
"Establish (and implement as needed) procedures to restore any loss of data."
- You may already have a DR plan. Does it address ePHI?
- What specific threats do you face?
- Does it address what data is to be restored?
- Is the plan readily available during an emergency?

Emergency Mode Operation Plan (Required)
Establish procedures to enable continuation of critical business processes to protect the security of ePHI while operating in emergency mode.
Continuity of Operations Planning:
- Determines the ability of your organization to continue its business operations
- Improves the likelihood that your facility will survive and recover from events that impact business operations
Moving Towards Cloud Computing:
- Continuous up-time?
- What is downtime costing your hospital?
- Is cloud computing an option?
- What other risks does cloud computing invite?

Testing and Revision Procedures (Addressable)
"Implement procedures for periodic testing and revision of contingency plans."
- Have we documented our processes?
- Does everyone understand their role?
- Have we actually practiced and tested our procedures?
- What did we learn?
- How should we change our plan?

Applications & Data Criticality Analysis (Addressable)
- Review critical computer and electronic systems
- Identify applications critical to patient care

Questions and Discussion
Don Kinser, PE, CPHIMS, President and CEO, EDI, ltd. dkinser@ediltd.com 678-213-3586
Mark Renfro, Healthcare Consultant marenfro@windstream.net 706-782-0764
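The Data Backup Plan slide asks for "retrievable exact copies" and the Testing and Revision slide asks whether the procedures have actually been practiced. The script below is an added example of the check that turns those two questions into evidence; it is not code from the slides or from EDI, ltd. It assumes ePHI lives in a plain file tree (a constructed sample of two patient records and an audit log), writes a SHA-256 manifest alongside the backup, performs a restore, and then verifies the restored tree against the manifest. The drill also simulates a silently corrupted record and a lost file so the report shows both failure modes being caught; the directory layout and file names are illustrative only.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each file (relative POSIX path) to its size and SHA-256.
    The manifest holds only paths and digests, never the ePHI itself."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def backup(source: Path, dest: Path) -> dict:
    """Copy the tree and store the manifest next to it. Keep a second copy of
    the manifest off the backup media, or a swapped-out backup set could carry
    a manifest that matches itself."""
    manifest = build_manifest(source)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)  # copy2 keeps mtime/permissions
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest: every file must be present and
    byte-identical; anything not in the manifest is flagged as unexpected."""
    findings = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, meta in manifest.items():
        p = restored / rel
        if not p.is_file():
            findings["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            findings["corrupt"].append(rel)
        else:
            findings["ok"].append(rel)
    for p in restored.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored).as_posix()
            if rel not in manifest and rel != "MANIFEST.json":
                findings["unexpected"].append(rel)
    findings["passed"] = not (findings["missing"] or findings["corrupt"])
    return findings


def run_restore_drill() -> tuple:
    """Constructed drill: back up sample records, restore them to a clean
    location and verify, then damage the restored copy and verify again.
    Returns (clean_report, damaged_report)."""
    root = Path(tempfile.mkdtemp())
    src, bak, rst = root / "ehr", root / "backup", root / "restore"
    (src / "patients").mkdir(parents=True)
    # Constructed sample data; not real patient information.
    (src / "patients" / "1001.json").write_text('{"id": 1001, "dx": "constructed sample"}')
    (src / "patients" / "1002.json").write_text('{"id": 1002, "dx": "constructed sample"}')
    (src / "audit.log").write_text("2024-01-01 constructed sample audit line\n")

    manifest = backup(src, bak)
    # Restore = copy the backup set back to an empty tree, minus the manifest.
    shutil.copytree(bak, rst, ignore=shutil.ignore_patterns("MANIFEST.json"))
    clean = verify_restore(rst, manifest)

    # Simulate bit rot in one record and a file lost during restore.
    (rst / "patients" / "1001.json").write_text('{"id": 1001, "dx": "bit rot"}')
    (rst / "audit.log").unlink()
    damaged = verify_restore(rst, manifest)

    shutil.rmtree(root)
    return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = run_restore_drill()
    print("clean restore:", json.dumps(clean_report, indent=2))
    print("damaged restore:", json.dumps(damaged_report, indent=2))
```

The point of running the drill on a schedule is the second report: a backup job that completes without error says nothing about whether the copy is retrievable and exact, and only a restore into a clean location followed by a byte-level comparison answers that. Keep the generated reports with the rest of the contingency-plan records so the "What did we learn?" step has data to work from.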