A contingency plan should help an organization return to its daily operations as quickly as possible following an unforeseen event. The contingency plan should protect resources while minimizing inconveniences for patients, customers, and the organization.
Contingency Plans are Critical
According to recent suggestions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), contingency plans are critical to protecting the security of data. Contingency plans should consider not only how to respond to disasters such as fires and floods, but also cyberattacks. software such as ransomware may render an organization's data unusable. In the event data is compromised due to a cyberattack, restoring the data from backups may be the only option to recover the data. The guidance discusses what is required for a HIPAA contingency plan, including:
- Disaster Recovery Plan: Emphasized restoring an organization's protected health data.
- Emergency Mode Operation Plan: Focused on maintaining and protecting critical functions that protect the security of protected health data.
- Data Backup Plan: Established regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.
The Key Steps of Contingency Planning Include:
Make it Policy: A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
Pinpoint what is Critical: Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.
Identify Risks, Threats, and Preventative Controls: Perform a risk analysis to find the risks that your business may face. What has the potential to harm your operations and data?
Create Contingency Procedures: Set up the specific guidelines, conditions, and procedures when creating the contingency plan.
- The goal is to maintain critical operations and minimize loss.
- Define time periods What must be done during the first hour, day or week?
- Establish Plan Activation Which event(s) will cause the activation of the contingency plan? Who can activate it?
- Using plain language the plan should be understandable to all types of employees.
Operationalize & Maintain the Plan: Add the plan into normal business operations.
- Communicate and share the plan, roles, and responsibilities with the organization.
- Create a testing schedule for the plan, to identify gaps and ensure updates for plan effectiveness.
- Review the plan on a regular basis and situationally.
Did you know Healthcare Compliance Pros helps organizations with contingency planning efforts? Feel free to contact us if you have any questions about contingency plans or any of the contingency planning requirements discussed above. Please send us an email: support@hcp.md or contact us by phone: 855-427-0427.