When HIPAA was enacted, major emphasis was placed on patient privacy and on the portability of records. Both of these points are addressed in the HIPAA Security Rule. Business continuity became a requirement within this security rule not only because of patient privacy concerns but also because of portability: a patient's healthcare record needs to be readily available when requested. To this end, section 164.308(a)(7) of the security rule details what an organization must do to comply with HIPAA regarding a Contingency Plan. Within the rule itself, 3 implementation specifications are required and 2 additional ones are addressable (not strictly required). Those elements are as follows:
| HIPAA Citation | HIPAA Security Rule Standard / Implementation Specification | Implementation |
| --- | --- | --- |
| 164.308(a)(7)(i) | Contingency Plan | Overview |
| 164.308(a)(7)(ii)(A) | Data Backup Plan | Required |
| 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable |
HIPAA Business Continuity – Who Must Comply?
With the passage of ARRA (the American Recovery and Reinvestment Act), the types of organizations that must comply with the HIPAA Security Standard greatly expanded. Prior to February 2009, only health care providers, health plans and health care clearinghouses were considered 'covered entities' and were therefore required to comply. ARRA expanded the definition of covered entities to include 'Business Associates', or vendors. These business associates are now not only required to follow the HIPAA privacy and security standards, but may also be subject to civil and criminal penalties as well as enforcement proceedings for violations of HIPAA. Now more than ever, if your organization touches a medical record, it is wise to comply with the provisions of the HIPAA Security Rule.