When HIPAA was enacted, major emphasis was placed on patient privacy and portability of records.  Both of these points are addressed in the HIPAA Security Rule.  Business continuity became a requirement within this security rule because of issues not just with patient privacy but also with portability of records, as a patient’s healthcare record needs to be readily available when requested.  To this end, section 164.308(a)(7) of the Security Rule details what is required for an organization to comply with HIPAA regarding a Contingency Plan.  Within the rule itself three elements are required and two additional elements are addressable (not strictly required, though the rule expects them to be implemented where reasonable and appropriate, with any decision not to do so documented).  Those elements are as follows:

HIPAA Citation          HIPAA Security Rule Standard   Implementation Specification                  Implementation
164.308(a)(7)(i)        Contingency Plan               (overview)                                    Overview
164.308(a)(7)(ii)(A)    Contingency Plan               Data Backup Plan                              Required
164.308(a)(7)(ii)(B)    Contingency Plan               Disaster Recovery Plan                        Required
164.308(a)(7)(ii)(C)    Contingency Plan               Emergency Mode Operation Plan                 Required
164.308(a)(7)(ii)(D)    Contingency Plan               Testing and Revision Procedures               Addressable
164.308(a)(7)(ii)(E)    Contingency Plan               Applications and Data Criticality Analysis    Addressable

HIPAA Business Continuity – Who Must Comply?

With the passage of ARRA – the American Recovery and Reinvestment Act – the types of organizations that must comply with the HIPAA Security Standard greatly expanded.  Prior to February 2009 only health care providers, health plans and health care clearinghouses were considered ‘covered entities’ and were therefore required to comply.  ARRA expanded the definition of covered entities to include ‘Business Associates’, i.e. vendors.  These business associates are now not only required to follow the HIPAA privacy and security standards, but may also be subject to civil and criminal penalties as well as enforcement proceedings for violations of HIPAA.  Now more than ever, if your organization touches a medical record, it is wise to comply with the provisions of the HIPAA Security Rule.
