Covered Entity: A “Covered Entity” under HIPAA is a Health Care Provider who transmits any health care information in electronic form in connection with a covered transaction; a Health Plan (e.g., a payer or insurer); or a Health Care Clearinghouse. If you are covered, you must analyze your business processes and determine the best course of action toward compliance.
Business Associate: A “Business Associate” under HIPAA is one who conducts an activity involving the use or disclosure of protected health information on behalf of a covered entity. Business associates are also required to comply with the Security Rule standards, effective February 17, 2010.
Here are the important HIPAA rules as they relate to the Business Continuity and Disaster Recovery arena. This is not legal advice and should not be construed as such, but rather a starting point for businesses to ascertain their data backup and disaster recovery compliance requirements under HIPAA.
HIPAA Privacy Rule: The Privacy Rule applies to all forms of patients’ Protected Health Information (PHI), whether electronic, written, or oral. It sets the standards for, among other things, who may have access to PHI in any of those forms. The Privacy Rule requires covered entities to have in place appropriate administrative, physical, and technical safeguards and to implement those safeguards reasonably.
HIPAA Security Rule: The Security Rule applies only to electronic PHI (EPHI), while the Privacy Rule applies to PHI in electronic, oral, and paper form. The Security Rule sets the standards for ensuring that only those who should have access to EPHI actually have access. This covers EPHI that is created, received, maintained or transmitted; for example, EPHI may be transmitted over the Internet or stored on a computer, a CD, a disk, magnetic tape, or similar media. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally. The Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
§ 164.308(a)(7) is the “Contingency Plan” standard, the seventh standard under the Administrative Safeguards of the HIPAA Security Rule; its implementation specifications are numbered § 164.308(a)(7)(ii)(A) through (E). Each set of safeguards consists of a number of standards, which, in turn, generally consist of a number of implementation specifications that are either required or addressable. An “implementation specification” is an additional detailed instruction for implementing a particular standard.
The “Contingency Plan” standard has five implementation specifications: three are Required and two are Addressable. Please be aware that Addressable does not mean optional. Paraphrasing from HIPAA:
“If an implementation specification is required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires. If an implementation specification is addressable, then the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity’s environment. This involves analyzing the specification in reference to the likelihood of protecting the entity’s EPHI from reasonably anticipated threats and hazards. If the covered entity chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure.”
1. Data backup plan (Required) § 164.308(a)(7)(ii)(A) requires covered entities to:
“Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
2. Disaster recovery plan (Required) § 164.308(a)(7)(ii)(B) requires covered entities to:
“Establish (and implement as needed) procedures to restore any loss of data.”
3. Emergency mode operation plan (Required) § 164.308(a)(7)(ii)(C) requires covered entities to:
“Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”
4. Testing and revision procedures (Addressable) § 164.308(a)(7)(ii)(D): where the Testing and Revision Procedures implementation specification is a reasonable and appropriate safeguard for the covered entity, the covered entity must:
“Implement procedures for periodic testing and revision of contingency plans.”
This implementation specification applies to all of the other implementation specifications under the Contingency Plan standard, including the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan.
5. Applications and data criticality analysis (Addressable) § 164.308(a)(7)(ii)(E): where this implementation specification is a reasonable and appropriate safeguard for the covered entity, the covered entity must:
“Assess the relative criticality of specific applications and data in support of other contingency plan components.”
This implementation specification requires covered entities to identify their software applications (applications that store, maintain or transmit EPHI) and determine how important each is to patient care or business needs, in order to prioritize them in the data backup and disaster recovery plans.
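Items 1, 2 and 4 above (data backup, disaster recovery, and periodic testing) all turn on one property that can be checked rather than asserted: a restore must yield exact copies of what was backed up. The following is an added example, not code from the original page or from any HIPAA guidance, of one way to make that property testable. It assumes a file-based backup: each backup is written together with a manifest of SHA-256 digests and sizes, a restore is verified against that manifest, and a drill function runs the whole cycle on constructed sample records (not real patient data) and confirms that a silently corrupted restore is detected.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large EPHI stores do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_root: Path) -> Path:
    """Copy every file under `source` into `backup_root/data` and write a manifest
    (relative path -> sha256 and size). The manifest is what later proves the
    backup is an 'exact copy' rather than merely a copy that exists."""
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = backup_root / "data" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        manifest[rel] = {"sha256": sha256_of(src), "size": src.stat().st_size}
    manifest_path = backup_root / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def restore_backup(backup_root: Path, target: Path) -> int:
    """Restore the backed-up tree into `target`; returns the number of files restored."""
    data = backup_root / "data"
    count = 0
    for src in data.rglob("*"):
        if src.is_file():
            dst = target / src.relative_to(data)
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            count += 1
    return count


def verify_restore(manifest_path: Path, restored: Path) -> list:
    """Compare a restored tree against the manifest. Returns a list of problems;
    an empty list means every file is present, the right size, and hash-identical."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != expected["size"] or sha256_of(p) != expected["sha256"]:
            problems.append(f"mismatch: {rel}")
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - set(manifest)))
    return problems


def run_restore_drill() -> dict:
    """A periodic restore test: back up, restore, verify, then tamper with one
    restored file and confirm the verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ephi" / "records"
        source.mkdir(parents=True)
        # Constructed sample records standing in for EPHI; not real patient data.
        (source / "patient-0001.json").write_text('{"mrn": "0001", "dx": "J45.909"}')
        (source / "patient-0002.json").write_text('{"mrn": "0002", "dx": "E11.9"}')

        manifest = create_backup(root / "ephi", root / "backup")
        restored = root / "restored"
        files = restore_backup(root / "backup", restored)
        clean = verify_restore(manifest, restored)

        # Simulate silent corruption (bit rot, a failed partial write) of one restored file.
        (restored / "records" / "patient-0002.json").write_text('{"mrn": "0002", "dx": "E11.9 "}')
        corrupted = verify_restore(manifest, restored)

        return {"files": files, "clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    print(run_restore_drill())
```

In practice the manifest would be stored separately from the backup media (or signed), so that a tampered backup cannot also rewrite the evidence used to check it, and the drill's output would be retained as the record that the testing and revision procedure was actually carried out.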
As you can see, the “Contingency Plan” standard, with its required and addressable implementation specifications, places a tremendous responsibility on all Covered Entities (healthcare providers, health plans, healthcare clearinghouses) as well as their Business Associates to implement appropriate Backup and Disaster Recovery plans, so that all electronic protected health information remains secure and can be accessed and restored securely during and after an unforeseen disruptive event. Even if your business is not covered under any federal or state regulation, having a written Disaster Recovery plan must be considered a business priority, as it can be the difference in ensuring your business survives a disaster. I plan to address the “Contingency Plan” implementation requirements in more detail in future blogs.