Even though these safeguards, standards and implementation specifications address different components of the Security Rule, they need to be taken as part of the whole security picture. While addressing the data backup plan implementation specification, one should not forget about data encryption, data backup and storage, the emergency access procedure and other specifications under the physical and technical safeguards that also affect the data handling and data recovery aspects of the Contingency Plan. Care should be taken to ensure the privacy, security and integrity of ePHI (electronic protected health information) at all times, whether in use, in storage or in transit.
The table below summarizes the Administrative, Physical and Technical Safeguards of the Security Rule along with their associated implementation specifications, which directly and/or indirectly affect compliance with the Contingency Plan standard.
- Conduct a comprehensive risk assessment of all systems that create, receive, maintain or transmit patient ePHI. This should include all servers (physical and virtual), workstations, network equipment, laptops, and all other mobile devices such as smartphones and tablets. The assessment should cover every point in your IT systems that can come into contact with ePHI.
- Assign a Contingency Plan officer who is accountable for the contingency planning, implementation and compliance for the organization.
- Write a formal Backup and Disaster Recovery plan that ensures business continuity in the event of a disaster.
- Implement a backup solution that regularly backs up the ePHI data ensuring the security and integrity of the backup data at all times. The backup can be tape, disk, offsite or cloud. Make sure that the backups are encrypted.
- Implement a disaster recovery plan that ensures access to ePHI in the event of an unforeseen disaster and enables the organization to recover critical data and applications as soon as possible. The plan should account for common disruptions such as power outages, internet outages and hardware crashes, as well as disruptions due to fire, flood and other disasters that are likely to occur, or have previously occurred, at the business location or in the region.
- Implement a procedure to operate in an emergency mode if there is a disaster. Ensure that all the ePHI is protected during this time.
- Ensure that all personnel are aware of and properly trained in the policies and procedures of the disaster recovery plan.
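The backup item in the list above asks for regular, encrypted backups whose integrity can be trusted. The following shell script is an added example written for this page (it is not from the original article or any vendor product) showing the minimum a backup job should do: archive a directory, encrypt the archive, record a checksum, and then prove the copy is restorable. It assumes a POSIX shell with `tar`, `openssl` and `sha256sum` available; the directory names, the key file and the sample records are constructed for the demo and are not real ePHI.

```shell
#!/bin/sh
# Added example (not part of the original page): create an encrypted,
# integrity-checked backup of a directory and prove it can be restored.
# Assumes a POSIX shell with tar, openssl and sha256sum on the PATH.
set -eu

# make_backup SRC_DIR OUT_DIR KEYFILE
# Archives SRC_DIR, encrypts the archive with AES-256-CBC (key derived with
# PBKDF2 from the passphrase in KEYFILE) and writes a SHA-256 manifest so
# tampering or bit rot in the encrypted blob is detected before any restore.
make_backup() {
    src="$1"; out="$2"; keyfile="$3"
    mkdir -p "$out"
    tar -C "$src" -cf "$out/backup.tar" .
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$out/backup.tar" \
        -out "$out/backup.tar.enc" -pass "file:$keyfile"
    rm -f "$out/backup.tar"   # never leave plaintext ePHI beside the backup
    ( cd "$out" && sha256sum backup.tar.enc > backup.sha256 )
}

# verify_backup OUT_DIR  -> exit 0 if the manifest matches, non-zero otherwise
verify_backup() {
    ( cd "$1" && sha256sum -c --status backup.sha256 )
}

# restore_backup OUT_DIR KEYFILE DEST_DIR
# Refuses to restore unless the integrity check passes, then decrypts and unpacks.
restore_backup() {
    out="$1"; keyfile="$2"; dest="$3"
    verify_backup "$out" || { echo "integrity check failed, refusing to restore" >&2; return 1; }
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$out/backup.tar.enc" \
        -pass "file:$keyfile" | tar -C "$dest" -xf -
}

# restore_matches SRC_DIR DEST_DIR  -> exit 0 if the restored tree equals the source
restore_matches() {
    diff -r "$1" "$2" >/dev/null
}

# Stand-alone demo on constructed sample data (not real patient records).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/records"
    printf 'patient-id,visit\n0001,2024-01-01\n' > "$work/src/records/sample.csv"
    printf 'constructed-demo-passphrase\n' > "$work/key"
    chmod 600 "$work/key"
    make_backup "$work/src" "$work/bak" "$work/key"
    verify_backup "$work/bak" && echo "manifest OK"
    restore_backup "$work/bak" "$work/key" "$work/restore"
    restore_matches "$work/src" "$work/restore" && echo "restore test passed"
    # Simulate corruption of the encrypted blob: verification must now fail.
    printf 'x' >> "$work/bak/backup.tar.enc"
    if verify_backup "$work/bak"; then
        echo "BUG: corruption not detected"
    else
        echo "corruption detected, restore would be refused"
    fi
    rm -rf "$work"
}
demo
```

The restore step is the part most often skipped: a backup that has never been decrypted and unpacked is only an assumption. Scheduling `restore_matches` against a scratch directory after every backup run, and keeping the passphrase file separate from the backup media, is what turns this script into evidence that the backup item is actually met.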