HHS Emphasizes Contingency Planning in Promoting PrepareAthon! National Day of Action on April 30

The Department of Health and Human Services (HHS) is promoting PrepareAthon! National Day of Action on April 30 with an emphasis on health care providers meeting the HIPAA Security Rule requirement for Contingency Plans.

In an April 11, 2014 press release, HHS announced the PrepareAthon! as a campaign to ensure every community’s ability to withstand disaster. While much of the press release encourages individuals and communities to participate, the press release also announces the HHS Office of the National Coordinator for Health Information Technology’s release of a video game and a video to help health care providers prepare for disaster. The video, which is just under seven minutes, educates health care providers on their requirements under the HIPAA Security Rule to have a contingency plan.

The HIPAA Security Rule at 45 C.F.R. §308(a)(7) requires covered entities and business associates to have contingency plans in place for responding to emergencies, including natural disasters, that could damage systems containing electronic protected health information (ePHI). Three out of the five implementation specifications are required: (1) data backup plan; (2) disaster recovery plan; and (3) emergency mode operation plan. The final two elements, testing and revision of procedures, and applications and data criticality analysis, are considered addressable. For an addressable element, the covered entity or business associate must assess whether the implementation specification is reasonable and appropriate, and then either implement the specification if it is, or document why it is not and implement an equivalent alternative if that alternative is reasonable and appropriate.

A sample contingency plan was published in 2008 by the National Institute of Standards and Technology (NIST). In addition, the Office of the National Coordinator for Health Information Technology published a self-assessment for contingency planning, with the warning that while there is overlap with the Security Rule, this tool focuses on patient safety and cannot be used to demonstrate compliance with HIPAA.
