Building the best HIPAA contingency plan
Whether by the hand of hackers or the weather gods, patient data are always at risk of being breached or lost. As the plague of cyberattacks on health systems continues, HHS' Office for Civil Rights wants healthcare organizations to establish contingency plans that keep patient data both secure and available. In fact, the HIPAA Security Rule mandates that covered entities and business associates have such plans: the contingency plan standard at 45 CFR 164.308(a)(7) requires a data backup plan, a disaster recovery plan and an emergency mode operation plan.
In their March newsletter, OCR officials urged healthcare organizations to figure out which IT systems are critical, to understand how to function in a disaster, and to back up protected health information so it can be retrieved if the original data are lost or taken offline.
What else should a contingency plan include and do? Modern Healthcare asked around:
Prioritize: "To best set priorities, one needs to understand the organization's most critical administrative and clinical processes, the associated 'information assets,' and the most critical risks to those assets," said Bob Chaput, CEO of Clearwater Compliance.
Calculate: Figure out what the financial loss would be from various business interruptions, said Janice Ahlstrom, a director with Baker Tilly. Also figure out how long you can tolerate each system being down.
Back it up: "The organizations that are good at this have actually restored from their backups and know they can restore from their backups," Ahlstrom said. "There are a lot that never test that they can restore. Some even have the backups in the same room as their systems."
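The restore test Ahlstrom describes is easy to automate. The script below is an added example written for this page, not code from the article or from any of the people quoted in it. It stands in for an EHR backup drill: it writes a handful of constructed, fictitious records, archives them to a separate "offsite" directory together with a SHA-256 manifest, restores the archive into a fresh location and proves that every file came back intact. All paths, file names and sample records are assumptions made up for the demonstration.

```python
"""Backup restore drill (added example; all data below is constructed and fictitious).

The point the article makes: a backup you have never restored is an assumption,
not a control. This drill restores into a fresh directory and compares hashes
against a manifest recorded at backup time, so a corrupted or missing file is
detected before a real outage does it for you.
"""
import hashlib
import json
import os
import tarfile
import tempfile

# Constructed stand-ins for clinical records. Not real PHI.
SAMPLE_RECORDS = {
    "patients/0001.json": '{"mrn": "0001", "name": "Test Patient A"}',
    "patients/0002.json": '{"mrn": "0002", "name": "Test Patient B"}',
    "orders/2024-01-01.csv": "mrn,order\n0001,CBC\n0002,BMP\n",
}


def write_records(root, records):
    """Populate a directory tree with the sample records."""
    for rel, content in records.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                out[rel] = hashlib.sha256(f.read()).hexdigest()
    return out


def create_backup(source, archive_path):
    """Archive the source tree and record its manifest beside the archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source, arcname=".")
    with open(archive_path + ".manifest.json", "w", encoding="utf-8") as f:
        json.dump(manifest(source), f)


def restore_backup(archive_path, target):
    """Extract the archive into target, refusing path-escaping members where supported."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # available on patched 3.8+ and 3.12+
        except TypeError:
            tar.extractall(target)  # older interpreters without the filter argument


def verify_restore(archive_path, restored_root):
    """Compare the restored tree against the manifest taken at backup time."""
    with open(archive_path + ".manifest.json", encoding="utf-8") as f:
        expected = json.load(f)
    actual = manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    extra = sorted(set(actual) - set(expected))
    return {
        "ok": not (missing or corrupted or extra),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_drill(records=SAMPLE_RECORDS, corrupt=None):
    """Full drill: create data, back it up elsewhere, restore to a fresh location, verify.

    `corrupt` optionally names a restored file to damage, to show the check catching it.
    """
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "prod")         # where the live system keeps data
        offsite = os.path.join(work, "offsite")     # backup kept apart from the source
        restored = os.path.join(work, "restore-test")
        os.makedirs(offsite)
        write_records(source, records)
        archive = os.path.join(offsite, "ehr-backup.tar.gz")
        create_backup(source, archive)
        restore_backup(archive, restored)
        if corrupt:
            with open(os.path.join(restored, corrupt), "a", encoding="utf-8") as f:
                f.write("garbage")  # simulate media damage or tampering
        return verify_restore(archive, restored)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
    print(json.dumps(run_drill(corrupt="patients/0001.json"), indent=2))
```

In a real environment the restore target would be an isolated host, the manifest would be signed and kept with the offsite copy, and the drill would run on a schedule with its result recorded as evidence for the "testing and revision" part of the plan.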
Strategize: "You want to define alternative work arrangements and procedures," Ahlstrom said. Nurses might go to 12-hour shifts, for instance, and the IT department might do the same. Meanwhile, providers might have to return to paper workflows, so make sure they know how to do that, said Lawrence Hughes, assistant general counsel for the American Hospital Association.
Test: "Test the effectiveness of the organization's resilience through tabletop exercises designed to demonstrate repeatable, efficient and effective processes to respond to manmade and natural disaster scenarios," said David Holtzman, CynergisTek's vice president of compliance strategies.
Go beyond HIPAA and think ahead: "There should be an integrated contingency plan about more than just HIPAA," Hughes said. "It's really important to stay abreast of developments around hacking and other kinds of malware and include those as part of your plan."