OCR: We Want to See Contingency Plans
When the Department of Health and Human Services' Office for Civil Rights will conduct audits of organizations' compliance with the HIPAA security rule, a comprehensive business continuity contingency plan is one of many pieces investigators will be looking for.
Enforcement of the security rule last year migrated from the Centers for Medicare and Medicaid Services to OCR, which has placed security rule investigators in 10 regional offices. During a session at the Safeguarding Health Information conference in Washington, David Holtzman, a health information privacy specialist at OCR, reminded attendees of the security rule's requirements for contingency plans. They must respond to emergencies that damage systems containing electronic protected health information due to fire, theft, vandalism, natural disaster or system failure.
That means data back-up and disaster recovery plans are required, Holtzman says. Questions an organization being investigated can expect to be asked include: Do you have a disaster recovery plan? What do you do on Day One of an emergency? Do you periodically test your emergency plan?
OCR officials are not going to march out and check everyone's plan, Holtzman says, "But it is an issue we will be asking about as we contact organizations regarding an incident and conduct compliance audits."
The National Institute of Standards and Technology has multiple publications on contingency plans for information systems, including NIST SP 800-34, which essentially is a primer to get started. "You can use these documents that NIST prepares, they have lots of stuff for any business," says Marianne Swanson, a senior advisor for information systems security. "And if you use them in sequence, they start to make sense."
Other useful guides include NIST 830 (risk assessment), 853A (assessing security controls) and 800-39 (enterprise risk management). Also available is 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," which is applicable in many ways for non-federal systems. More information is available at nist.gov.