Disaster recovery plans are critical for any business, but the stakes are particularly high for healthcare organizations and businesses that handle healthcare data.
HIPAA regulations set forth requirements for organizations to create and implement contingency plans that enable the organization to continue to operate, even in times of disaster. Organizations that fail to create and implement such plans face severe financial penalties.
The first step in creating a HIPAA disaster recovery plan is to review the HIPAA requirements for covered entities. These are organizations that are subject to HIPAA regulations.
HIPAA section 164.308(a)(7)(i) states that covered entities must "establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."
Steps to implement a HIPAA disaster recovery plan
Although the regulations give covered entities freedom to choose the products and methods they will ultimately use in the HIPAA disaster recovery plan, HIPAA does establish some basic requirements for the contingency plan. These requirements are outlined in HIPAA section 164.308(a)(7)(ii).
These implementation specifications require the organization to create or address the following:
- Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
- Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
- Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
- Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
- Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
Organizations can address these requirements with standard business continuity and disaster recovery (BCDR) activities. Along with data backup and BCDR plans, activities that can aid in these processes include risk assessments, business impact analyses (BIAs) and tabletop exercises.
Risk assessments will highlight the most likely threats to the healthcare data, and a BIA will inform the organization of the potential repercussions of those risks on the business. A BIA will also address the impact of disruptive events on specific applications and areas of the business, so it can give organizations insight into the risks their healthcare data and applications may face.
A tabletop exercise can enable an organization to run through a theoretical disaster from start to finish. These exercises can help BCDR teams refine their procedures and contingency plans to recover data quickly.
Penalties for noncompliance
When a covered entity fails to comply with any of the HIPAA provisions, it is considered a HIPAA violation. Other HIPAA violations include failing to comply with HIPAA security, privacy, or breach notification rules.
HIPAA violations are categorized into four tiers. The first tier covers unintentional violations by an organization that is unaware that a violation exists and that has made a reasonable effort to adhere to all the HIPAA provisions.
The second tier applies to unintentional violations that the organization should have been aware of. Tier 3 covers situations of willful neglect, but where the organization has attempted to correct the violation. Tier 4 covers violations involving willful neglect, where the organization has made no effort to fix the violation.
Penalties vary based on the category of the violation. The chart below outlines the basic HIPAA penalties. These values are adjusted for inflation each year.
|Minimum fine per violation
|Maximum fine per violation
It is worth noting that HIPAA violations can also carry criminal penalties. Criminal violations are handled by the U.S. Department of Justice. There are three criminal tiers of HIPAA violations, with possible jail time ranging from a minimum of one year to 10 years in prison.