HIPAA disaster recovery plan

A HIPAA disaster recovery plan is a document that specifies the resources, actions, personnel and data that are required to protect and reinstate healthcare information in the event of a fire, vandalism, natural disaster or system failure. 

The disaster recovery plan is a required implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule. The Rule calls for HIPAA-covered organizations to anticipate how natural disasters could damage systems that contain electronic health information and to develop policies and procedures for responding to such situations.

A HIPAA-compliant disaster recovery plan must state how operations will be conducted in an emergency and which workforce members are responsible for carrying out those operations. The plan must also explain how data will be moved without violating HIPAA standards for privacy and security, and how confidential data and the safeguards for that data will be restored. Although HIPAA doesn't specify exactly how to do this, it does note that failure to adequately recover from a disaster could lead to noncompliance. Failure to comply exposes officers of the organization to repercussions, such as fines or jail time.


This was last updated in June 2010
