Title: Successful Contingency Planning Complying With the HIPAA Security Rules
Successful Contingency Planning - Complying With the HIPAA Security Rules
- HIPAA COWS FALL CONFERENCE
- September 30, 2005
- By Gregg Tushaus, Tushaus Computer Services, Inc.
- Mark T. Garsombke, Whyte Hirschboeck Dudek S.C.
WHAT IS CONTINGENCY PLANNING?
BROADLY SPEAKING
- Contingency Planning is the business planning, processes, and procedures that an organization implements to address an undesired and potentially unforeseen or unanticipated non-market driven event that has a material negative impact on the day-to-day operations of the organization.
THE HIPAA SECURITY RULES DEFINITION OF CONTINGENCY PLANNING IS NARROWER.
- CONTINGENCY PLANNING MEANS: Creating and implementing policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. 45 C.F.R. 164.308(a)(7)(i).
There are Three Required Implementation Specifications Under HIPAA
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
And Two Addressable Requirements
- Testing and Revision Procedures
- Applications and Data Criticality Analysis
Approach and Context
- HIPAA Security rules are designed to be
  - Comprehensive
  - Technology neutral
  - Scalable
- Organizations can satisfy the requirements by adopting standards that are reasonable in their environments.
- Disaster: fire, vandalism, system failure, and natural disaster.
Reasonable and Appropriate
- Best Practices
- NIST (National Institute of Standards and Technology)
What is a Data Backup Plan?
Data Backup Plan Means
- To establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. 45 C.F.R. 164.308(a)(7)(ii)(A).
Disaster Recovery Plan Means
- Establish and implement as needed procedures to restore any loss of data. 45 C.F.R. 164.308(a)(7)(ii)(B).
Emergency Mode Operations Plan Means
- Establish and implement as needed procedures to enable continuation of critical business procedures for protection of the security of electronic protected health information while operating in emergency mode. 45 C.F.R. 164.308(a)(7)(ii)(C).
Testing and Revision Procedures Mean
- Implement procedures for periodic testing and revision of contingency plans. 45 C.F.R. 164.308(a)(7)(ii)(D).
Applications and Data Criticality Analysis Means
- Assess the relative criticality of specific applications and data in support of other contingency plan components. 45 C.F.R. 164.308(a)(7)(ii)(E).
CONTINGENCY PLANNING IN THE REAL WORLD
Contingency Plan Components
- Disaster Recovery Plan
- Business Impact Assessment
- Risk Assessment
- Risk Management Review
- Business Continuity/Disaster Recovery Plan
- Data Backup Plan
Feasibility
- Cost
- Perception vs. Reality
Prevention and Contingency
- Hot Site, Cold Site
- Redundancy
- Anti-Virus
- Security
Backup Plan Components
- Identify Information
- Schedule
- Storage
- Procedures
- Ownership, Roles, Responsibility
Disaster Recovery Components
- Personnel
- Procedures
- Technology
- Information
- Facilities
Contingency Planning Action Plan
- Assemble a Contingency Planning Team
- Identify All EPHI and Affected Computer Systems Containing EPHI
- Involve All Affected Departments Within Organization
- Identify and Assess Risks to Organization
- Identify and evaluate threats, vulnerabilities, and potential damages
- Consider available options
Contingency Planning Action Plan
- Have Legal Counsel, Compliance Department, and Information Technology Group Review Your Policies and Procedures
- Implement and/or Update Contingency Planning Policies and Procedures
- Conduct Employee Training
- Monitor, Test, Review, and Adjust Plan in Light of New Threats, Vulnerabilities, and Available Options to Ensure It Is Effective
QUESTIONS?
Thank You.
Gregg A. Tushaus
Tushaus Computer Services, Inc.
10400 Innovation Drive, Suite 100
Milwaukee, WI 53226
(414) 908-2200
greggt_at_tushaus.com
Mark T. Garsombke
Whyte Hirschboeck Dudek S.C.
555 E. Wells Street, Suite 1900
Milwaukee, WI 53202
(414) 978-5518
mgarsombke_at_whdlaw.com