Successful Contingency Planning Complying With the HIPAA Security Rules - PowerPoint PPT Presentation

2
Successful Contingency Planning - Complying With
the HIPAA Security Rules
  • HIPAA COWS FALL CONFERENCE
  • September 30, 2005
  • By Gregg Tushaus, Tushaus Computer
    Services, Inc.
  • Mark T. Garsombke, Whyte Hirschboeck Dudek
    S.C.

3
WHAT IS CONTINGENCY PLANNING?
4
BROADLY SPEAKING
  • Contingency Planning is the business planning,
    processes, and procedures that an organization
    implements to address an undesired and
    potentially unforeseen or unanticipated
    non-market driven event that has a material
    negative impact on the day-to-day operations of
    the organization.

5
THE HIPAA SECURITY RULES DEFINITION OF
CONTINGENCY PLANNING IS NARROWER.
  • CONTINGENCY PLANNING MEANS: Creating and
    implementing policies and procedures for
    responding to an emergency or other
    occurrence (for example, fire, vandalism, system
    failure, and natural disaster) that damages
    systems that contain electronic protected health
    information. 45 C.F.R. 164.308(a)(7)(i).

6
There are Three Required Implementation
Specifications Under HIPAA
  • Data Backup Plan
  • Disaster Recovery Plan
  • Emergency Mode Operation Plan

7
And Two Addressable Requirements
  • Testing and Revision Procedures
  • Applications and Data Criticality Analysis

8
Approach and Context
  • HIPAA Security rules are designed to be:
      • Comprehensive
      • Technology neutral
      • Scalable
  • Organizations can satisfy the requirements by
    adopting standards that are reasonable in their
    environments.
  • Disaster: fire, vandalism, system failure, and
    natural disaster.

9
Reasonable and Appropriate
  • Best Practices
  • NIST (National Institute of Standards and
    Technology)

10
What is a Data Backup Plan?
11
Data Backup Plan Means
  • To establish and implement procedures to create
    and maintain retrievable exact copies of
    electronic protected health information. 45 C.F.R.
    164.308(a)(7)(ii)(A).
12
Disaster Recovery Plan Means
  • Establish and implement as needed procedures to
    restore any loss of data. 45 C.F.R.
    164.308(a)(7)(ii)(B).

13
Emergency Mode Operations Plan Means
  • Establish and implement as needed procedures to
    enable continuation of critical business
    procedures for protection of the security of
    electronic protected health information while
    operating in emergency mode. 45 C.F.R.
    164.308(a)(7)(ii)(C).

14

15
Testing and Revision Procedures Mean
  • Implement procedures for periodic testing and
    revision of contingency plans. 45 C.F.R.
    164.308(a)(7)(ii)(D).

16
Applications and Data Criticality Analysis Means
  • Assess the relative criticality of specific
    applications and data in support of other
    contingency plan components.
  • 45 C.F.R. 164.308(a)(7)(ii)(E).

17
CONTINGENCY PLANNING IN THE REAL WORLD
18
Contingency Plan Components
  • Disaster Recovery Plan
  • Business Impact Assessment
  • Risk Assessment
  • Risk Management Review
  • Business Continuity/Disaster Recovery Plan
  • Data Backup Plan

19
Feasibility
  • Cost
  • Perception vs. Reality

20
Prevention and Contingency
  • Hot Site, Cold Site
  • Redundancy
  • Anti-Virus
  • Security

21
Backup Plan Components
  • Identify Information
  • Schedule
  • Storage
  • Procedures
  • Ownership, Roles, Responsibility

22
Disaster Recovery Components
  • Personnel
  • Procedures
  • Technology
  • Information
  • Facilities

23
Contingency Planning Action Plan
  • Assemble a Contingency Planning Team
  • Identify All EPHI and Affected Computer Systems
    Containing EPHI.
  • Involve All Affected Departments Within
    Organization
  • Identify and Assess Risks to Organization
  • Identify and evaluate threats, vulnerabilities,
    and potential damages
  • Consider available options

24
Contingency Planning Action Plan
  • Have Legal Counsel, Compliance Department, and
    Information Technology Group Review Your Policies
    and Procedures
  • Implement and/or Update Contingency Planning
    Policies and Procedures
  • Conduct Employee Training
  • Monitor, Test, Review, and Adjust Plan in Light
    of New Threats, Vulnerabilities, and Available
    Options to Ensure It Is Effective

25
QUESTIONS?
26
Thank You.
  • Gregg A. Tushaus
    Tushaus Computer Services, Inc.
    10400 Innovation Drive, Suite 100
    Milwaukee, WI 53226
    (414) 908-2200
    greggt@tushaus.com
  • Mark T. Garsombke
    Whyte Hirschboeck Dudek S.C.
    555 E. Wells Street, Suite 1900
    Milwaukee, WI 53202
    (414) 978-5518
    mgarsombke@whdlaw.com