This article describes how auditing HIPAA contingency planning is performed. HIPAA contingency planning also covers security incident response requirements. The HIPAA contingency planning requirements are covered in a separate post.

HIPAA contingency planning is a term used broadly to cover security incident response procedures and contingency planning for emergency situations that may compromise protected health information. HIPAA contingency planning is one of the administrative safeguards that a covered entity must employ. Auditing HIPAA contingency planning involves checking a number of specific requirements outlined below.

Auditing HIPAA Security Incident Procedures

“Implement policies and procedures to address security incidents.” [§164.308(a)(6)]

An auditor will meet with management and inquire about the security incident response policies. The auditor will also determine whether policies exist for documenting and maintaining records of security incidents and corrective actions. These policies will then be reviewed to ensure they are sufficient and appropriate, updated on a regular basis, and communicated to the relevant personnel.

This implementation specification is required.

Auditing HIPAA Contingency Planning

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” [§164.308(a)(7)]

An auditor will determine whether a formal contingency plan exists, and whether that plan states sufficiently defined objectives and actions. The plan will be checked to ensure that applications, data, operations and processes are prioritized. The auditor will also ensure the contingency plan sufficiently details the roles and responsibilities of those responsible for electronic protected health information during an event. An auditor will also determine how the covered entity identifies and implements measures that can prevent disruptive events from occurring.

Data Backup Plan

An auditor will determine whether formal policies exist to create exact backups of electronic protected health information. The auditor will ensure the plans are sufficient and maintain the access control levels appropriate for the storage of backup data. The auditor will also ensure the backups are available for restoration. Finally, the auditor will determine whether the backup plans are approved and updated regularly.

Disaster Recovery Plan

An auditor will determine whether formal policies exist to control access to backups of electronic protected health information and related documentation in the event of a disaster. The auditor will determine whether these backups can be restored in a timely manner after a disaster event. The auditor will also determine whether the disaster recovery plans are approved and updated regularly.

Emergency Mode Operation Plan

An auditor will determine whether policies and procedures are implemented to enable operation in emergency mode while continuing to protect electronic protected health information. An auditor will review formalized plans to ensure they are sufficient to enable critical business practices in a secure way, and will also verify that these plans are approved and updated on a periodic basis.

Testing and Revision Procedures

An auditor will determine whether policies and procedures are implemented to review and test contingency plans regularly. The auditor will also determine whether these procedures sufficiently test all plans that involve electronic protected health information. An auditor will verify that the review and test procedures are approved and updated on a periodic basis.

If this requirement is not applicable or reasonable for the entity to implement, the auditor will examine formal documentation explaining why it is not implemented, and what (if any) related controls are implemented instead.

Applications and Data Criticality Analysis

A covered entity’s contingency plans and actions should be prioritized based on the relative importance of the processes and data that they cover. An auditor will not require documentation of this requirement directly; rather, all contingency plans will be reviewed to determine whether plans and actions are prioritized appropriately.

If this requirement is not applicable or reasonable for the entity to implement, the auditor will examine formal documentation explaining why it is not implemented, and what (if any) related controls are implemented instead.

Summary

HIPAA contingency planning, including security incident response and other contingency plans, is key to managing protected health information. This article describes the process of auditing HIPAA contingency planning. Successfully demonstrating to an auditor that these requirements are appropriately addressed in your information security plan is key to being HIPAA compliant and avoiding penalties.