Does HIPAA require disaster recovery? | The Importance of Policies and Procedures

15. Does HIPAA require disaster recovery?

Answer: We’re often asked whether HIPAA requires disaster recovery. It does, and here’s why. Under the HIPAA Security Rule, the following mandated provisions are in place regarding HIPAA business continuity and disaster recovery planning:

§164.308(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Additionally, the HIPAA Security Rule provides specifics regarding the standard for “Contingency Planning”, which effectively includes the following:

  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operation plan
  • Testing and revision procedures
  • Applications and data criticality analysis
Key Components of A Comprehensive “Contingency Plan” | Business Continuity and Disaster Recovery
Remember that the language for “Contingency Plan” was authored some years ago, so it’s important to be realistic and practical regarding the mandates for such a standard. With that said, a best practice for meeting the “Contingency Plan” standard is to implement a comprehensive Business Continuity and Disaster Recovery Plan, one that includes the following provisions:

  • Critical Business Information
  • Key Personnel
  • Meeting Information
  • Potential Hazards
  • Critical Organizational Assets – Information Systems
  • Critical Organizational Assets – Prioritization of Critical Applications and Data
  • Critical Third Party Entities
  • Data Recovery Initiatives
  • Alternate Locations
  • Critical Recovery Location Supplies List
  • Miscellaneous Recovery Location Supplies List
  • Employees and Workforce Members Notification Procedures
  • Testing Procedures
  • Insurance Information

Remember that one of the most critical aspects of Contingency Planning is making sure that Protected Health Information (PHI) is backed up, with exact copies being made of such data. A best practice is to replicate one’s backup environment to another physical location, to a cloud provider, or to simply create backup tapes, ultimately having them stored at a secure third-party location. Those copies are only worth having if they can actually be restored, which is why the testing and revision procedures listed above matter as much as the backups themselves. Being able to resume operations with the exact replicated data – with minimal downtime – is the ultimate objective for a sound and comprehensive contingency plan, one which essentially incorporates numerous initiatives found within one’s Business Continuity and Disaster Recovery Plan. Lastly, don’t forget about the critical hardware and related computing resources needed to get back online, essentially going “live” with a new production environment.

And remember this – regardless of the industry or location a business is in, from HIPAA to making widgets – having a comprehensive, documented and real-world contingency plan in place is absolutely critical in today’s global economy. Imagine having no plan at all – nothing to fall back on – especially when it’s about critical customer data, such as Protected Health Information (PHI). Look, accidents happen – just look around the world we live in and we see them occur every single day – so take the right steps in ensuring the safety and security of your critical data and assets.

Download HIPAA Policies and Toolkits Today offers an industry leading HIPAA BCDRP template, along with comprehensive HIPAA specific information security and operational policies and toolkits for immediate download today, along with expert HIPAA consulting services.

If your organization is in need of a HIPAA audit, and/or SSAE 16 SOC 1 and SOC 2 assessments that include testing of HIPAA provisions and mandates, please contact Charles Denyer at 1-800-277-5415, ext. 705 with the NDB Alliance of Firms. Learn more about NDB by visiting today.