Disaster Recovery planning and HIPAA regulations

Firms regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must approach disaster recovery (DR) planning with an eye to how regulations and compliance obligations will affect the firm after a disaster strikes, because producing a DR plan is itself a HIPAA requirement. The act, however, is written to be “technologically neutral,” which leaves each covered entity free to choose the technology best suited to its needs:

“Each entity needs to determine its own risk in the event of an emergency that would result in a loss of operations. A contingency plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given contingency plan will depend upon the nature and configuration of the entity devising it.”
– (From the Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule)

As a covered entity subject to HIPAA requirements, you must be able to prove three main things:

1. That you have conducted a formal analysis of the risks to your data, including an assessment of physical access and physical security in addition to technical threats.

2. That you have produced a DR plan with policies and procedures in place that cover backup, storage, and recovery.

3. That your plan adequately and reasonably addresses the risks identified in your analysis.

When evaluating a DR plan for HIPAA compliance, therefore, two conditions must hold: your systems must be able to move data to the DR site without violating the privacy and security standards, and if you do need to restore operations at another site, you must be able to restore all the safeguards required for that data as well.

Though HIPAA regulations are designed to make the transmission of patient and other data faster, easier and more secure, it is a difficult task for DR professionals to plan for every possible scenario. It is nonetheless essential, since the fines that can result from failing to follow the regulations can far outweigh the effort of complying with them in the first place.