The contingency plan falls under the HIPAA Security Rule 164.308(a)(7)(i) which is under the Administrative Safeguards. The plan addresses the security principle of “availability” which addresses some of the risks and threats related to business disruption and ensuring protected information can still be accessed by authorized individuals whenever necessary.

Definition and Scope

The contingency planning or Business Continuity Planning (BCP) of an organization is about the implementation and use of strategies involving, procedures, technical measures, and plans necessary for the recovery of lost data, operations, and systems in the event of a business disruption. The BCP is all about developing particular procedures, policies, and processes that are necessary for hastening the recovery of a business’s systems and operations within a targeted time frame. Well, the main aim is to ensure that the risk levels are at a manageable level without compromising on costs that may otherwise, have an impact on your workforce, customers, and suppliers.

A Business Impact Analysis is normally carried out at the start of the disaster recovery or continuity planning to ensure any areas that could be a serious threat to an entity’s financial status or operations in case of disruption are arrested on time. This is normally to identify areas that are crucial to the running and operation of any business and assess the time taken for the business to recover fully in case of such a loss.

Definition of Contingency Plan in HIPAA regulation:

The contingency plan standard definition is in the HIPAA Security Rule under the Administrative Safeguards section. Other related requirements of the Contingency Plan are found in the implementation specification under the Physical Safeguards and Technical safeguards Section according to the HIPAA Laws.

HIPAA Citation HIPAA Security Rule Standard Implementation Specification Implementation
164.308(a)(7)(i) Contingency Plan
164.308(a)(7)(ii)(A) Data Backup Plan Required
164.308(a)(7)(ii)(B) Disaster Recovery Plan Required
164.308(a)(7)(ii)(C) Emergency Mode Operation Plan Required
164.308(a)(7)(ii)(D) Testing and Revision Procedures Addressable
164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis Addressable
164.310(a)(1) Facility Access Controls
164.310(a)(2)(i) Contingency Operations Addressable
164.310(d)(1) Device and Media Controls
164.310(d)(2)(iv) Data Backup and Storage Addressable
164.312(a)(1) Access Control
164.312(a)(2)(ii) Emergency Access Procedure Required

Data Backup Plan (Required)164.308(a)(7)(ii)(A)

Data Backup Plan is a Contingency Plan standard which is a required implementation specification according to the HIPAA Security rule under the Administrative Safeguards section.

The core objective of the Data backup plan is to create and establish procedures necessary to ensure the maintenance and retrievable exact copies of stored EPHI. Therefore, this is an updated and documented plan that will ensure the creation and maintenance of data that can be retrieved as an exact copy in event of a disruption. Otherwise, a successful backup plan is normally dependent on an entity’s processes and batch activities.

Disaster Recovery Plan (Required)164.308(a)(7)(ii)(B)

The disaster recovery plan is one of the Contingency Plan standards and an implementation specification requirement of the HIPAA security rule under the Administrative Safeguards section.

Therefore, the core objective of the Data backup plan is to create procedures and processes that will assist the restoration of any lost data in case of disaster, vandalism, or system failure. This plan is crucial especially in the case of natural catastrophes which may disrupt access to such data for a long period of time. This should also mean that the recovery plan which uses a designed IT plan should ensure the restoration of a system, computer, or application to a former state after the emergency.

The recovery plan also explains some of the data, processes, and actions necessary to ensure the restoration of a business’s operations after a disaster. This will also entail creating an inventory of all the sensitive data and systems that will be necessary to foster the restoration of an entity’s activity to an alternate state.

Emergency Mode Operation Plan (Required)164.308(a)(7)(ii)(C)

The emergency mode operation plan is one of the implementation specification requirements of Contingency Plan standards of the HIPAA Security rule under the Administrative Safeguards section.

The emergency mode operation plan is to ensure the continuity of a business’s operations through established rules and procedures and still ensure the protection of EPHI while in the emergency mode. Otherwise, this operation plan is meant to assist an entity in resuming its normal operations in the event of a disaster, emergency, vandalism, or system failure. It is usually advisable that you plan adequately for the emergency mode operation testing in terms of allocation of resources, budgeting, and creating a schedule.

Testing and Revision Procedures (Addressable)164.308(a)(7)(ii)(D)

This is a contingency plan standard and an addressable implementation specification of the HIPAA security rule under the Administrative Safeguards section.

The main aim of these procedures is to ensure that there are procedures put in place for the revision and testing of contingency plans. The main goal should be to process the periodic testing of written contingency plans to identify weaknesses and make necessary revisions to the documentation. Otherwise, without such testing, there is no telling how successful a test will be.

Applications and Data Criticality Analysis (Addressable) 164.308(a)(7)(ii)(E)

This is an addressable implementation specification according to the contingency plan standard of the HIPAA security rule under the Administrative Safeguards section.

The Criticality Analysis forms the basis or platform in which specific applications and data can be assessed in terms of their support and criticality to other contingency plan components. This is meant to assess the sensitivity of risks, weaknesses, and security of the information the entities can access, use, store or transmit. The procedure starts with data inventory and an application.

Contingency Operations (Addressable) 164.310(a)(2)(i)

The Contingency operation is one of the addressable implementation specifications of the HIPAA security rule and a standard of the Facility Access Controls under the Physical Safeguards section.

The main aim of contingency operations is to work on processes that can assist the facility to access its restored data under the emergency operation mode plan and the disaster recovery plan in case of an emergency. On the other hand, physical security cannot be overlooked when it comes to disaster and business continuity planning. In addition, administrative controls necessary for physical access must be established to ensure contingency operations run as planned in the plans.

Data Backup and Storage (Addressable) 164.310(d)(2)(iv)

The Data backup and storage is one of the Device and Media control standards and an implementation specification of the HIPAA security rule under the Physical Safeguards sections.

One of the key standards of this rule is that a covered entity has to ensure that it has a retrievable exact copy of EPHI whenever it is needed before moving equipment. It is important to ensure consistent backup of any data to ensure that the organization can still access its latest data in the event of a disaster or system failure. In addition, this will reduce the risks of losing critical data which is quite common if a database is not updated consistently.

Emergency Access Procedure (Required) 164.312(a)(2)(ii)

The Emergency Access Procedure is a key implementation specification requirement of the HIPAA security rule under the Technical Safeguards section within the Access Control Standard.

The main aim of the Emergency Access Procedure is to foster procedures that will assist access of EPHI during an emergency. Even though Emergency access is quite different from access in normal situations they are a key to access control and specifically during emergencies.

Contingency Planning: 7 Steps

Some of the seven steps recommended by the Nation Institutes of Standards and Technology are as follows:

  1. Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
  2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
  3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
  4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
  5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
  6. Plan testing, training, and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
  7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

How can Supremus Group help your Compliance efforts?

We can help you in three different ways depending on your need, involvement, time, available resources, and budget.
OPTION 1: If you are in a hurry to complete the HIPAA Security Contingency Plan and you don’t have internal resources to completely devote to this project then we can independently complete the project for you. The only involvement required will be providing information about your infrastructure, policies, processes, and current contingency plan, if any.

OPTION 2: If you have internal staff members who can completely devote their time to this project but don’t know the methodology, we will provide a project manager to work with your team and help to complete the Contingency plan document.

OPTION 3: If you have all the necessary resources for Business Continuity Planning and BIA project but need to save time on documentation, you can use our HIPAA Contingency Plan Template Suite documents. Many IT Security consulting companies, HIPAA consultants, and hospitals are using our HIPAA Contingency plan templates in their projects.

View HIPAA Security Policies and Procedures

Let us help you with your Contingency planning project.

Please contact us for more information at or call (515) 865-4591