RESOURCE GUIDE
1-800-277-5415
Recent historical events such as the 9/11 terrorist attacks, followed by hurricanes Katrina
and Rita have forced health care professionals to revisit their disaster recovery plans.
Though known informally as business resumption, disaster planning, or a number of other
phrases and abbreviations, this type of due-diligence activity should be considered
paramount in today’s ever-changing and volatile world. Fortunately, many organizations
have clearly understood the need to protect their valuable health care information and other
related data. Unfortunately, just as many organizations have ignored these calls for safety
and have looked upon HIPAA as nothing more than another legislative compliance mantra
pushed down by Congress. What’s worse, HIPAA guidelines were written in such a way that
interpretation of the law was difficult along with overall enforcement being lax. Here’s what
you need to know for ensuring compliance for HIPAA as it relates to organizations such as
health plans, health clearinghouses, and certain health care providers.
"Each entity needs to determine its own risk in the event of an emergency that would result
in a loss of operations. A contingency plan may involve highly complex processes in one
processing site, or simple manual processes in another. The contents of any given
contingency plan will depend upon the nature and configuration of the entity devising it." (1)
(1) The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule; and Mike Talon of TechRepublic.
Note: A copy of the final rule regarding HIPAA security standards can be obtained by visiting the
following link: http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf
Without question, one can see that interpretation of the above passage is left directly to
the health care professional, devoid of any specific requirements from the law itself. With that
said, listed below are key items you should be concerned with for ensuring HIPAA
compliance for disaster recovery planning:
• Conduct a formal analysis of your organization’s risks and how your organization as a
whole can continue in the event of a major business interruption.
• Create a formal disaster recovery planning policy and document. These documents
can be developed internally with the aid of dozens of templates and white papers
available on the internet.
More than anything, because the HIPAA requirements for disaster recovery are vague, it's
up to your organization to use your best judgment as to what suffices for HIPAA compliance
and for overall good business practice. Talk to your I.T. experts, confirm with management,
and implement a sound, workable, and feasible plan.
Though the Department of HHS Security Standards and the SAS 70 Audit Control Objectives
are by no means a perfect, one-for-one match, the SAS 70 audit can nevertheless be
utilized to help achieve HIPAA compliance relating to information security standards.
What’s more, the SAS 70 audit can cover additional requirements as set forth by HIPAA if
these specific requirements are clearly addressed in the scope of the audit and
communicated in an effective manner to the auditors themselves.