Did you know, as custodian of your patients' protected health information, you are required by HIPAA to create a contingency plan?
As more providers, business associates, and subcontractors engage in HIPAA risk analysis and risk assessments, it is important to appreciate where vulnerabilities lie in relation to health IT systems and what should be addressed in the required medical practice policies and procedures, including contingency and notification plans. Under the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000, and the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), procedures for responding to events that damage systems containing electronic protected health information must be created and implemented.
The functions, operations, and resources necessary to restore and resume operations, as installed at the primary and satellite locations where PHI is held, need to be identified. Additionally, the people, their contact information, and the other entities required to restore the availability, integrity, and confidentiality of the PHI need to be identified and recorded in the plan.
Certain vulnerabilities - weaknesses that a threat can capitalize on and exploit - are obvious, while others are more subtle. Below are some of the common threats that physicians and all other entities covered under HIPAA should address in their contingency plan:
• Natural disasters;
• Computer viruses;
• Deliberate attack;
• Non-disaster downtime;
• Unauthorized access;
• Data integrity loss; and
• Communication loss.
As a practice, did you know that a contingency plan is required by HIPAA? If your practice has a contingency plan, does it address every scenario that could adversely affect the integrity, confidentiality, and availability of PHI? Have you asked your IT provider about redundancy testing, backup data, and what would happen in the event of a natural disaster such as a hurricane, a flood, or a fire? Have you asked about data integrity and what happens in the event of data destruction? Is there an audit log, and are other mechanisms in place, so that a potential threat can be identified?
The list goes on, but the take-away for physicians and other HIPAA entities alike is to become HIPAA compliant, ask the right questions, and appreciate what is required in the various practice policies and procedures. Taking precautions now can greatly reduce the risk of IT threats, fines, and breaches.