HIPAA Security Compliance 101 - Lesson 2

HIPAA Compliant Disaster Recovery

HIPAA says you MUST have a Disaster Recovery Plan and an Emergency Mode Operations Plan, but gives limited advice about what should go into them.  These plans should be coordinated with your Backup Plan.

Typical Emergency Scenarios:

  • Internet access down
  • Internal network failure
  • Critical system failure (e.g., EHR down)
  • Natural disaster (storm, flood, etc.)

Disaster Recovery (DR) Plan - identify the processes needed to restore critical data, systems and operations in the event one of the above scenarios occurs.  Common elements include:

  • Staff and resources required to execute recovery
  • Accessing and reloading backups; restoring failed systems (in order of criticality)
  • User and vendor communication strategy

Emergency Mode Operations Plan - describe how operations will continue (with PHI still protected) for each type of emergency.  Common topics include:

  • Switching to backup servers & networks or manual processes (e.g., paper records)
  • Where/how to record ongoing patient data updates
  • User and vendor communication strategy

To protect your data and operations from a natural disaster, your backup data MUST be stored in a remote location.  See HIPAA Compliant Backups for further information.

Your DR plan should specify a DR site, where your systems will be restored and operate from until your primary site is restored.

Disaster Recovery site options:

  1. Cold – power, cooling, networking but no backup servers or other IT equipment
  2. Warm – contains backup servers, storage, switches, but not operational
  3. Hot – contains backup systems with continuous data mirroring

We recommend options (2) or (3) as (1) could involve significant downtime acquiring or setting up replacement systems.

If your critical systems are maintained “in the cloud” by vendors:

  • Make sure your vendors have a DR plan
  • Make sure you have alternate internet access or an adequate service recovery warranty
  • You are still responsible for your local systems and network

HIPAA says periodic testing of your DR plan is “addressable” for smaller organizations.  We STRONGLY recommend periodic DR testing or some form of validation of your DR plan.

Common Disaster Recovery mistakes:

  • Not having current backup copies of key software or configuration files
  • Exposing PHI during a recovery process or during emergency operations

Disaster Recovery can get complex.  We recommend involving an experienced IT professional.