HIPAA requires you to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence, in order to protect protected health information (PHI). Other occurrences include the following examples:
- Fires
- Vandalism
- System failures
- Natural disasters
HIPAA Emergency and Incident Response Plans consist of these main components:
Emergency and Incident Response Team
Establish who is on the Emergency and Incident Response Team.
Key considerations:
- You can add anyone who helps organize emergency responses, such as IT, the practice manager, or a doctor.
- You do not need to add everyone, just key contacts.
Data Backup Plan
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI).
Key considerations:
- Who is responsible for backing up your critical data?
- How often and how many versions are stored?
- What method best serves your practice and protects ePHI?
- Is the data center far enough away from your practice?
- It must be in writing.
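The "retrievable exact copies" requirement is only met if you can prove a backup matches the original and can be restored. The following is an added illustration, not code from this page or from any vendor: it makes a timestamped copy of a sample folder, records a SHA-256 manifest for every file, keeps only the most recent N versions (the "how many versions" consideration), and verifies a copy against its manifest. The sample files and directory names are constructed for the demonstration; a real deployment would also encrypt the copies and send them to the off-site location your plan names.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large record exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path, keep: int) -> Path:
    """Copy every file under `source` into a new timestamped version directory,
    write a SHA-256 manifest next to the copy, and prune the oldest versions so
    that at most `keep` remain. Returns the new version directory."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    version_dir = backup_root / stamp
    while version_dir.exists():  # guard against two runs in the same microsecond
        version_dir = backup_root / (version_dir.name + "-x")
    shutil.copytree(source, version_dir / "data")
    manifest = {
        str(p.relative_to(source)): sha256_file(p)
        for p in source.rglob("*") if p.is_file()
    }
    (version_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    # Directory names start with the timestamp, so lexical order is chronological.
    versions = sorted(d for d in backup_root.iterdir() if d.is_dir())
    for old in versions[:-keep]:
        shutil.rmtree(old)
    return version_dir


def verify_backup(version_dir: Path) -> list[str]:
    """Return the relative paths whose stored copy is missing or does not match
    the manifest. An empty list means the version is an exact, retrievable copy."""
    manifest = json.loads((version_dir / "manifest.json").read_text())
    data = version_dir / "data"
    return [
        rel for rel, digest in manifest.items()
        if not (data / rel).is_file() or sha256_file(data / rel) != digest
    ]


def demo_round_trip(keep: int = 2) -> dict:
    """Constructed demonstration: back up a tiny sample tree three times with a
    retention of `keep`, verify the latest copy, then tamper with one stored file
    to show the manifest check reporting it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "ephi"  # constructed sample data, not real PHI
        (source / "records").mkdir(parents=True)
        (source / "records" / "patient-0001.txt").write_text("constructed sample record\n")
        (source / "index.csv").write_text("id,file\n0001,records/patient-0001.txt\n")
        backup_root = Path(tmp) / "backups"
        backup_root.mkdir()
        latest = None
        for _ in range(3):
            latest = create_backup(source, backup_root, keep)
        versions_kept = sum(1 for d in backup_root.iterdir() if d.is_dir())
        clean = verify_backup(latest)
        (latest / "data" / "index.csv").write_text("tampered\n")
        tampered = verify_backup(latest)
        return {"versions_kept": versions_kept, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo_round_trip())
```

Running the script prints the number of versions retained (2), an empty mismatch list for the untouched copy, and `['index.csv']` once that file is altered. The manifest is what turns "we have a backup" into evidence that the backup is an exact copy, which is also what you want to record when the plan is tested.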
Emergency Mode Operations Plan
Establish (and implement as needed) procedures to enable the continuation of critical business processes for the protection of the security of ePHI while operating in Emergency Mode.
Key considerations:
- What are the critical business processes to continue business?
- Be practical. What's critical and who is responsible for each process?
- How is ePHI being protected during Emergency Operations Mode?
- What supporting technology will be needed?
- How will patients and employees be kept updated and informed?
- The plan should be tested annually and revised as needed.
- It must be in writing. Also document testing plans and revisions.
See Create Your HIPAA Emergency and Incident Response Plans for instructions.