After the Risk Assessment, Then What? Planning for Emergency Events

As we noted previously, there are numerous requirements for HIPAA compliance.  Being prepared for future emergency events is often identified in the Risk Assessment as a HIPAA compliance requirement that needs to be addressed.

Preparing for future events is often overlooked by many healthcare entities.  Just dealing with the issues of the day can take up the majority of your time.  However, being prepared for future events, besides being a HIPAA requirement, also makes good business sense.

What HIPAA calls “Contingency Planning” is what most businesses call “business continuity/disaster recovery.”  HIPAA requires plans for continued daily operations – a data backup plan, a disaster recovery plan, and an emergency mode operation plan.  Testing and revising these contingency plans is highly recommended.  All of these are elements of business continuity/disaster recovery.

Planning for unexpected natural or man-made disasters allows your business to be prepared for such events.  Other things to consider include:

  • Emergency Plans vs. Disaster Recovery Plans: know the difference and have both.
  • Remote colocation facilities make recovery easier.
  • The cloud makes off-site data storage easier.
  • Move to secure, encrypted backups at all three tiers: local, remote (co-lo), and cloud.
  • Have a diagram of the top two tiers of applications, along with the servers and networks needed to recover them.
  • Automatic failover simplifies testing: just fail over to your backup location quarterly.

With high-speed networks, remote locations, co-location data centers, and cloud services – it is now far easier to plan for disaster recovery as you roll out new hardware and services.

In addition to Contingency Planning, Breach Awareness/Notification Planning needs to be in place as well.  In the event of a data breach involving unsecured PHI, there are requirements regarding:

  • the notification of individuals whose PHI has been breached,
  • the timeframes for such notification,
  • the manner of notification, and
  • the content of the information contained in the notification.

In addition:

  • If the breach involved more than 500 individuals in one state, notices to the media are required.
  • In most cases, notification to the federal Department of Health and Human Services (HHS) is required.

Having a plan in place ahead of time to address all of these requirements is essential to a healthcare entity.  Here's an outline from our Disaster Recovery Plan to help you get started.


If you are interested in knowing where to start, try Third Rock’s HIPAA Quick-Check™.  This is a mini risk assessment that will let you know very quickly your level of HIPAA compliance regarding the major areas of HIPAA (annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.).  Remember, this is not a full risk assessment; it is just a Quick-Check.

Articles in the series:

  1. How to get Started: Risk Assessment
  2. Breach Detection
  3. Education
  4. Data Protections
  5. Planning for Emergency Events (This Article)
