OCR issues reminders for disaster preparedness

PARCA eNews – Sept. 13, 2017 – In the wake of hurricanes Harvey, the Office of Civil Rights (OCR) that administers HIPAA, issued a reminder for protection of healthcare information during disasters and recovery.

OCR’s guidance reiterated that the HIPAA Security Rule – § 164.308(a)(7) – requires contingency plans to include a data backup plan, disaster recovery plan, and emergency mode operation plan.
These are all required elements of the HIPAA Security Rule including:

• The data backup plan must ensure retrievable, exact copies of electronic protected health information are created and maintained 
• The disaster recovery plan must ensure any data lost during a natural disaster or emergency can be recovered from backups 
• During emergency mode, security processes to protect ePHI must be maintained, even during power outages and technical failures 
• Procedures ensure data can be quickly recovered. 
• The guidance also emphasized that covered entities need to regularly test their contingency plans and revise them as necessary and priorities must be set for data backup, emergency operations, and disaster recovery. 

The OCR also pointed to its webpage offering an interactive tool for emergency preparedness for maintaining security of health information.

Source: HIPAA Journal