HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA-Compliant Disaster Recovery

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to develop and implement contingency plans. Contingency planning ensures that in the event of a natural or man-made disaster that disrupts operations, the business can continue to function until regular services can be resumed.

A HIPAA disaster recovery plan is a critical element of contingency planning. If disaster strikes and access to systems containing patients’ protected health information is blocked, the HIPAA disaster recovery plan is implemented. The disaster recovery plan contains a set of policies and procedures to follow and assigns responsibilities to staff to ensure the fastest possible response and recovery.

The HIPAA disaster recovery plan is implemented when a hospital enters into its emergency operations mode. Emergency operations mode involves following pre-defined, tested policies and procedures that ensure health information remains secure and business operations continue while systems and services are restored. An efficient recovery is essential. The longer the recovery time, the higher the recovery cost.

In addition to covering on-premises hardware and endpoints, the plan must cover cloud-based databases, applications, and websites. Many cloud service providers offer a range of disaster recovery services to help healthcare organizations meet their compliance responsibilities and ensure the fastest possible recovery of their cloud resources.


These managed HIPAA disaster recovery services typically include backup services for public and private cloud services. Always-on protection ensures that data is continuously backed up and can be recovered up to the point when data access was lost.

Backup solutions can allow healthcare organizations to perform file-level, volume-level, and full bare-metal restorations and to restore data from a specific point in time. These services can be invaluable to busy IT departments with limited budgets and short backup windows, since they prevent data loss without adding operational burden.
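A point-in-time restore depends on having a usable chain of backups: the newest full backup taken at or before the moment access was lost, plus every incremental taken after it. The example below, added here and not taken from HIPAA Journal or any vendor, works that selection out over a constructed backup catalog and reports how much data would still be lost (the achieved recovery point) so the result can be checked against a recovery point objective. The `Backup` class, the `CATALOG` entries, and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Backup:
    """One entry in a backup catalog (constructed for this example)."""
    label: str
    kind: str            # "full" or "incremental"
    taken_at: datetime   # time the snapshot was consistent as of


# Constructed sample catalog: one full backup per day plus 6-hourly incrementals.
CATALOG = [
    Backup("full-0301",    "full",        datetime(2024, 3, 1, 0, 0)),
    Backup("inc-0301-06",  "incremental", datetime(2024, 3, 1, 6, 0)),
    Backup("inc-0301-12",  "incremental", datetime(2024, 3, 1, 12, 0)),
    Backup("full-0302",    "full",        datetime(2024, 3, 2, 0, 0)),
    Backup("inc-0302-06",  "incremental", datetime(2024, 3, 2, 6, 0)),
]


def restore_chain(catalog: List[Backup], target: datetime) -> List[Backup]:
    """Backups to apply, in order, to bring a system to its state as of `target`.

    The chain is the newest full backup taken at or before `target`, followed by
    every incremental taken after that full and at or before `target`.
    Raises ValueError when no full backup precedes the target: incrementals
    on their own cannot be restored, so the catalog is unusable for that time.
    """
    eligible = sorted((b for b in catalog if b.taken_at <= target),
                      key=lambda b: b.taken_at)
    full_positions = [i for i, b in enumerate(eligible) if b.kind == "full"]
    if not full_positions:
        raise ValueError(f"no full backup at or before {target:%Y-%m-%d %H:%M}")
    return eligible[full_positions[-1]:]


def recovery_point_gap(catalog: List[Backup], target: datetime) -> timedelta:
    """Data at risk: time between the last restorable snapshot and the target."""
    return target - restore_chain(catalog, target)[-1].taken_at


def plan_restore(target_iso: str, catalog: List[Backup] = CATALOG) -> Dict[str, object]:
    """Convenience wrapper: labels to apply and seconds of data lost, for an ISO timestamp."""
    target = datetime.fromisoformat(target_iso)
    chain = restore_chain(catalog, target)
    return {
        "apply": [b.label for b in chain],
        "lost_seconds": int(recovery_point_gap(catalog, target).total_seconds()),
    }


def meets_rpo(target_iso: str, rpo_seconds: int, catalog: List[Backup] = CATALOG) -> bool:
    """True when restoring to `target_iso` loses no more data than the RPO allows."""
    return plan_restore(target_iso, catalog)["lost_seconds"] <= rpo_seconds


if __name__ == "__main__":
    lost_access = "2024-03-02T09:00"
    plan = plan_restore(lost_access)
    for label in plan["apply"]:
        print("apply", label)
    print("data at risk (seconds):", plan["lost_seconds"])
    print("meets 4h RPO:", meets_rpo(lost_access, 4 * 3600))
```

Running the same check against a target that falls before the first full backup raises `ValueError`; surfacing that case during a planned test, rather than during a real outage, is the point of rehearsing the plan.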

Hosting providers build considerable redundancy into their systems to support their disaster recovery services. If one server fails due to a cyberattack or hardware failure, services fail over to a secondary server and, if that also fails, to a tertiary server so that service is maintained. These servers are located in multiple, geographically separate locations so that services can be maintained even in the event of a geographically widespread disaster or a highly sophisticated cyberattack.
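Whether a secondary or tertiary server is actually a safe failover target depends on more than its priority: it must be healthy, it must not sit in the same location as the failure when the failure is regional, and it must not be so far behind the primary that promoting it would lose more data than the recovery point objective permits. The example below, added here and not taken from HIPAA Journal or any provider, expresses those checks over a constructed set of replicas; the `Replica` class, the `REPLICAS` entries, the region names, and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Replica:
    """A standby server that could be promoted (constructed for this example)."""
    name: str
    region: str
    priority: int            # 1 = secondary, 2 = tertiary, ...
    healthy: bool            # result of the most recent health probe
    replication_lag_s: int   # seconds of data the replica is behind the primary


# Constructed example: the secondary shares the primary's region, the tertiary
# is in another region but lags, and the last replica is currently unhealthy.
PRIMARY_REGION = "us-east"
REPLICAS = [
    Replica("db-secondary",  "us-east",    1, True,  2),
    Replica("db-tertiary",   "us-west",    2, True,  45),
    Replica("db-quaternary", "eu-central", 3, False, 0),
]


def failover_order(replicas: List[Replica], failed_region: Optional[str],
                   max_lag_s: int) -> List[Replica]:
    """Replicas eligible for promotion, best first.

    `failed_region` is None for a single-server failure (the region is still up)
    and the region name for a regional disaster, in which case every replica in
    that region is excluded. A replica whose lag exceeds `max_lag_s` (the RPO)
    is excluded because promoting it would lose more data than policy allows.
    Ordering is by configured priority, then by the least lag.
    """
    eligible = [
        r for r in replicas
        if r.healthy
        and r.region != failed_region
        and r.replication_lag_s <= max_lag_s
    ]
    return sorted(eligible, key=lambda r: (r.priority, r.replication_lag_s))


def choose_failover_target(replicas: List[Replica], failed_region: Optional[str] = None,
                           max_lag_s: int = 60) -> Optional[str]:
    """Name of the replica to promote, or None when no safe target exists."""
    order = failover_order(replicas, failed_region, max_lag_s)
    return order[0].name if order else None


if __name__ == "__main__":
    print("single server down:", choose_failover_target(REPLICAS))
    print("whole region down: ", choose_failover_target(REPLICAS, failed_region=PRIMARY_REGION))
    print("region down, 30s RPO:", choose_failover_target(REPLICAS, PRIMARY_REGION, max_lag_s=30))
```

The `None` result is deliberate: an automated failover that cannot find a target meeting the health, location, and lag conditions should stop and page a person rather than promote an unsuitable server, and that branch is worth exercising in a disaster recovery test.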

With effective contingency and disaster planning, healthcare organizations can ensure outages, cyberattacks, and natural disasters have the minimum impact and recovery is made in the shortest possible time frame.