According to the HIPAA Security Rule, organizations classified as “covered entities” must establish and implement policies and procedures for responding to emergency events that could damage systems containing electronic protected health information. In simple terms, all covered entities are required to have a contingency plan. It’s important to note that the same requirement for contingency planning applies to business associates, as noted in the 2013 HIPAA Omnibus Rule. In general, a business associate refers to an individual or organization that creates, receives, maintains or transmits protected health information.
In most circumstances, cloud services providers are business associates, making them equally liable for meeting the contingency plan requirements when handling ePHI on behalf of a customer that classified as a covered entity. Additionally, a CSP’s responsibility for meeting HIPAA requirements does not free your organization from its obligations to do the same.
There are numerous resources available that provide guidance for creating a contingency plan, including NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. A template is also available in Appendix G of NIST SP 800-66.