white paper

How to Maintain HIPAA Compliant During Disaster Recovery

According to the HIPAA Security Rule, organizations classified as “covered entities” must establish and implement policies and procedures for responding to emergency events that could damage systems containing electronic protected health information. In simple terms, all covered entities are required to have a contingency plan.

It’s important to note that the same requirement for contingency planning applies to business associates, as noted in the 2013 HIPAA Omnibus Rule. In general, a business associate refers to an individual or organization that creates, receives, maintains or transmits protected health information.

In most circumstances, cloud services providers are business associates, making them equally liable for meeting the contingency plan requirements when handling ePHI on behalf of a customer that classified as a covered entity. Additionally, a CSP’s responsibility for meeting HIPAA requirements does not free your organization from its obligations to do the same.

There are numerous resources available that provide guidance for creating a contingency plan, including NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. A template is also available in Appendix G of NIST SP 800-66.

Disaster Recovery
Disaster Recovery Design & Planning
Cybersecurity

Complete the form below to view the content.

To contact Flexential, complete the form below:

Additional Resources

White Paper: How to Improve Business Resiliency with Disaster Recovery-as-a-Service (DRaaS)
Read More
Enhancing Application Reliability with Cloud Backup and DRaaS: 451 Research Business Impact Brief
Read More
Simplified Steps to Improve Cybersecurity
Read More