Have you thought much about business continuity? What is your business continuity plan? HIPAA Citation 164.310(a)(2)(i) focuses on contingency operations. Below is a sample policy that you may want to document for your practice. It focuses on what you are going to do to continue to see patients during a disaster or a major hack on your business.
What is your Business Continuity Plan?
<PRACTICE NAME> allows access to its facility/facilities to restore lost data as outlined in its Disaster Recovery and Emergency Mode Operations plans. Specifically, <PRACTICE NAME> has established procedures for the following categories of
- People—the designated public spokesperson in time of crisis;
- Physical Infrastructure—what processes take place in the event of an emergency, e.g., power outage, broken water main, gas leak, etc.;
- Electronic Infrastructure—the individual responsible for protecting <PRACTICE NAME> information assets; and
- Third-party relations—requirements for <PRACTICE NAME> partners and/or vendors in the event of a disaster.
People—The IT manager, <PRACTICE NAME> Administrator/Designated Security Contact, or practitioner in charge acts as liaison with the public, police, fire and other local authorities of <PRACTICE NAME>.
Physical Infrastructure—In the event of interruption of utilities to any of <PRACTICE NAME> facilities, the Manager or <PRACTICE NAME> Administrator immediately notifies the local provider and closes the facility. Patients are escorted from the affected premises, and the facility remains closed until the service interruption is corrected.
Electronic Infrastructure—The IT resource or <PRACTICE NAME> Administrator/Designated Security Contact is responsible for protecting <PRACTICE NAME> ePHI and for providing the manager or practitioner in charge with regular reports of backup and recovery procedures and tests of the security system.
Third-party relations—<PRACTICE NAME> requires all vendors of hardware and software systems and programs to respond promptly to internal or external disasters and to have adequate contingency plans in place.