“Once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return.” – Leonardo da Vinci
Even though Leonardo never got to experience the magic that is soaring among the clouds, he’s not wrong. Many people enjoy the experience of flying and seek to recreate it by building their very own aircraft. With all of the technology and resources available today, it’s more doable than you think.
When you build an airplane, there will be certain engineering, design, and construction standards that you need to follow. There are those elements required for every sort of aircraft: you must have essential parts (think wings, an engine, landing gear), submit plans to the Federal Aviation Administration to approve your airworthiness, and follow the Major Portion Rule. However, much of how you build an aircraft is up to you. You get to choose the kinds of materials you use to build your plane, the different features you want it to have, the timeline in which you’ll build.
In this sense, creating a contingency plan that keeps your business HIPAA- and HITECH-compliant is similar to how you go about building your own airplane.
HIPAA and HITECH are both laws put in place to protect sensitive patient data. Essentially, HIPAA lays the basis for privacy and security of health-related information, while HITECH enforces HIPAA in terms of electronic health records.
Both HIPAA and HITECH regulations require that you have a business continuity (or contingency) plan in place for when disaster, natural or man-made, strikes. Certain specifications for a contingency plan are required, and others are addressable.
If a specification is required, it means that a business must have that specification implemented as a part of their plan with absolutely no exceptions.
If a specification is addressable, it means that it must either be implemented, a substitute for it must be implemented, or a compelling reason is documented as to why a business elected not to implement it.
So, what kinds of specifications are there? Being aware of some of the most common required and addressable elements is the first step in creating an actionable plan for regulatory compliance:
Risk Assessment – REQUIRED
In order to be compliant, you must conduct a thorough assessment of potential vulnerabilities and how critical they are.
Testing and Revision Procedures – ADDRESSABLE
The idea behind this specification is to make sure that plans are in place to periodically test and revisit your contingency plan, test for new risks, and revise documentation if necessary.
Data Backup Plan – REQUIRED
Maintaining regulatory compliance means having a plan in place to retrieve exact copies of protected health information in the event of a disaster (large or small). This plan must be documented and updated whenever something affecting it changes – new software, a new server, a new regulation, etc.
Applications and Data Criticality Analysis – ADDRESSABLE
The purpose of this analysis is to determine the data and software applications that are most important to your business operations. This will help your company determine which applications and data to restore first in the event of a catastrophe.
Disaster Recovery Plan – REQUIRED
In the case of a catastrophe, HIPAA and HITECH compliance regulations require your business to have a plan in place in order to restore any lost data, applications, and system functionality. This kind of plan should be designed to get your business back up and running quickly and encompasses the resources, actions, and materials required to do that.
These are only a handful of required and addressable elements that make up a compliant business continuity plan. There are many more. And with HIPAA and HITECH regulations consistently in flux, new regulations frequently arise.
The best way to ensure that your business is up to par on regulatory compliance specifications is to enlist the help of a professional compliance consultant. We’re happy to be that expert. Even if you choose to go with a different service provider, we cannot stress enough the importance of making sure your business is compliant. Violation fines can range from $100 to $1.5 million per violation, and the reputation damage from receiving one (let alone many) has the potential to ruin your business.
Thus, regulatory compliance is not something to brush off. To avoid future headaches, start getting your contingency plan in place today.