HIPAA TIP: Disaster Recovery Tabletop Exercises

When the subject of Disaster Recovery Plans is brought up with healthcare organizations’ management, most cringe. HIPAA requires organizations to create and implement contingency plans that enable the organization to continue operations, even in times of a disaster. As important as this is, HIPAA requires your business to be prepared for a disaster occurrence, whether natural/environmental or a cyberattack. Should your infrastructure be crippled by a disaster, this is NOT the time to start planning.

Once the Disaster Recovery / Business Contingency Plan is in place, testing the plan is key. This realistically prepares participants for a disaster and informs the organization of any weaknesses in the plan. The exercises can be a discussion-based session where team members meet in an informal setting to review their roles during an emergency, along with responses to a particular situation. Another exercise may include an “outage” for the main system or application the organization utilizes, such as the Electronic Medical Records (EMR) or Practice Management (PM) system, and steps to follow while this system or network is inaccessible.

Run Disaster Recovery exercises to identify potential weaknesses or barriers in the plan while in a controlled environment, address problem areas and use what you have learned to update the plan and any necessary or required documentation.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.