Understanding HIPAA's Role in Business Continuity, Disaster Recovery

by Michael Ruano, CHS

Part eight in a 10-part series.

This article is the eighth of a 10-part series that introduces the domains of information security and relates them to federal HIPAA regulations. The information security domain of business continuity and disaster recovery includes topics that cover the plans required to continue in an emergency and those required to recover from an emergency. These topics provide a portion of the framework for securing the computer infrastructure required by business.

While HIPAA protects only individual healthcare information, the broad tenets of information security can be effectively used for HIPAA remediation. The concepts covered by business continuity and disaster recovery are also reflected in the HIPAA regulations when they state, “a covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities…assess the relative criticality of specific applications and data…establish procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode [and] to restore any loss of data.” This is impossible without a thorough understanding of business continuity and disaster recovery planning.

Business Continuity Planning

Business continuity plans are intended to prevent interruptions to normal business processes caused by either natural or man-made disasters. There are four important steps in the process of developing this type of plan:

  • scope definition
  • business impact assessment
  • plan development
  • implementation

In the scope definition phase, the operations of the organization are reviewed and the detailed work to be accomplished is documented. This portion of the plan bases the deliverables on what resources and processes within the organization are to be considered for protection and what resources are available to do the protecting.

In the business impact assessment, the resources described in the scope definition are prioritized based on their criticality to the business and the length of time they can remain unavailable. This information is compared against an evaluation of the vulnerabilities of these same resources. The result is a prioritized list of critical resources with an adjoining list of their individual vulnerabilities to be addressed. This list needs to be reviewed and approved by senior management.

Plan development starts with a strategy that guides how the organization's limited resources are used to protect the agreed-upon critical assets. The actual plan is then created from this strategy, the critical asset list, and the assets' vulnerabilities.

The implementation starts with a final review and once again an approval, this time for the entire plan. The entire organization then needs to be made aware of the plan and any role they may be required to play. All measures called for by the plan must be put into place. Finally, the plan must be reviewed routinely and modified as needed to reflect the current organization and its needs.

Disaster Recovery Planning

Disaster recovery plans are intended to be the documented and approved procedures to respond to an emergency that has the capability to disrupt normal business activities. This process requires the same steps of developing a prioritized list of critical assets and their vulnerabilities. What remains to be accomplished are two other steps not covered in business continuity planning:

  • technology infrastructure restoration planning
  • disaster recovery plan maintenance

The technology infrastructure restoration plan has three main facets that include location plans, equipment plans, and information plans. Within each of these plans there must be provisions to account for replacement, restoration, and redundancy. The computing location can have a completely redundant site (hot site) that can take over operations when needed.

Another option is a relatively unprepared secondary site (cold site) to be used while the primary site is being restored. These same issues apply to the critical equipment and information required to run the organization and must be covered in the plan.

As with business continuity plan maintenance, the entire organization then needs to be made aware of the disaster recovery plan and any role that staff may be required to play. The disaster plan must be reviewed routinely for the same reasons as the business continuity plan.

The information security domain of business continuity and disaster recovery covers much more than is discussed in this article. An understanding of business continuity and disaster recovery plans is required to comply with the HIPAA regulations. By understanding these information security domains and their concepts, an information security program can be followed that will protect patients, their information, and the healthcare organization.

Michael Ruano, CHS, is the information security officer for Rockford Health System in Rockford, IL. He can be reached at (815) 971-6849 or via e-mail at ruano@rhsnet.org.

Article citation:
Ruano, Michael. "Understanding HIPAA’s Role in Business Continuity, Disaster Recovery." In Confidence 11:10 (October 2003), p.3.