The 5 crucial components of a HIPAA contingency plan

July 7, 2015

Of all the HIPAA rules and regulations, having a contingency plan is easily the most critical. In dentistry, we use various terms like data backup, disaster recovery and practice continuity, but they all mean the same thing: you need to have a solid backup of your critical practice data.

Of course, dental practices can and should have backup plans in place, for reasons that go well beyond HIPAA compliance: any practice that loses their critical practice data would most likely not recover from that, and a practice that doesn’t have a way to get up and running quickly from a disaster will also suffer tremendous losses to the bottom line.

However, we need to discuss the five components of a HIPAA contingency plan. For those of you who want a reference, it’s HIPAA Rule 164.308(a)(7).

1. Data backup plan. The actual wording from HIPAA is that you must “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” Hopefully, most of you already have this in place. The plan, though, should ensure that you are actually backing up all the ePHI (electronic Protected Health Information), that you have located the backup in a safe and secure place, and that you back up frequently enough for your environment, which basically means daily for dental offices.

2. Disaster recovery plan. It’s not enough to have a plan to back up the data; you actually need to prove that you can restore that data should there be a disaster such as fire, flood or theft. Also, HIPAA basically requires that the data be in more than one place, such as locally and offsite.

3. Emergency mode operation plan. If you are running off a backup, the need for HIPAA compliance is still very much intact. Is that data encrypted? Can you monitor who has access to the data? Do you have other security measures in place to protect the data?

4. Testing and revision procedures. Here’s the sticking point that I estimate 95 percent of dental offices aren’t doing: you MUST test the backups on a regular basis, and revise your existing contingency plan as needed.

5. Application and data criticality analysis. That’s a mouthful! Basically, it means figuring out which data needs to be restored first (practice management data, for example) and which can be restored later (existing images).

So, what’s the best way to back up your data? I recommend a two-pronged approach. First, an “image” of your server, which is a snapshot of the entire server: programs, settings, data, everything. The beauty of an image is that you can restore an entire server in a matter of minutes. I normally recommend putting this image on a Network Attached Storage (NAS) device, which allows for backups every 15 minutes and rapid recovery. Of course, having this image locally won’t help you if the office burns down, so you need to also have an offsite backup. A cloud backup is the easiest and most secure way to handle this.
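The testing requirement, the criticality analysis and the local-plus-offsite rule above are all things a script can check on a schedule. The following is an added example, not code from the article or from Dental Technology Consultants. It assumes a hypothetical layout in which the backup job records a manifest of every file with its SHA-256 hash, and in which the top-level folder name (pm_db, documents, images) marks the restore priority; all paths, folder names and sample files are constructed for the demonstration. It verifies that both copies are exact, reports problems most-critical-first, and flags a backup older than the daily window.

```python
"""Backup verification check for a small practice (added example, not the
article's own procedure).

Assumptions (not from the article): the backup job writes a manifest listing
each backed-up file with its SHA-256 hash, and we can read both the local copy
(e.g. a NAS share) and the offsite copy. Paths, tier names and sample files
below are constructed for this demonstration.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Criticality tiers: lower number restores first. Constructed to mirror the
# article's example (practice-management data before existing images).
TIERS = {"pm_db": 1, "documents": 2, "images": 3}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large image files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record every file under `source` with its hash and criticality tier.
    The tier comes from the top-level folder name (hypothetical layout)."""
    entries = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            tier = TIERS.get(rel.split("/", 1)[0], 99)
            entries[rel] = {"sha256": sha256_file(p), "tier": tier}
    return {"created": time.time(), "files": entries}


def verify_copy(manifest: dict, copy_root: Path) -> list:
    """Return (tier, path, problem) tuples for one backup copy, most critical first."""
    problems = []
    for rel, meta in manifest["files"].items():
        target = copy_root / rel
        if not target.exists():
            problems.append((meta["tier"], rel, "missing"))
        elif sha256_file(target) != meta["sha256"]:
            problems.append((meta["tier"], rel, "hash mismatch"))
    return sorted(problems)


def check_backups(manifest: dict, local_root: Path, offsite_root: Path,
                  max_age_s: int = 86400, now: float = None) -> dict:
    """Apply the article's checks: two locations, exact retrievable copies,
    and a backup no older than the allowed window (daily by default)."""
    now = time.time() if now is None else now
    report = {
        "local": verify_copy(manifest, local_root),
        "offsite": verify_copy(manifest, offsite_root),
        "stale": (now - manifest["created"]) > max_age_s,
    }
    report["ok"] = not report["local"] and not report["offsite"] and not report["stale"]
    return report


def demo() -> dict:
    """Build a constructed data set with two copies, then damage each copy in a
    way a real restore test should catch."""
    root = Path(tempfile.mkdtemp())
    src, local, offsite = root / "src", root / "nas", root / "cloud"
    files = {  # constructed sample content, not real patient data
        "pm_db/practice.db": b"constructed practice-management data",
        "documents/consent_001.pdf": b"constructed consent form",
        "images/pano_2015.jpg": b"constructed radiograph bytes",
    }
    for dest in (src, local, offsite):
        for rel, data in files.items():
            p = dest / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    manifest = build_manifest(src)
    (local / "pm_db/practice.db").unlink()                       # local copy lost the most critical file
    (offsite / "images/pano_2015.jpg").write_bytes(b"bit rot")   # offsite image silently corrupted
    return check_backups(manifest, local, offsite)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it daily against the real manifest and copies; any non-empty `local` or `offsite` list, or `stale` being true, is the signal that the contingency plan needs attention before a disaster forces the issue. Note that a hash check proves the copy is exact, but only an actual restore onto spare hardware proves the recovery time.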

Dental offices should always have a backup and disaster recovery plan in place, but thanks to HIPAA, it’s now the law! There’s no time like the present to reevaluate how you are backing up and protecting your patient data.


About the author

Dr. Lorne Lavine, founder and president of Dental Technology Consultants, has more than 30 years invested in the dental and dental technology fields. A graduate of USC, he earned his DMD from Boston University and completed his residency at the Eastman Dental Center in Rochester, N.Y. He received his specialty training at the University of Washington and went into private practice in Vermont until moving to California in 2002 to establish DTC, a company that focuses on the specialized technological needs of the dental community. Dr. Lavine has vast experience with dental technology systems. He is a CompTIA Certified A+ Computer Repair Technician, CompTIA Network+-certified and will soon be a Microsoft Certified Systems Administrator. As a consultant and integrator, he has extensive hands-on experience with most practice management software, image management software, digital cameras, intraoral cameras, computers, networks and digital radiography systems. He also writes for many well-known industry publications and lectures across the country. He was the regular technology columnist for Dental Economics Magazine, and his articles have appeared in Dentistry Today, Dental Economics, Dental Equipment and Materials, Dental Practice Report, New Dentist, Dental Angle Online and DentalTown magazine, where he is a moderator of 10 of their computer and software forums. He has lectured to the Yankee Dental Congress, American Academy of Periodontology, American Academy of Endodontics, the DentalTown Extravaganza and numerous state dental society and study club lectures. In addition, he is a member of the Speaking and Consulting Network. He is also the former technology consultant for the Indian Health Service.