§164.308(a)(7)(i): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Audit Inquiry

Does the entity have policies and procedures in place that include a formal contingency plan for responding to an emergency or other occurrences that damage systems that contain ePHI?

Does the entity have a contingency plan for responding to an emergency or other occurrences that damage systems that contain ePHI?

Obtain and review policies and procedures related to a formal contingency plan.

Elements to review may include but are not limited to:
• Identification of workforce members’ roles and responsibilities in the contingency process
• Workforce members or roles to which the contingency policies and procedures are to be disseminated
• Management involvement in contingency plans
• Coordination of contingency processes among business associates
• Identification of what steps should be taken in a contingency plan
• The frequency to review and update current contingency policies and procedures
• How frequently the contingency plan is tested

Obtain and review documentation demonstrating that a contingency plan is implemented. Evaluate and determine that the response to an emergency or other occurrence that damages systems that contain ePHI includes appropriate capabilities to recover access to ePHI.

Required/Addressable

Required