§164.308(a)(7)(ii)(E): Assess the relative criticality of specific applications and data in support of other contingency plan components.
Audit Inquiry
Does the entity have policies and procedures in place to assess the relative criticality of specific applications and data in support of other contingency plan components?
Does the entity assess the relative criticality of specific application and data in support of other contingency plan components?
Obtain and review documentation of critical ePHI applications and their assigned criticality levels. Evaluate and determine if application criticality levels were assessed and categorized based on importance to business needs or patient care, in order to prioritize for data backup, disaster recovery, and emergency operations plans.
Obtain and review documentation of the procedures regarding how ePHI applications (data applications that store, maintain or transmit ePHI) are identified. Evaluate and determine whether all critical ePHI applications are identified.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable
Addressable