Contingency Planning, as defined by BusinessDictionary, is an activity undertaken to ensure that proper and immediate follow-up steps will be taken by management and employees in an emergency. Its major objectives are to ensure (1) containment of damage or injury to, or loss of, personnel and property, and (2) continuity of the key operations of the organization.

Nobody is perfect, even dentists! If you ever forgot your laptop holding electronic protected health information (ePHI) at a coffee shop, you’d immediately realize why the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires dentists to have a proper contingency plan. Whether it’s a human error by you or an employee, a hacker ransoming your files, or your office collapsing from a tornado – you are required to have a plan to constantly protect and immediately recover your exposed ePHI following disruptive events. 

Planning and risk assessment is important for all parts of life, but when it comes to contingency planning for dentists, it’s the law. Dentists are required to create a business contingency plan that includes a data backup plan, disaster recovery plan, and emergency mode operation plan. 

So how do you implement a contingency plan that meets HIPAA requirements? Read on!

Contingency Plans Required for HIPAA Compliance

Data Backup Plan

As a dentist, you are required to create and implement a plan that ensures your ePHI is always retrievable, no matter what happens to your practice. If a disastrous event occurs, you should be confident in your practice’s ability to restore your critical files. This means all data, all health information, x-ray images, electronic medical records (EMRs), accounting information, and other important documents must be regularly backed up.

Without a backup, it may be impossible for you to recover your data. A data backup plan also protects you from ransomware attacks that would otherwise bind your business by encrypting your ePHI. With a data backup plan, if your data is ever compromised by a cyberattacker, you can simply restore everything to its previous uninfected state. Since ransomware can also affect backup copies of ePHI as well as delete Windows Shadow Copies, one copy of ePHI should be stored on a device that isn’t connected to your network or Internet.

The best practice is the “3-2-1 backup method”, where you create three copies of any data that needs to be protected. For risk management, spread those three copies across at least two onsite devices and one copy stored securely offsite. For most dentists, this means you keep the original data on your computer, a backup on an external hard drive or network-attached storage (NAS), and another on a cloud backup service.

Cloud syncing like Dropbox and Google Drive are not backups. They’re fantastic for syncing files across devices, but lack the security you need that only comes with an end-to-end encrypted cloud backup service like Central Data Storage. In 2017, a HIMSS Analytics survey of healthcare IT decision-makers showed 84% consider the cloud to be a viable platform for data backup and disaster recovery. 

Dentists are embracing the cloud because of its flexibility, scalability, and reliability. Even if your laptop is stolen, your hard drive breaks, Internet crashes, or a natural disaster strikes, with the 3-2-1 backup method, you can create a plan that safeguards your practice from data loss and complies with HIPAA requirements.

Disaster Recovery Plan

Dentists are HIPAA-covered entities, meaning as a dentist you’re required to institute and execute a disaster recovery plan (DRP) for restoring any lost data following an unexpected event. If and when you face a data dilemma, whether it’s a natural disaster that wipes out your office or a ransomware attack brought on by a phishing email, you need a reviewed and tested procedure for restoring access to your data while ensuring patient confidentiality.

When creating your disaster recovery plan, you will need to decide:

1. How your data should be recovered from backups. Your plan should be a collaborative effort within your practice and should be understood by your entire staff. 
2. Which machines you will back up and which data is essential for your business to function. 
3. Who will oversee both primary data storage and backup, who will be handling these responsibilities daily, and a trusted third-party who also knows your system restore process.
4. Which data disasters are most likely to affect your practice, which will do the most harm, and if something were to happen, how long you can be without your critical systems. 

Your DRP should back up and restore your essential data in a timeframe that meets your recovery time objective. In addition to utilizing a cloud backup service, make sure you keep multiple copies of backup media onsite for additional redundancy. Remember to test your backups regularly and make sure data can be restored quickly and accurately.

Check out our Disaster Recovery Planning Checklist. This free checklist walks you through the proper steps to backup and recover your data. With the help of this checklist, you can develop a custom backup and recovery plan that ensures a potential data dilemma will never halt your practice.

Emergency Mode Operation Plan

When disaster strikes, how will you react? It’s often not the impending emergency that causes the most panic in your practice, but rather not knowing how to confidently handle the incident. Emergencies come in many forms. Sure, a doomsday situation would be considered an emergency, but when it comes to protecting ePHI and complying with HIPAA, so would something as common as a power outage or server malfunction.

Dentists are required to institute an emergency mode operation plan that guarantees constant data availability. Your plan should allow your practice to continue to operate despite events like an office fire and subsequent water damage, vandalism, stolen devices, natural disasters, or system failures. Just like a DRP, an emergency mode operation plan includes a budget and testing schedule to ensure lasting effectiveness.

To comply with HIPAA, your practice must have procedures that guarantee your administrative, technical and physical defenses remain fully functional in the event of an emergency. These processes must allow for constant access to your data while maintaining strict security standards throughout your disaster recovery. To help focus your resources, and to best continue operation during a data crisis, identify and prioritize your most critical systems and structure your emergency mode operation plan to start with what’s most important.

While all dentists are required to establish sufficient measures to maintain important business procedures and recover data in a reasonable timeframe, there are multiple ways to accomplish this:

• You could establish an offsite location to continue your data managing functions.
• You could mirror your data to a remote datacenter.
• You could have an arrangement with a supplier that would immediately provide the necessary equipment.
• You could purchase an uninterruptible power supply or backup generator.

Keep in mind; if your dental office loses power for an extended period of time, it should be considered an emergency that requires the implementation of your emergency mode operation plan. Therefore, it’s important that your plan emphasizes restoring electricity for continuous operations and protecting ePHI. 

Dental offices should always have a contingency plan in place containing data backup, disaster recovery, and emergency mode operation plans. Thanks to HIPAA, it’s not only a good idea, now it’s the law! Now is the time to rethink how you are protecting your patient data and ensuring business continuity. 

Want to learn more about contingency planning, HIPAA compliance, or secure cloud backup and recovery? We’d love to hear from you!