September 4, 2023 | By Accorian
HIPAA Disaster Recovery Plan

The healthcare industry faces an elevated risk of data breaches. In the first half of 2023 alone, healthcare data breaches impacted more than 39 million individuals. These breaches encompass not only deliberate attacks such as database hacks but also inadvertent incidents, such as emailing personal information to the wrong patient. Despite a company’s best efforts, data breaches can cause severe damage to both the affected individuals and the organization’s reputation. Healthcare organizations must therefore establish a HIPAA disaster recovery plan so that every necessary step is taken. Such a plan is integral to the HIPAA compliance process, and its aim is to mitigate, report, and manage a breach.

HIPAA Disaster Recovery Plan

The HIPAA Breach Notification Rule, introduced in 2009 through the HITECH Act, mandates that HIPAA-covered entities and their business associates notify all individuals affected by a breach.

Creating a disaster recovery plan is imperative for healthcare organizations. It ensures HIPAA compliance and maintains awareness of the correct measures to restore operations swiftly. However, it’s crucial to emphasize that adhering to the HIPAA Breach Notification Rule alone does not mitigate further damage or restore operations. The real solution addresses the underlying vulnerabilities and weaknesses that initially permitted the breach.

Components of HIPAA Disaster Recovery Plan

Below is an outline of what your HIPAA disaster recovery plan should include:

1. Establishing an Incident Response Team and Plan
Establish an incident response team and plan to identify, assess, and manage incidents and breaches. Ideally, the team should comprise compliance, operations, communications, IT, legal, and human resources professionals. Their collective effort should result in the creation of a comprehensive Incident Management Plan.

2. Defining What Constitutes a Breach
Define what qualifies as a breach so that breaches can be identified quickly and efficiently. The definition should also provide examples of potential violations specific to your organization, covering organization-specific devices, software, and activities.

3. Documenting the Breach (Ongoing Step)
Maintain an accurate record of all actions taken from the moment the breach was detected. This entails documenting the following key details:

  • How the breach was initially discovered.
  • The precise date and time the breach was discovered.
  • The time and date the DHHS breach reporting website form was completed, of any internet disconnection, and of any disabling of remote access, if applicable.
  • Any password or credential changes, along with when they were made.
  • A comprehensive account of all remediation steps taken in response to the breach.
  • Detailed documentation of actions taken between notification and resolution of the incident.

These records serve essential purposes, including supporting breach notifications, legal or insurance proceedings, and future plan enhancements.

It is also crucial to preserve the forensic evidence related to the breach. Preserving this evidence can aid investigators in identifying the breach’s source, providing valuable insights into preventing further damage and future attacks.

4. Identifying a Breach vs. an Incident
As defined broadly, a breach encompasses the unauthorized access, use, or disclosure of Protected Health Information (PHI). It is crucial to articulate this definition, as the Department of Health and Human Services (DHHS) expects covered entities and business associates to presume that any incident constitutes a breach initially. Subsequently, a risk assessment is conducted, potentially altering the initial assumption from a breach to an incident, which would not necessitate reporting to the DHHS secretary or individuals.

In cases where there is an impermissible use or disclosure of protected health information, the default presumption is that it qualifies as a breach unless the covered entity or business associate, as applicable, can demonstrate a low probability that the protected health information has been compromised. This determination hinges on a comprehensive risk assessment that considers at least the following key factors:

  • The type of PHI involved
  • The likelihood of identifying individuals from the breached PHI
  • Details regarding the unauthorized individual(s) who accessed, used, or disclosed the PHI, and to whom the PHI was disclosed (if applicable)
  • The extent of the breach’s success, specifically whether the PHI was actually accessed or disclosed

Providing your team with detailed strategies for conducting a proper risk assessment is essential. For instance, consider incorporating tools such as intrusion detection systems and security information and event management (SIEM) systems to support this process.

5. Containing the Breach
Once the breach is confirmed, your organization should promptly initiate the necessary steps to contain the incident. This typically entails isolating affected systems to prevent the breach from propagating and causing additional damage.

6. Notifying Appropriate Entities of the Breach
After successfully containing the breach, your organization must promptly inform the relevant parties, including the affected individuals, the Department of Health and Human Services (DHHS) Secretary, and the media if applicable. It is essential to define the responsible party for notifying these entities.

  • Notifying Affected Individuals

Covered entities must notify each affected individual within 60 days of discovering the breach, whether within the covered entity or with a business associate. This notification can be sent via first-class mail or email.

  • Notifying the Secretary

When a breach impacts 500 or more individuals, covered entities must inform the Secretary within 60 days of discovering the breach. For breaches affecting fewer than 500 individuals, covered entities can submit annual reports to the Secretary. This reporting to DHHS must be conducted through the online portal.

  • Notifying the Media

In cases where a breach affects 500 or more individuals, covered entities must notify media outlets serving the affected state or jurisdiction within 60 days of the breach.

The notification to individuals must include the following details:

  • Contact information for the covered entity
  • A comprehensive description of the breach
  • Explanation of the actions taken by the covered entity to investigate, mitigate, and prevent further breaches
  • Definition of the types of information compromised in the breach
  • Guidance on the steps that breach victims can take to protect themselves from potential harm

It’s essential to note that breach notification requirements also extend to business associates. If a breach occurs or is caused by a business associate, they must promptly notify the covered entity. The covered entity then assumes responsibility for executing the notification plan and collaborates with the business associate to ensure accurate reporting of the breach.

7. Mitigating the Breach
Mitigation and implementing your incident response plan are pivotal stages within the breach notification process. These actions encompass immediate steps such as removing malicious software, deactivating compromised user accounts, altering passwords, or addressing software vulnerabilities through patching. It’s crucial to emphasize that mitigation steps are not distinct from the post-notification process; they are, in fact, an integral part of the breach response. When communicating with affected individuals, it is imperative to provide comprehensive information about the measures to mitigate the breach and safeguard their information.

8. Reviewing and Improving Your Breach Recovery Plan
The insights gleaned from the breach response represent valuable learning opportunities. Utilize these insights in conjunction with a comprehensive examination of the incident and the incident response plan to enhance preparedness for potential future attacks and breaches.

The most effective HIPAA breach recovery plans are subject to regular practice and evaluation, facilitated through security awareness training for the entire workforce. This training should encompass instructions on identifying and reporting suspected breaches, simulation exercises, and tabletop drills. These measures aid your organization in maintaining compliance and readiness for potential breaches.

The incident response team should remain vigilant regarding changes in technology and regulatory requirements and update the Incident Response Plan and any pertinent policies, procedures, and workforce training materials as necessary. Conducting a thorough review of the plan at least once a year or following any significant changes is advisable.

Create a HIPAA Disaster Recovery Plan with Accorian

At Accorian, we specialize in providing comprehensive solutions tailored to assist healthcare organizations in navigating the intricate landscape of HIPAA regulations. Our extensive expertise and pragmatic approach position us as the ideal partner for organizations committed to achieving and upholding compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.

We offer more than just a checkbox approach to compliance. Our dedicated team will guide your organization through every facet of the process, from detecting and containing breaches to the seamless notification of the relevant entities and enhancing cybersecurity risk management strategies.

Don’t wait for a breach to expose your organization’s vulnerabilities. Take a proactive stance and ensure your healthcare organization’s compliance with HIPAA regulations with Accorian.

Secure your future by fortifying your data security today.
