NIST Contingency Planning Guide in Works

Helps with HITECH and HIPAA compliance
Healthcare organizations developing or updating information technology contingency plans for responding to emergencies, such as natural disasters, soon can take advantage of new guidance from the National Institute of Standards and Technology.

Having an I.T. contingency plan is an essential component of HITECH Act compliance, an attorney with the federal agency that enforces the Act says. The HIPAA Security Rule, toughened under HITECH, mandates contingency plans.

"Having a Plan B is very important, particularly in this age when we've had a number of natural disasters," says David Holtzman, an attorney in the health information privacy division at the HHS Office for Civil Rights. He stresses that even the smallest physician's office should have a contingency plan in place.

Holtzman also notes that if an organization reports a data breach, OCR investigators may conduct a HIPAA compliance review, which would include an assessment of a contingency plan.

New guidance

In crafting a contingency plan, OCR recommends healthcare organizations consider using the new guidance from NIST.

In June, NIST plans to issue its first update of its "Contingency Planning Guide for Federal Information Systems," known as SP 800-34, Rev. 1, says Marianne Swanson, NIST's senior information security advisor.

Although designed for federal agencies, the updated version of the document that was originally prepared in 2002 provides guidance that's applicable to healthcare organizations now working on HIPAA Security Rule compliance, she says.

The updated version of the guide contains templates for dealing with high-, moderate- and low-impact emergencies.

Technical updates

"The technical considerations section has been updated to better reflect current trends and standards in common platforms," Swanson says. The updated guide, however, will not cover cloud computing issues.

Swanson and Holtzman made their comments May 12 in Washington, D.C., at the conference "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by OCR and NIST.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
