NIST Contingency Planning Guide in Works
Helps with HITECH and HIPAA compliance
Having an I.T. contingency plan is an essential component of HITECH Act compliance, an attorney with the federal agency that enforces the Act says. The HIPAA Security Rule, toughened under HITECH, mandates contingency plans as one of its administrative safeguards (the contingency plan standard at 45 CFR 164.308(a)(7), which calls for data backup, disaster recovery and emergency mode operation plans).
"Having a Plan B is very important, particularly in this age when we've had a number of natural disasters," says David Holtzman, an attorney in the health information privacy division at the HHS Office for Civil Rights. He stresses that even the smallest physician's office should have a contingency plan in place.
Holtzman also notes that if an organization reports a data breach, OCR investigators may conduct a HIPAA compliance review, which would include an assessment of a contingency plan.
New guidance
In crafting a contingency plan, OCR recommends healthcare organizations consider using the new guidance from NIST.
In June, NIST plans to issue its first update of its "Contingency Planning Guide for Federal Information Systems," known as SP 800-34, Rev. 1, says Marianne Swanson, NIST's senior information security advisor.
Although designed for federal agencies, the updated version of the document, originally published in 2002, provides guidance that's applicable to healthcare organizations now working on HIPAA Security Rule compliance, she says.
The updated guide contains information system contingency plan templates for systems categorized as low-, moderate- or high-impact, so an organization can start from the template that matches the impact level of the system being protected rather than from a blank page.
Technical updates
"The technical considerations section has been updated to better reflect current trends and standards in common platforms," Swanson says. The updated guide, however, will not cover cloud computing issues.
Swanson and Holtzman made their comments May 12 in Washington, D.C., at the conference: "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by OCR and NIST.