33% of Hospitals Do Not Have HIPAA-Compliant EHR Contingency Plans

by | Jul 27, 2016

In a recent report released by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have sufficient HIPAA-compliant EHR contingency plans in place, although the majority are “largely addressing” HIPAA requirements for EHRs.

In September 2014, OIG issued a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to discover whether HIPAA-compliant EHR contingency plans had been developed and put in place. Respondents were also asked about the extent to which EHR systems had been affected previously. In addition to the survey, six hospitals were also chosen for in-depth reviews involving site visits, interviews with hospital staff, documentation checks, and checks of EHR contingency plans.

The aim of the study was to look into the state of hospitals’ EHR contingency planning and to find whether patient health information could still be accessed during natural disasters and other emergency situations where EHR system downtime happens. In light of the recent ransomware cyber attacks on hospitals, the results of the survey are most relevant.   

HIPAA-Compliant EHR Contingency Plans

The Security Rule of the Health Insurance Portability and Accountability Act requires covered bodies to put in place safeguards to ensure the confidentiality, integrity, and availability of electronic protected health data.

All hospitals (and other HIPAA-covered entities) must have a contingency plan established for responding to disruptions to electronic health record systems whether they are cyberattacks, natural disasters, power failures, hardware malfunctions, or Internet connectivity issues.

The HIPAA Security Rule states that five separate areas must be addressed in policies and procedures. A data backup plan must be in place to ensure that PHI can be recovered in the event of disaster. A disaster recovery plan must exist developed to ensure that PHI can be recovered. Covered bodies are required to have an emergency mode operations plan which can be put in action to ensure that critical business processes can persist during emergencies. Testing and revising of these contingency plans must also be addressed, and an applications and criticality review should be conducted. Fully HIPAA-compliant EHR contingency plans must address all five of these areas.

The Office of the National Coordinator for Health Information Technology (ONC) and the National Institute for Standards and Technology (NIST) have released advice on contingency planning for data systems to assist covered bodies.

OIG assessed hospitals on four out of the five areas outlined in the HIPAA regulations and found that most of hospitals had addressed three out of the four HIPAA requirements. Most had a data backup plan and were in a position to recover data in the event of an emergency. Most had a disaster recovery plan and also an emergency mode operations plan in place. However, only 73% of the hospitals reviewed had addressed testing and revision in their EHR contingency plans. In the OIG report, just 68% of hospitals had addressed all four requirements of HIPAA. Therefore, almost a 33% of hospitals did not have fully HIPAA-compliant EHR contingency plans.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy