HIPAA requirements seem to state that a disaster recovery plan is a required implementation, defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.

What about if the application in question is non-mission-critical, uses a copy of the system of record and not the original, and, if it becomes unavailable, will not affect the core services of a healthcare entity? In other words, is HIPAA saying that if I have a healthcare business and I create a small application to improve an internal business process that uses an extract of my core ePHI database, I must provide a DR plan and make that tiny application fully recoverable at great expense?

1 Answer

First, I am not a lawyer, and this is not legal advice. Seek a qualified lawyer's advice before implementing any solution.

The intent of the availability rule is to make sure your patients always have the best possible chance for full access to your services. So if this is truly not "mission critical", it wouldn't be patient-specific. If that's the case, I would work hard to de-identify the data so that it's no longer covered by HIPAA rules. Then it becomes a non-issue.

If this is a patient-specific process, then it's a service you are bound to provide, and I think it falls under the rule.

The problem is even if this tool is "just an optimizer", your patients may become dependent upon your improved processes and response times. That extends to response times for adjudication and billing activities, too. You might get away with it if you publish an SLA that encompasses your slowest possible response times. So if the optimized function normally runs in one second, and your unoptimized function runs in ten seconds, publish an SLA of 15 seconds, which would cover both.

John Deters