Business Continuity Planning and HIPAA: Business Continuity Management in the Health Care Environment

This book examines business continuity planning as adapted to encompass the requirements of The Health Care Portability and Accountability Act of 1996, or HIPAA. We examine the typical business continuity planning model and highlight how the special requirements of HIPAA have shifted the emphasis. The layout of this book was designed to afford assistance, hints, and templates to the person charged with the task of implementing business continuity planning into a healthcare organization. You will notice that this book does not address Emergency Management (building evacuations and other immediate response procedures) because this is outside the scope of the HIPAA regulations. Upon reading and re-reading the HIPAA regulations and the "Comments and Responses" in the federal register, it becomes quite evident that the "Contingency Plan" (read Business Continuity Plan) requirements were written by those looking to protect health information data. That being said, many of the examples that I use in this book relate to information technology and disaster recovery (recovery of computer capabili-ties). What is also important, and that I try to emphasize throughout the book, is that recovering the com-puter systems of a health care organization will not necessarily get it operational again after a disaster; a multitude of other production components must be present in order to deliver services and products to customers/patients. Where appropriate, I have identified procedures and strategies that are unique to healthcare provider organizations. If not so indicated, it can be assumed that I am referring to healthcare organizations in general. The audience for whom I have designed this book are the people who are responsible for implementing a plan in a healthcare organization that comes under the scope of the HIPAA regulations. At first reading, the book may appear to be an exact template to be used to design a business continuity plan. What I hope that you will get out of the book (perhaps on a reread once you are into the planning project) is that this is a pencil outline on a canvas and that your insights and knowledge of your healthcare organization will add the color that will make it a masterpiece. What you will notice in this book is that we present an approach that is similar to traditional business continuity planning. This is done purposefully. The basic business continuity planning model looks to protect and/or recover all critical components of production. This model assumes an industry-specific nature not by changing the model itself, but by placing greater emphasis on the protection and recovery of those production resources that characterize that industry. In our view, "thinking outside the box" is only required if the box was ill-conceived in the first place. This book includes the special precautions and procedures that address the unique concerns of HIPAA, but it will present them along with the other business components in order to emphasis the need to take a holistic approach when constructing and maintaining a business continuity plan.