Disaster Recovery Plan Creates HIPAA Breach

May 18, 2015

While the irony of a disaster recovery program creating a disaster is amusing, the outcome is tragic for both the Indiana State Medical Association and the patients, physicians, and employees whose data was stolen. The big question is whether the written procedure contained in the disaster recovery plan specified that mobile devices containing PHI should be encrypted and the procedure was ignored, or perhaps even whether there was a written procedure.

Having a disaster recovery plan is a basic HIPAA requirement. Making sure that the plan protects PHI at all stages is also a requirement, as is training staff on procedures. The HIPAA compliance cycle should include a risk assessment performed to meet the NIST protocol, development of policies and procedures tailored to the organization's business model, training and awareness based on those policies and procedures, and documentation of all of these compliance activities.

Use of a SaaS toolset designed to manage this cycle, document the activities, and provide ongoing proof of compliance is the most cost-effective and efficient method. For under $200 per month, a medium-sized healthcare organization or business associate can get HIPAA compliant, stay compliant, and prove compliance with the Compliance Meter®. Check it out at www.compliancehelper.com
