Health Insurance Portability and Accountability Act (HIPAA) (1996)
Applies to the US health delivery and insurance industries
HIPAA was passed to ensure that individuals can move between health insurance providers without their health information becoming unavailable, being lost, or losing its integrity. To conform to the Act, organizations must have a contingency plan in place. This regulatory requirement is mandatory.
HIPAA Security Rule, 45 CFR 164.308(a)(7)(i)
Applies to the US health delivery and insurance industries
This Rule identifies Contingency Planning as a standard under the Administrative Safeguards. HIPAA contingency plans address the "availability" security principle, which covers threats related to business disruption, so that authorized individuals have access to vital systems and information when required. A data backup plan, a disaster recovery plan, and an emergency mode operation plan are required implementation specifications under this standard.
Health Information Technology for Economic and Clinical Health Act (HITECH) (2009)
Applies to covered entities, business associates, vendors of personal health records (PHR) and related entities
Signed into law on February 17, 2009, this Act extends various HIPAA security and privacy requirements and lays the groundwork for increased enforcement. In a push to increase the use of electronic health records, the Act addresses breach notification requirements, protected health information (PHI) access rights and disclosure restrictions, and penalties and enforcement related to data breach events. Most importantly, the HITECH Act requires a covered entity to notify each affected individual once the covered entity discovers, or reasonably believes, that there has been a breach of PHI. Notice must be provided to individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. The notification period is calculated from the date the breach is first discovered, not from the date the covered entity completes its investigation of a possible breach.
Joint Commission: Environment of Care Standards (2005)
Applies to healthcare delivery organizations
The Joint Commission sets standards for healthcare organizations and accredits organizations that meet them. The standards require every hospital to have an emergency management program so that patient care can continue effectively in the event of a disaster. This regulatory requirement is mandatory.
Joint Commission IM.2.30 (2008)
Applies to health care delivery organizations
The Joint Commission's Standard IM.2.30 aims to ensure that continuity of information is maintained in hospitals. The standard mandates that a business continuity/disaster recovery plan be developed and maintained that identifies the most critical information needs for patient care, treatment, and services, and the impact if the supporting systems were unavailable. The plan should also identify alternative means of processing and of recovering data.
Homeland Defense's Pandemic Preparedness Handbook (2007)
Applies to corporate and governmental emergency response and public health planners
This handbook was prepared primarily to assist those working in the public health sector, especially those involved in pandemic preparedness planning, in ensuring that appropriate measures are taken to prepare for and combat potential pandemics. This handbook is voluntary.
FDA 21 CFR Part 11 (1999)
Applies to the life sciences and pharmaceutical industry
These FDA regulations set out the criteria under which electronic records are accepted as trustworthy and reliable, require that changes to systems be made through documented, validated, and authorized change processes, and require that key systems and their records be protected (for example through backup power and backup copies of software and data) so that records remain accurately and readily retrievable. This regulatory requirement is mandatory.