This article describes the HIPAA contingency planning and security incident response requirements. The relevant subsections of the HIPAA law are §164.308(a)(6) and §164.308(a)(7).

HIPAA contingency planning is a term used broadly to cover security incident response procedures and contingency planning for emergency situations that may compromise protected health information. HIPAA contingency planning is one of the administrative safeguards that a covered entity must employ. The audit requirements for HIPAA contingency planning are covered in a separate post.

HIPAA Security Incident Procedures

“Implement policies and procedures to address security incidents.” [§164.308(a)(6)]

A covered entity is required to be able to identify, mitigate and respond to security incidents in a timely and reasonable fashion. The procedure for responding to security incidents should be formally documented, and each incident response event should also be fully documented, including the corrective action taken and the outcome of the incident.

This implementation specification is required.

HIPAA Contingency Planning

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” [§164.308(a)(7)]

A covered entity must implement contingency plans to ensure that electronic protected health information is kept secure (but remains available to those with appropriate authorization) even in the event of an emergency. Such an emergency can be any event that disrupts the normal operational state of the organization, such as power outages, fires, floods, etc. Five main areas of contingency planning, listed below, must be addressed in order to be HIPAA compliant.

Data Backup Plan

A covered entity must have established procedures for creating and maintaining backups of any electronic protected health information. These backups must be exact copies, and must be retrievable at any time, but they also must be kept secure from unauthorized access.

This implementation specification is required.

Disaster Recovery Plan

There must be an established and implemented procedure for restoring lost data in the event of a disaster recovery scenario. This goes hand-in-hand with the previous requirement for data backup planning. When a disaster event has passed, the covered entity must possess the ability for an authorized user to retrieve and restore an exact backup of all electronic protected health information.

This implementation specification is required.

Emergency Mode Operation Plan

In addition to backup and recovery procedures, a covered entity must also establish and implement procedures that allow critical operations that secure electronic protected health information to continue during emergency conditions. Examples of such procedures could include providing backup power to facilities that house protected health information, or maintaining a secondary offsite facility that provides redundant storage and processes.

This implementation specification is required.

Testing and Revision Procedures

Contingency plans must be periodically tested and revised based on changing conditions and requirements. A covered entity must have a procedure for testing contingency plans that cover the security and availability of electronic protected health information.

This implementation specification is addressable, so if it is not applicable or reasonable for the entity to implement, there must be formal documentation explaining why, and what (if any) related controls are implemented instead.

Applications and Data Criticality Analysis

A covered entity’s contingency plans and actions should be prioritized based on the relative importance of the processes and data that they cover. For instance, high-priority planning for the availability of electronic protected health information would include the use of backup power to ensure that systems remain online in the case of electrical problems at a facility. The covered entity should assess and document which plans and actions are the most important and highest priorities when dealing with a disaster situation.

This implementation specification is addressable, so if it is not applicable or reasonable for the entity to implement, there must be formal documentation explaining why, and what (if any) related controls are implemented instead.

Changes in the 2013 HIPAA Update

No changes to the HIPAA contingency planning requirements were included in the 2013 HIPAA Omnibus Rule. However, as described in this article, business associates of covered entities are also liable for complying with the Security Rule. Therefore, these requirements also apply to business associates.


Incident response and contingency planning are important practices when managing protected health information. The ability to respond to and mitigate security events can help contain the damage in the case of a breach, while contingency planning ensures that unexpected events such as natural disasters only have minimal impact on the availability of data to those who are authorized to use it.


This article has been cross-posted from the Gemini Security Solutions website.