Overview:
Implement procedures for periodic testing and revision of contingency plans.
Action Items:
1) Obtain and review policies and procedures related to periodic testing and revision of contingency plans. Elements to review may include but are not limited to: Methods used to test the plan (component, system, or comprehensive); Workforce members' roles and responsibilities in coordination of the test; How frequently tests will be conducted; How frequently contingency plans will be revised; Notification procedures.
2) Obtain and review documentation demonstrating the revision of contingency plans. Based on related procedures, evaluate and determine if the contingency plans have been approved, reviewed, and updated on a periodic basis.
3) Obtain and review documentation of contingency plan tests and related results. Evaluate and determine if the results of each contingency plan test indicate that tests have been conducted in a timely manner; involved the appropriate workforce members; has been documented; and, if necessary, that corrective actions were taken as result of the contingency plan test.
Related Documents:
1) Policies and procedures related to periodic testing and revision of contingency plans.
2) Documentation demonstrating the revision of contingency plans.
3) Documentation of contingency plan tests and related results.
Additional Guidance:
It is important to point out that this implementation specification applies to all implementation specifications under the Contingency Plan standard, including the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan.
Disaster recovery and emergency mode operations plans might be tested by using a scenario-based walkthru (to avoid daily operations impacts) or by performing complete live tests. The comprehensiveness and sophistication of the testing and revision procedures depends on the complexity of the covered entity’s organization and other factors such as size and costs. It is expected that the frequency and comprehensiveness of the procedures will vary among covered entities.
Sample questions for covered entities to consider:
- Are the processes for restoring data from backuDo those responsible for performing contingency planning tasks understand their responsibilities?
- Have those responsible actually performed a test of the procedures?
- Have the results of each test been documented and any problems with the test reviewed and corrected?
Article ID: 458
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-testing-and-revision-procedures-164-308-a-7-ii-d-458.html