ALL of these things and more are required BY LAW to be included in your contingency plan wherever you store your information.

Don't be blinded by "best practices".

This is just one of several guidelines directly taken from the National Institute of Standards and Technology (NIST SP 800-66 page F2) that we strictly abide by:

Standard 164.308(a)(7), Contingency Plan, requires covered entities to:Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure,and natural disaster) that damages systems that contain electronic protected health information.

Some guidelines included in our Contingency Plan include a:

1. Data Backup Plan (R) – 164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain

retrievable exact copies of electronic protected health information.

2. Disaster Recovery Plan (R) – 164.308(a)(7)(ii)(B): Establish (and implement as needed) procedures to restore any

loss of data.

3. Emergency Mode Operation Plan (R) – 164.308(a)(7)(ii)(C): Establish (and implement as needed) procedures to

enable continuation of critical business processes for protection of the security of electronic protected health

information while operating in emergency mode.

4. Testing and Revision Procedures (A) – 164.308(a)(7)(ii)(D): Implement procedures for periodic testing and

revision of contingency plans.

5. Applications and Data Criticality Analysis (A) – 164.308(a)(7)(ii)(E): Assess the relative criticality of specific

applications and data in support of other contingency plan components.