Is BCDR mandatory for any organization in the medical field? The short answer is YES, it's a MUST. This includes doctors, dentists and other covered entities (such as testing labs), and their business associates (third parties that handle patient information on a provider's behalf). Why is this so important? It's because of HIPAA. For those who don't know, HIPAA is the Health Insurance Portability and Accountability Act of 1996. For many in the medical industry in the United States, HIPAA is the gold standard for personal privacy law. It protects people like you and me from having our medical histories, what the law calls "protected health information" (PHI), out on the street for all to see.

For the most part, even very small healthcare providers are VERY much aware that they must not allow unsecured access to their patients' personal information. My wife worked for a doctor, and that person was terminated from their job just because they looked at their own medical records without consent. That's how tough this law is and how seriously it's enforced. This law also carries substantial fines if protected health information is not handled in a secure way.

So how does this affect BCDR? Every regulatory law takes time to mature to the point where its impact on information technology is firmly established, and HIPAA is no different. The law was enacted in 1996, but it took almost seven years for the security rules for electronic information to be finalized. In February 2003, the federal government published the final set of rules governing security standards for electronic protected health information (ePHI), the "HIPAA Security Final Rule". These rules cover many areas in which protected health information is to be handled, BCDR being one of them. They describe how the medical industry MUST protect the confidentiality, integrity and availability of ePHI. For the rest of this article, I will talk about how HIPAA impacts BCDR for organizations (small or large) that handle protected health information electronically.

The BCDR Impact

At the heart of these standards is what HIPAA calls the "Contingency Plan" (45 CFR § 164.308(a)(7)). In simple terms, as outlined in this blog, it is the business continuity and disaster recovery plan; HIPAA just uses different terminology. The contingency plan is enabled by a set of rules in the HIPAA Security Rule: 45 CFR §§ 164.308, 164.310 and 164.312. In addition, some of these rules were expanded, and the penalties for violating them raised, by the Health Information Technology for Economic and Clinical Health Act ("HITECH") of February 2009, signed into law by President Barack Obama.

Three areas of the HIPAA Security Final Rule bear on BCDR: the Administrative, Physical and Technical Safeguards. These three sets of rules determine how ePHI is to be handled in the event of ordinary data corruption, systems failure, local disasters (fire and theft) and catastrophic disasters like hurricanes, floods, tornadoes, earthquakes or regional wildfires. They further describe how the data should be handled in flight (moving from place to place) and at rest (on disk). We will now discuss what they are and later what they mean to you as a medical business.

Administrative Safeguards

45 CFR § 164.308 governs administrative safeguards. These safeguards focus on internal organization, policies, procedures, and maintenance of the security measures that protect patient health information. The following table outlines what is required for administrative safeguards; all of the BCDR-relevant implementation specifications sit under the Contingency Plan standard, § 164.308(a)(7).

PLEASE NOTE: The table shows what is absolutely mandatory (a "required" implementation specification in the Rule's own terms) and what has to be addressed as part of your plan (an "addressable" specification). Addressable does not mean optional: you must assess whether the measure is reasonable and appropriate for your environment and either implement it, or document why not and implement an equivalent alternative. Keep in mind that just because an item is not marked as mandatory doesn't mean you should skip it. These processes build the procedures that fulfill the mandatory regulatory requirements.

Administrative Safeguards | What is Needed | Mandatory?
Disaster Recovery Plan (remote recovery), § 164.308(a)(7)(ii)(B) | Procedures to restore any loss of data; in practice, how critical systems are to be restored in the event of natural disasters and catastrophic events. | Yes (required)
Data Backup Plan, § 164.308(a)(7)(ii)(A) | Procedures to create and maintain retrievable exact copies of ePHI, so that the business data needed to restart processes and operations can be restored after an assortment of events. The plan sets the backup schedule; the Rule specifies no frequency, but for an active practice multiple times per day is a reasonable target. | Yes (required)
Emergency Mode Operation Plan (business continuity plan), § 164.308(a)(7)(ii)(C) | Procedures to keep critical business processes running, and ePHI protected, while operating in emergency mode, for example after a fire, vandalism or an IT systems failure. | Yes (required)
Testing and Revision Procedures, § 164.308(a)(7)(ii)(D) | Periodic testing of the BCDR plan, whether data protection, local restoration of IT systems or recovery of IT systems at a remote location, and revision of the plan based on the results so that it will execute successfully when needed. | Needs to be addressed (addressable)
Applications and Data Criticality Analysis, § 164.308(a)(7)(ii)(E) | A business impact analysis: rank applications and data by how critical they are to patient care and operations, so the other contingency plan components prioritize the right systems. | Needs to be addressed (addressable)

Physical Safeguards

45 CFR § 164.310 governs physical safeguards. Physical safeguards are the physical measures, policies and procedures that protect a covered entity's electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and unauthorized intrusion. Both BCDR-relevant specifications fall under the Facility Access Controls standard, § 164.310(a)(1).

Physical Safeguards | What is Needed | Mandatory?
Contingency Operations, § 164.310(a)(2)(i) | Procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operation plan; in practice, how staff get access to restored data locally or at a remote location during a continuity event. | Needs to be addressed (addressable)
Access Control and Validation Procedures, § 164.310(a)(2)(iii) | Procedures to control and validate a person's access to facilities based on their role, so that only the right people get access to data during a continuity event and during recovery testing and revision. | Needs to be addressed (addressable)

Technical Safeguards

45 CFR § 164.312 governs technical safeguards. Technical safeguards are the technology, and the policies and procedures for its use, that control how applications and people interact with ePHI.

Technical Safeguards | What is Needed | Mandatory?
Encryption, § 164.312(a)(2)(iv) (at rest) and § 164.312(e)(2)(ii) (in transit) | ePHI MUST be encrypted in flight and at rest. | Addressable in the Security Rule, but effectively mandatory: under HITECH Act Section 13402(h), ePHI that is not encrypted (or destroyed) is "unsecured", and its loss or exposure is a reportable breach.
Emergency Access Procedure, § 164.312(a)(2)(ii) | Procedures for obtaining necessary ePHI during an emergency; in practice, some type of offsite recovery that lets users get access to the data in the event of a disaster. | Yes (required)

What Happens for Non-Compliance?

The fines for not complying with these standards can be quite hefty and can potentially ruin a small medical business. HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR determines the fines against an individual or organization that fails to comply with the HIPAA Security Rule, whether unknowingly, with reasonable cause, or through willful neglect. OCR looks at the nature of the violation and the harm to the people whose information was involved, and sets the penalty within the tiers below. The figures are the statutory base amounts set by HITECH; HHS adjusts them for inflation each year, so the current figures are higher.

HIPAA Violation | Minimum Penalty | Maximum Penalty
Unknowing | $100 per violation, annual maximum of $25,000 for repeat violations* | $50,000 per violation, annual maximum of $1.5 million
Reasonable cause | $1,000 per violation, annual maximum of $100,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million
Willful neglect, corrected within the required time period | $10,000 per violation, annual maximum of $250,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million
Willful neglect, not corrected within the required time period | $50,000 per violation, annual maximum of $1.5 million | $50,000 per violation, annual maximum of $1.5 million

* $25,000 per year is also the maximum that State Attorneys General can impose, regardless of the type of violation.


Everything starts with the contingency plan. That plan will incorporate the three sets of standards that impact BCDR. These standards (rules) have been documented in their entirety for well over a decade. Regardless of the size of your business, you MUST comply with them. Although it seems like a lot, it doesn't have to be difficult to implement these procedures; many IT consultancies, cloud service providers and MSPs specialize in HIPAA-compliant BCDR. Here is what you should take away from this.

  • There MUST be a disaster recovery plan and an emergency mode operation (business continuity) plan. 45 CFR § 164.308(a)(7)(ii)(B) and (C).
  • There MUST be a recovery test plan; testing and revision is an addressable specification, but a plan that has never been tested is not one you can rely on. § 164.308(a)(7)(ii)(D).
  • Medical practices, and the business associates that share information with them, MUST securely back up the data as retrievable exact copies. § 164.308(a)(7)(ii)(A).
  • Backups MUST be taken regularly (the Rule sets no frequency; multiple times a day is a reasonable target) and any lost data MUST be restorable. § 164.308(a)(7)(ii)(A) and (B).
  • Data in transit and at rest MUST be encrypted. Addressable under § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii), but effectively mandatory, because HITECH Act Section 13402(h) treats unencrypted ePHI as unsecured and its exposure as a reportable breach.
  • Data MUST be accessible in the event of a disaster. § 164.312(a)(2)(ii).

In all of these cases, an organization must be concerned with how it preserves the data. It must also be concerned with how it restores data lost to corruption, systems failure, local disasters (fire and theft) and catastrophic disasters like hurricanes, floods, tornadoes, earthquakes or regional wildfires. It needs to get the data securely offsite ahead of a catastrophic event. Finally, it will need to restore the data remotely and strictly control who has access to it when it does. These are the paramount issues that need to be addressed, and a plan needs to be developed to deal with them.
