
Business Impact Analysis Survey: Long Version Template


Due to HIPAA Security Rule regulations, the organization must implement Contingency Planning Practices to ensure the protection of ePHI (electronic Protected Health Information). To accomplish this, the organization will complete several steps to identify critical business functions, processes, and applications that process ePHI and to understand the potential impact to the business if a disruptive event occurs.

The first step in implementing the Contingency Program for the organization is to conduct a Business Impact Analysis (BIA). This questionnaire will help each business unit identify its critical business functions and recovery requirements and estimate the impact of a disaster (or prolonged outage) on the business unit. Once the survey is completed, the BIA Project Team will review and analyze the data and create a prioritized recovery strategy to present to senior management.

For the purpose of this BIA, answer each question based on the “worst-case scenario”. This means your workplace and all records, files, and equipment in it are inaccessible. The priority of this questionnaire is to identify any business process or application that currently contains ePHI. However, please answer all questions regardless of ePHI status. When all questions are completed to the best of your knowledge, a recovery strategy that best meets the needs of the business can be established.

Some questions relate directly to a specific process, whereas others concern the business unit in general. Some sections contain an additional “Notes” area where you can amplify or explain your responses. While this is not a requirement, it can be useful in helping the Project Team understand the nature of your business unit operations.

Table of Contents: Business Impact Analysis Survey Template



  • Respondent Information
  • Business Unit / Department Information
  • ePHI (electronic Protected Health Information)
  • Service Providers
  • Business Unit Vulnerability
  • Recovery Complexity


  • Process Identification
  • Process Criticality & Frequency
  • Processing Periods
  • Process Unavailability Impact
  • Process Deferrable
  • Manual Work-Around Procedures for Processes
  • Alternate Facilities / Work-load shifting
  • Backlog Work


  • Internal Received Dependencies (Same Company)
  • Internal Sent Dependencies (Same Company)
  • External Received Dependencies (Outside Provider)
  • External Sent Dependencies (Outside Provider)


  • Software Resources
  • Specialized Supplies and Clerical Type Resources
  • Equipment Resources
  • Manpower Resources
  • Reports


  • Financial Impact
  • Customer & Operational Impact
  • Legal & Regulatory Impact


To view a specific section of this document, please contact us at Bob@training-hipaa.net or call us at (515) 865-4591.