(515) 865-4591
Bob@training-hipaa.net

FAQ on Templates for Risk Assessment, Business Impact Analysis, Disaster Recovery & Business Continuity Plan

Question: Besides HIPAA, for which other compliance regulations I can use these templates?
Answer: As per research document published by Gartner in July 2005, Gartner analysts looked at four industry sectors — healthcare, government, finance, and utilities— to determine which laws and regulations most influenced Business Continuity Planning and Disaster Recovery Plan in these sectors.

  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • Food and Drug Administration (FDA) Code of Federal Regulations (CFR), Title XXI, 1999
  • Sarbanes-Oxley Act (SOX) 2002
  • Federal Information Security Act (FISMA) of 2002
  • Title III of the E-Government Act of 2002 (PL 107-347, 17 December 2002)
  • COOP and Continuity of Government (COG). Federal Preparedness Circular 69, 26 July 1999
  • Federal Financial Institutions Examination Council (FFIEC) Handbook, 2003-2004
  • Basel II, Basel Committee on Banking Supervision,
  • Governmental Accounting Standards Board (GASB) Statement No. 34, June 1999
  • International Organization for Standardization (ISO) 27002

Question: Who can use Contingency Plan Template suite?
Answer: These templates can be used also by any organization from any industry that is looking to conduct a risk assessment based on best practices & accepted standards. The Industries which can use these templates are Automotive, Banking, Chemical and petroleum, Consumer products, Education, Electronics, Financial markets, Government, Healthcare and life sciences, Insurance, Media and entertainment, Retail, Telecommunications, Travel and transportation and Wholesale distribution.

These templates can also be used by covered entities like Hospitals, Insurers, Long Term Care/Skilled Nursing Facilities, Ambulatory Surgery Centers, Assisted Living/Intermediate Care Facilities, Clinical Laboratories, Clinics, Dialysis Providers, Employer Plans, HMOs, Home Health Agencies, Hospices, Pharmacies, Physicians, PPOs, Rehabilitation Facilities and other payees & providers. Purchase of the policy templates grants the organization a one site license. For additional sites license or enterprise license, please call for special discounted prices.

Question: We have questions on the use of these templates and start our project on Contingency plan. How can you help us?
Answer: After you buy the templates, you get one-hour free consultation with one of our Certified Business Continuity Professional (CBCP), who will explain to you how to use the templates. Additional consultation can be purchased on an hourly basis.

Question: We want to buy one site license before we buy the enterprise license (for multiple sites). Can we do it?
Answer: Yes. We request you to get the quote for enterprise license and then inform your sales rep that you want to use the product at one location before buying the enterprise license. You can buy one site license at regular price and when you decide on buying the enterprise license, price will be adjusted for the amount that you have already paid. For example the quote for enterprise license was $2500 and you have already paid $1200 for one site license, you just have to pay the balance $1501 for enterprise license. Please note that the enterprise license quote is valid for 3 weeks only.

Question: We plan to use a consultant to help us with the Contingency Planning project, how can your templates save money for us?
Answer: If you use consultant or do the project on your own, you will have to gather information about your location, persons responsible, server information, systems working on it, procedures etc. for the project. These templates will help you to gather all the necessary information; this will speed up your project and will reduce the time of consultant on the project. You can use the expertise of the consultant to evaluate the information that you have gathered through these templates and create the plan by fine tuning the templates to meet your company’s requirement and help you test the plan.

Question: We don’t have the necessary budget to hire a consultant to start the Contingency Planning project but have individuals whom we can spare for this project. How can I use the templates?
Answer: These are one of the most exhaustive templates that one can have for regulatory compliance. You can use your internal resources to populate the templates with the information. You can refer to sample plans given in the suite to understand how the final plan looks. When ever you have the necessary budget to start the project, you can use all the information that you have gathered using the templates to reduce the  consultant/Business Continuity Officer time spent on the project.

Question: We are planning to use your templates but we don’t have the budget for a full-time consultant, how can you help us in this scenario?
Answer: Using the templates will reduce your cost of the project considerably. We can provide a part-time project manager for your project who will guide your team on next steps and help in the successful completion of the project. In this way, you will have a Business Continuity expert to guide your team.

Question: I want to buy just one template from the whole suite. Can I buy it?
Answer: Yes. You need to contact us at Bob@training-hipaa.net to receive a quote for the single template that you want to buy. However, given the inter-relationship of many of the templates, they will be of greatest value to users if the suite as a whole is obtained. Purchase of the policy templates grants the organization a one site license. For additional sites license or enterprise license, please call for special discounted prices.

Question: Can I use the Risk Assessment templates for my organization even if our organization is not affected by HIPAA?
Answer: Yes. These templates are created based on best practices and standards. The complete package has Risk Assessment templates, forms, worksheets, policies, and standards. Risk Assessment and Business Impact Analysis (BIA) is conducted based on following types of disasters:
1) Weather related:
Earthquake
Flood / Flash Flood
Hurricanes / Tropical Storms
Severe Thunderstorms
Tornado
Winter Storms
2) Facility Related
Bomb Threat
Chemical Spills
Civil Disturbance
Electrical Failure
Fire
HVAC Failure
Water Leaks
Work Stoppage / Strikes
3) Technology Related
Human Error
Loss of Telecommunications
Data Center Outage
Lost / Corrupted Data
Loss of Network Services
Power Failure
Prolonged Equipment Outage
UPS / Generator Loss

Question: Does HIPAA Security rule require a Covered Entity to create Contingency Plan?
Answer: Yes. The HIPAA Security Rule 164.308(a)(7)(i) identifies Contingency Plan as a standard under Administrative Safeguards. Contingency Planning means the overall process of developing an approved set of arrangements and procedures to insure your business can respond to a disaster and resume its critical business functions within a required time frame objective. The primary objective is to reduce the level of risk and cost to you and the impact on your staff, customers and suppliers.

Contingency Plan templates can jump start HIPAA Contingency Plan project which includes Business Impact Analysis (BIA), Business Continuity Plan (BCP), Disaster Recovery Program (DRP), Emergency Mode Operation Plan (EMOP), Data Backup Plan, Testing and Revision Procedures and many other projects.

HIPAA Citation

HIPAA Security Rule Standard
Implementation Specification

Implementation

ADMINISTRATIVE SAFEGUARDS

164.308(a)(7)(i)

Contingency Plan

164.308(a)(7)(ii)(A)

Data Backup Plan

Required

164.308(a)(7)(ii)(B)

Disaster Recovery Plan

Required

164.308(a)(7)(ii)(C)

Emergency Mode Operation Plan

Required

164.308(a)(7)(ii)(D)

Testing and Revision Procedures

Addressable

164.308(a)(7)(ii)(E)

Applications and Data Criticality Analysis

Addressable

PHYSICAL SAFEGUARDS

164.310(a)(1)

Facility Access Controls

164.310(a)(2)(i)

Contingency Operations

Addressable

164.310(d)(1)

Device and Media Controls

164.310(d)(2)(iv)

Data Backup and Storage

Addressable

TECHNICAL SAFEGUARDS

164.312(a)(1)

Access Control

164.312(a)(2)(ii)

Emergency Access Procedure

Required

 

Allow us to jump start your Contingency planning project with the most comprehensive templates for the healthcare industry. Please contact us for more information at Bob@training-hipaa.net or call (515) 865-4591