Skip to content Skip to site navigation Skip to service navigation

HIPAA Security: Contingency Planning Policy

I. Scope & Applicability

This policy applies to Stanford University HIPAA Components (SUHC) information systems that maintain electronic protected health information (ePHI).

Information systems that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.

II. Policy Statement

SUHC will develop and implement for each information system a contingency plan for responding to and recovering from system outages or other emergencies that may damage or make unavailable the system or ePHI (e.g., natural disaster, fire, vandalism, system failure, software corruption, virus, operator error).


  1. Application and Data Criticality Analysis. SUHC System Owners will assess for each information system subject to this policy (i) the criticality of applications and data, (ii) the operational impact of unavailability, and (iii) the disaster readiness and service level agreements of supporting systems or infrastructure components on which the information system relies.
  2. Backups.  To reduce the likelihood of data loss or corruption, SUHC System Owners will create and maintain retrievable exact copies of ePHI and other data necessary for the operation of the information system.
    1. SUHC information systems will have backups performed on a regular basis, the schedule for which will be based on the potential risk of data loss or corruption and on the application and data criticality analysis.
    2. Backups will contain sufficient information to be able to restore the information system to a recent, operable, and accurate state.
    3. Backups will be performed in a systematic manner in accordance with the backup strategy and procedures outlined in the Contingency Plan, described in Section III.C, below, for that information system.
    4. Backup media will be stored in a secure location separate from the information system.
    5. Accurate and complete records of existing backups and the location of backup media will be maintained.
    6. Backup files will be retained for an appropriate time period, based on applicable state or federal mandated retention requirements, storage considerations, and costs.
  3. Contingency Plan. SUHC System Owners will create, document, and implement a Contingency Plan for each information system. When developing a Contingency Plan, the System Owner will consider an application and data criticality analysis and risk assessment results and will weigh trade-offs among system capabilities, capital and operating costs, and the operational impact of the system being unavailable while files are being backed up or restored.
    1. Contingency Plan Content. The Contingency Plan will address:
      1. Backups – the strategy and procedures for creating and maintaining system and data backups as described in Section III.B, above.
      2. Disaster Recover – procedures to restore any lost data or functionality in the event of a system outage or other emergency.
      3. Emergency Mode Operations – procedures to enable continuation of critical business processes and maintain the integrity of ePHI while the information system that normally provides the information is unavailable.
    2. Contingency Plan Review. Upon request, the Stanford University Chief Information Security Officer or delegate or Internal Audit may review an information system Contingency Plan.
    3. Documentation Retention. Each Contingency Plan will be retained for a minimum of six years from the date when it was last in effect.
  4. Testing and Revision. SUHC System Owners will implement procedures for periodic testing of the Contingency Plan and backup media.
    1. Contingency Plan Testing. The Contingency Plan will be tested at least once every 12 months and when material modifications are made to the Plan to substantiate that it will be effective and that workforce members understand their respective recovery roles and responsibilities. If testing reveals that the Contingency Plan will be ineffective in the event of an emergency or other occurrence, the System Owner will revise the plan accordingly.
    2. Backup Media Testing. Backup media will be tested periodically for readability and, if necessary, replaced so that at all times there is sufficient backup data available to enable the restoration of the system to a recent, operable, and accurate state.


Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.


Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.

Related Documents

Document Information

  1. Legal Authority/References
    ​Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.308(a)(7)
  2. Contact for Questions Related to this Policy
    Stanford University Chief Information Security Officer
  3. Document Review History
    Version Date Modified Comments
    1.0 04/28/2005 Yes  
    1.1 12/07/2015 Yes Reviewed and updated by Aaron Arutunian

This document is intended for use by Stanford University. No representations or warrants are made for outside use. Not for outside reproduction or publication without permission.

Last modified May 4, 2016