Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

Do You Have a Disaster Recovery Plan, and Have You Tested It?

As much as we hope every business is preparing a Disaster Recovery Plan (DRP) to deal with the growing technological advancements with storing and sharing ePHI, at this moment in time the majority are still lagging behind. When your company’s data or the Protected Health Information of your employees is compromised are you prepared to respond?

A Disaster Recovery Plan describes how an organization plans to handle potential disasters, created both by natural causes and human error. If you need an idea for where to start with your DRP, check out these 9 key elements to create your plan here.

Even if your business has created a DRP, have you tested it? A DRP cannot be assumed to work without testing the program. By testing, you are to identify deficiencies and validate you can implement the plan.

Here are 3 simple steps to take before you begin testing your Disaster Recovery Plan:

  1. Break it down – Look at your DRP and figure out how to divide it into different segments based on areas of responsibility. That way, when it comes to the lower levels of testing (checklist, walkthrough, and simulation), you do not have to perform a full-scale test.
  2. Periodically Review – We recommend your staff or your assigned Emergency Team Leaders meet at least quarterly to review the DRP.—Meaning, examine in great detail for missing information or deficiencies in the written plan.
  3. Set Objectives – Determine exactly what it is you want to accomplish with this test. Set goals for your workforce to meet and outline what steps should be taken in order to meet those goals.

After taking these steps you can begin the testing process. Let’s review the different types of tests:

  • Checklist Testing- Create a checklist specific to each business process. Select teams who will carry out the responsibilities of each process. Checklists are cheap and easy to implement. This should be done before any other test because it acts as a foundation for the rest of the testing.
  • Walk-Through Testing- Before trying any sort of simulation with your business, gather all workforce members in a meeting room to walk through each scenario step-by-step. Assure every employee understands their tasks and duties for the corresponding situation. Awareness of all members is key to a DRP and tabletop testing can effectively demonstrate their roles. Additionally, this is a great way to find documentation errors or inconsistencies in your DRP.
  • Simulation Testing- Simulate a disaster as closely to a real disaster as possible without disrupting the business operation. This is the nearest you can get to a full test without interrupting daily operations.
  • Full Interruption Testing- A full interruption test is costly and interrupts normal operations. This test is closest to the real thing so it will help reduce errors and will better prepare the workforce for a real disaster. In this case, you shut down operations at the primary site and recover at the alternate site as laid out in the procedures for your DRP. Only do this once your team has practiced enough and feels comfortable with your plan. Your business will literally be shut down during this test and will only come back if you successfully complete the recovery plan.

After completing a test, it is important to follow these steps in order to evaluate and document the effectiveness of your plan and your workforce:

  • Identify Strengths and Weaknesses of the Plan- After completing the test, determine which aspects can be improved upon and which ones are working well. It’s also important to evaluate the steps that are taken and determine if any need to be added or if any are unnecessary or repetitive and can be removed from the plan.
  • Give Feedback on Performance- Remember to take notes throughout the test on the performance of each team or function. This will make giving feedback easier. The teams need to know what they did well and what needs improvement in order to make the Disaster Recovery Plan most effective.
  • Write Final Report- The final report should include objective results, performance overall and by teams, a summary of the test, and future recommendations. It should sum up the results of the test for future reference.

You should run a simulation of your disaster recovery plan so that your procedures become routine to your organization and team members. It is not enough to have a DRP written down and filed away. The DRP should be tested and ready to be successfully implemented.

Edwards, B. and Cooper, J. (1995) ‘Testing the disaster recovery plan’, Information Management & Computer Security, 3(1), pp. 21–27.

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)