Administrative Safeguards

HIPAA Contingency Plan for a Small Practice

5 min read · Last reviewed May 22, 2026

The contingency plan is one Security Rule standard with five specifications

45 CFR 164.308(a)(7)(7)) requires a contingency plan with five implementation specifications:

  • Data Backup Plan — required
  • Disaster Recovery Plan — required
  • Emergency Mode Operation Plan — required
  • Testing and Revision Procedures — addressable
  • Applications and Data Criticality Analysis — addressable

Three required, two addressable. The required ones must be implemented; the addressable ones must be implemented, met with an equivalent alternative, or have a documented "not reasonable and appropriate" decision under 164.306(d)(3)(3)).

What each specification asks for

Data Backup Plan

Procedures to create and maintain retrievable exact copies of ePHI. For a small practice this means:

  • The EHR's vendor-side backups
  • Practice-side backups of anything that lives outside the EHR (scanned documents, exports, shared drives, email holding PHI)
  • Encrypted backup media or cloud backup
  • A documented retention period
  • A documented restoration test

A backup that has not been test-restored is not a backup. The required restoration test is part of what "retrievable exact copies" means.

Disaster Recovery Plan

Procedures to restore any loss of data. The plan should cover:

  • What constitutes a disaster (ransomware, hardware failure, fire, flood, prolonged power outage, vendor outage)
  • Roles and responsibilities
  • Recovery time objective (RTO) and recovery point objective (RPO) for each system
  • Vendor contact information
  • Restoration procedures step by step
  • Communication plan during recovery

Emergency Mode Operation Plan

Procedures to enable continuation of critical business processes for protection of ePHI security during operation in emergency mode. This is the harder one in practice — what does the practice do during a multi-day EHR outage? Some elements:

  • Paper documentation procedures during system outage
  • Manual scheduling and check-in
  • Emergency access procedures under 164.312(a)(2)(ii)(2)(ii)) (required)
  • Communications with patients about delayed services
  • Clearinghouse backup path if claims cannot be submitted electronically

The February 2024 Change Healthcare incident made this specification newly concrete for many small practices.

Testing and Revision Procedures (addressable)

How the plan is tested and how the results feed back into revision. Patterns that work at small scale:

  • Annual tabletop exercise — a one-to-two-hour walkthrough of a scenario with the team
  • Quarterly partial test of backup restoration on a sample data set
  • Documented results, including what was found and what was changed

If the practice elects not to test annually, the documented decision should explain the alternative and the residual risk.

Applications and Data Criticality Analysis (addressable)

A ranked list of which systems and which data are most critical to the practice's operation and patient safety. Used to prioritize recovery during a multi-system incident.

Inputs from the risk analysis

The contingency plan should flow directly from the risk analysis at 164.308(a)(1)(ii)(A)(1)(ii)(A)). The threat list in the SRA includes the events the contingency plan is built to respond to. The contingency plan in turn becomes part of the risk management response under 164.308(a)(1)(ii)(B)(1)(ii)(B)).

What "small-practice scale" looks like

The contingency plan does not need to be the same document a hospital uses. A defensible small-practice plan is:

  • 4-10 pages of actual procedure
  • A simple incident-classification matrix (what counts as a disaster vs an outage)
  • A ranked list of critical systems (EHR, practice management, clearinghouse, email, document storage)
  • A vendor contact list with after-hours numbers
  • A backup-and-restore procedure with the most recent test date
  • A paper-mode operation procedure
  • A communication template for patients
  • A signed approval by the Security Official
  • An annual test record

NIST SP 800-66 r2 alignment

NIST SP 800-66 r2 walks through contingency planning at small-provider scale and references NIST SP 800-34, Contingency Planning Guide for Federal Information Systems. The 800-34 vocabulary (BCP, DRP, COOP, ISCP) is useful when working with consultants; small practices can use simpler language as long as the substance is covered.

What HHS guidance says about ransomware specifically

The HHS Office for Civil Rights Ransomware Fact Sheet addresses how the Security Rule applies to ransomware. The contingency plan obligations and the breach notification analysis interact: a ransomware incident is presumed to be a breach unless the four-factor analysis demonstrates a low probability of compromise, and the contingency plan determines how quickly the practice can recover and how much data is at risk during the incident.

Common gaps

Recurring contingency-plan gaps in published Resolution Agreements:

  • No documented backup test
  • Backup that runs but has not been restored end-to-end
  • No emergency mode operation procedure
  • No criticality ranking (every system treated as equally important)
  • Plan signed years ago, never updated for new systems or vendors
  • Plan not tested in the past year

What a defensible test looks like

A tabletop exercise with the team takes one to two hours. A simple script:

  1. Scenario: ransomware affects the EHR vendor and the practice loses access for an undetermined number of days.
  2. Walk through the first 24 hours: who is notified, what is documented on paper, how patients are communicated to.
  3. Walk through restoration: which backup, which vendor contact, which workflow returns first.
  4. Walk through claims: how does revenue continue, what is the clearinghouse fallback.
  5. Document what was discovered and what changes are needed.

A documented tabletop exercise is one of the easiest ways to satisfy the testing specification at small-practice scale.

Restraint about claims

A contingency plan reduces the impact of incidents; it does not prevent them. The Security Rule expects covered entities to plan for the contingencies that the risk analysis has identified, and to keep the plan current.

How D3rx fits

D3rx SRA Binder Studio includes the contingency plan as a section of the binder, prompts for each of the five specifications, surfaces the most recent test date, and links each section back to the underlying HHS, OCR, eCFR, and NIST sources. It is a point-in-time administrative documentation aid; the practice remains responsible for actually maintaining and testing the plan.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 164.308(a)(7)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  2. 164.306(d)(3)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.306#p-164.306(d
  3. 164.312(a)(2)(ii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
  4. SP 800-66 r2https://csrc.nist.gov/pubs/sp/800/66/r2/final
  5. SP 800-34https://csrc.nist.gov/pubs/sp/800/34/r1/final
  6. Ransomware Fact Sheethttps://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
  7. published Resolution Agreementshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides