We will also compare hospitals’ contingency plans with government- and industry-recommended practices. The HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information (45 CFR, Part 164 § 308(7)(i)). (OEI; 01-14-00570; expected issue date: FY 2015)
Source: https://oig.hhs.gov/reports-and-publications/archives/workplan/2015/FY15-Work-Plan.pdf