Every practice should have plans in place in the event of an emergency or disaster. This could be anything from a cyber-attack to a natural disaster. The Contingency Plan standard requires that covered entities “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
The following 3 implementation specifications are required:

• Disaster Recovery Plan: Focused on restoring an organization’s protected health data.
• Emergency Mode Operation Plan (or Continuity of Operations): Focused on maintaining and protecting critical functions that protect the security of protected health data.
• Data Backup Plan: Focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.