Business Continuity Plan for Healthcare: HIPAA, Patient Safety, and Regulatory Requirements

The Change Healthcare ransomware attack in February 2024 didn’t just knock down a billing system. BlackCat/ALPHV ransomware hit a Citrix portal with no multi-factor authentication, took down a clearinghouse that processes 15 billion healthcare transactions annually — touching 1 in 3 patient records — and left 340,000+ physicians and 60,000+ pharmacies unable to submit claims for weeks. UnitedHealth Group ultimately paid $22 million in ransom and reported $2.457 billion in total costs through Q3 2024. The breach affected 192.7 million individuals, the largest healthcare breach in U.S. history. Providers who had tested their downtime procedures survived. Those who’d been running the same untested continuity plan since 2019 found out what that oversight actually costs.

Healthcare business continuity is not an IT project. It’s a clinical operations, regulatory compliance, and patient safety obligation — and the regulators who oversee it have real enforcement teeth.

TL;DR

  • HIPAA Security Rule requires five contingency plan components under 45 CFR 164.308(a)(7): Data Backup, Disaster Recovery, Emergency Mode Operation (all required), plus Testing and Criticality Analysis (addressable)
  • CMS Conditions of Participation (42 CFR 482.15) require hospitals to maintain, test, and annually update an all-hazards emergency preparedness program — separate from HIPAA
  • Healthcare BCP must account for life-critical systems, clinical workflow continuity during EHR downtime, and patient safety in a way no other industry requires
  • OCR enforcement is increasingly citing inadequate contingency planning in ransomware-related settlements — $337,750 to USR Holdings in 2025 is a recent example
  • EHR systems, medical devices, and clinical communications infrastructure need RTO/RPO targets rooted in clinical impact analysis, not just IT recovery timelines

The Regulatory Landscape: Who’s Watching and What They Want

Healthcare organizations face a layered compliance environment for business continuity. The three primary frameworks are HIPAA, CMS Conditions of Participation, and The Joint Commission — and they’re not interchangeable.

HIPAA Security Rule: 45 CFR 164.308(a)(7)

The HIPAA Security Rule requires covered entities and business associates to implement a contingency plan. The standard lives at 45 CFR 164.308(a)(7) and breaks into five implementation specifications.

Three are required — meaning you must implement them regardless of your organization’s size, structure, or resources:

Implementation Specification | What It Requires
Data Backup Plan | Establish and implement procedures to create and maintain retrievable exact copies of ePHI
Disaster Recovery Plan | Establish (and implement as needed) procedures to restore any loss of data
Emergency Mode Operation Plan | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI during and immediately following an emergency

Two are addressable — you must implement them OR document why they’re not reasonable and appropriate for your organization (and implement an equivalent alternative if applicable):

Implementation Specification | What It Requires
Testing and Revision Procedure | Implement procedures for periodic testing and revision of contingency plans
Applications and Data Criticality Analysis | Assess the relative criticality of specific applications and data in support of other contingency plan components

The “addressable” label misleads people constantly. Addressable does not mean optional. OCR has cited organizations for treating addressable specifications as if they could simply be skipped. If you haven’t tested your disaster recovery plan or conducted a data criticality analysis, you need a documented reason — and “we haven’t gotten to it” doesn’t qualify.

CMS Conditions of Participation: 42 CFR 482.15

Hospitals participating in Medicare and Medicaid must comply with CMS emergency preparedness requirements at 42 CFR 482.15. This is a separate framework from HIPAA, broader in scope, and tied to your facility license and federal reimbursement — not just your data protection obligations.

The four core elements CMS requires:

1. Emergency Plan — An all-hazards emergency plan reviewed and updated at least every two years, based on a documented facility-based and community-based risk assessment.

2. Policies and Procedures — Written policies addressing how the organization will respond to emergencies, including patient care and treatment during an emergency and staff roles and responsibilities.

3. Communication Plan — A plan that addresses how the organization will communicate with staff, external healthcare providers, and the community during emergencies, including sharing patient information consistent with HIPAA.

4. Training and Testing — Hospitals must conduct exercises to test the emergency plan at least twice per year, including at least one full-scale community-based exercise or individual facility-based functional exercise annually. Organizations that experience a real emergency can count that event toward one of the exercises for that year.

Organizations that fail CMS emergency preparedness surveys can face Medicare/Medicaid reimbursement consequences — a very different threat vector than HIPAA fines.

The Joint Commission: Emergency Management Standards

For accredited hospitals, The Joint Commission’s Emergency Management standards (EC.02.06.01 through EC.04.01.01) add another layer of requirements, including hazard vulnerability analysis (HVA), mutual aid agreements with community partners, and documentation of how the hospital will handle patient surge, loss of utilities, and extended mass casualty events.

Joint Commission surveyors look at whether your emergency operations plan is realistic for your facility’s actual patient population, staffing model, and geographic risk profile. A generic template that clearly wasn’t written for your organization will get flagged.

What Makes Healthcare BCP Fundamentally Different

Every business continuity practitioner understands the pain of an unplanned outage. In healthcare, that pain has a patient safety dimension that doesn’t exist anywhere else.

Life-Critical Systems Don’t Have a Grace Period

In financial services, a trading system outage is costly. In a hospital, an outage affecting ventilator management, IV infusion pumps, or patient monitoring systems can be immediately life-threatening. Your BIA needs to distinguish between:

  • Class I: Immediately life-critical — systems whose failure, without rapid alternative procedures, poses direct patient harm risk (ventilator management, monitoring, code response systems)
  • Class II: Clinically essential — systems whose failure significantly degrades care quality but has workarounds (EHR, CPOE, PACS)
  • Class III: Operationally important — systems whose failure creates workflow disruption but no direct patient harm (scheduling, billing, non-clinical communications)

The distinction matters for RTO prioritization — and for how you justify your recovery objectives to CMS and Joint Commission surveyors.

EHR Downtime Is a Clinical Operations Problem

“Downtime procedures” sounds like an IT term. In practice, it means: what does your nursing staff do when the electronic health record is unavailable? How do physicians document orders? How does pharmacy verify medication history? How does radiology receive and communicate results?

Well-designed healthcare BCPs include laminated downtime procedure cards at nursing stations, pre-printed paper order forms, manual medication administration records, and communication trees that don’t depend on the EHR or the network it runs on. Organizations that discover their downtime procedures during an actual outage — rather than in a tabletop exercise — tend to discover them the hard way.

The 2021 Scripps Health ransomware attack illustrates the patient care stakes. The attack forced four weeks of EHR downtime, required diversion of trauma, stroke, and heart attack patients to competing hospitals for more than a week, and resulted in $112.7 million in combined losses ($91.6M in lost revenue, $21.1M in incremental expenses). Scripps staff reverted to paper charts. Patients were rerouted from a hospital that couldn’t safely receive them.

The 2022 CommonSpirit Health attack — the second-largest nonprofit hospital chain in the U.S. — impacted more than 100 facilities across 13 states, exposed data on 623,774 patients, and ultimately cost $160 million. Facilities that had rehearsed downtime procedures kept clinical operations running. Those that hadn’t were improvising clinical documentation for weeks.

Healthcare organizations hit by ransomware face average downtime costs of $900,000 per day and average downtime of 17 days per incident. A study covering 2018–2024 found ransomware attacks on U.S. healthcare organizations compromised nearly 89 million patient records and cost an estimated $21.9 billion in total downtime losses.

Patient Location and Continuity of Care

Healthcare BCP must address patient tracking during evacuations, transfers, and multi-day outages. If you’re transferring patients to another facility because yours is offline, you need a mechanism to share clinical information in a form that’s both usable and HIPAA-compliant under emergency conditions. Your communication plan needs to address this specifically.

OCR Enforcement: What’s Actually Being Cited

OCR’s enforcement posture on contingency planning has sharpened considerably since 2023 as ransomware attacks on healthcare entities have multiplied. OCR announced 20 enforcement actions since the start of 2024 resulting in $9.4 million in payments.

Several settlements explicitly cite contingency planning failures:

  • Heritage Valley Health System (July 2024 — $950,000): OCR’s third ransomware settlement explicitly cited failure to implement a contingency plan as a violation. Three-year corrective action plan required.
  • Doctors’ Management Services (October 2023 — $100,000): OCR’s first-ever ransomware settlement following a GandCrab attack affecting 206,695 individuals. Findings included inadequate risk analysis and system monitoring.
  • Virtual Private Network Solutions / Oklahoma EMS provider (October 2024 — $90,000): Fourth OCR ransomware settlement, focusing on Security Rule gaps including contingency planning.
  • Plastic Surgery Associates of South Dakota (2024 — $500,000): OCR’s sixth ransomware enforcement action. PSASD was hit by ransomware in 2017 and discovered it could not restore affected servers from backup — a direct failure of the Data Backup Plan and Disaster Recovery Plan requirements. Two-year corrective action plan required.
  • USR Holdings / Florida business associate (January 2025 — $337,750): Multiple Security Rule violations including contingency planning failures across mental health and substance abuse facilities.

The pattern in OCR enforcement is consistent:

  1. A ransomware attack or extended outage disrupts access to ePHI
  2. OCR’s investigation finds the organization lacked an adequate data backup plan or disaster recovery plan
  3. The investigation often also finds the contingency plan had never been tested
  4. Multiple Security Rule violations are cited simultaneously — not just contingency planning, but also risk analysis, access controls, and audit logging

The practical implication: a ransomware attack that triggers OCR scrutiny will expose every gap in your Security Rule compliance simultaneously. The organizations that walk away with manageable settlements are the ones that had documented, tested contingency plans — even if the plans weren’t perfect.

Building the Healthcare BCP: Key Components

Step 1: Business Impact Analysis with Clinical Weighting

Your BIA needs to go beyond “this system supports X business function” to address “this system failure affects patient care in the following ways.” Document:

  • Maximum tolerable downtime for each clinical application (not just “critical” vs. “non-critical”)
  • Clinical impact of each outage duration: 1 hour, 4 hours, 24 hours, 72 hours
  • Minimum staffing and resource requirements to maintain safe patient care during each tier of outage
  • Dependencies on external parties (EHR vendor hosting, cloud providers, medical device manufacturers)

Step 2: Recovery Objectives Rooted in Clinical Impact

Generic RTO/RPO targets are a compliance trap. Regulatory reviewers — CMS surveyors, Joint Commission surveyors, OCR investigators — are increasingly sophisticated about whether your stated RTOs actually reflect clinical reality.

A hospital that claims a 24-hour RTO for its CPOE (computerized physician order entry) system, but whose nursing staff has no tested downtime procedures for manually managing medication orders for 24 hours, has a credibility gap. Tie your RTOs and RPOs directly to the clinical impact documentation in your BIA.

For EHR systems specifically, most healthcare organizations target:

  • RPO: ≤4 hours (maximum acceptable data loss, given patient safety implications of lost clinical documentation)
  • RTO: 4–24 hours for core EHR functions, with the lower end for ICU/emergency/surgical settings

Step 3: Downtime Procedures That Actually Work

For every clinical system in your Class I and Class II categories, you need written downtime procedures that:

  • Don’t require access to the system that is down in order to be used
  • Are accessible during a network outage (paper copies, offline-accessible devices)
  • Are rehearsed by staff at least annually
  • Address the full patient care workflow, not just documentation

The Joint Commission and CMS both look for evidence that downtime procedures are tested and that staff can actually execute them. “We have a procedure document on the intranet” is not sufficient evidence of operational readiness.

Step 4: Recovery Procedures for ePHI Systems

Your HIPAA Disaster Recovery Plan needs to address:

  • Data backup verification: How do you confirm backups are complete, uncorrupted, and restorable? (Not just that backup jobs ran — but that you’ve tested restoration)
  • Offsite or offline backup copies: Ransomware encrypts what it can reach. Air-gapped or immutable backups are now table stakes for healthcare
  • Recovery sequence: Which systems come back first and why (connected to your criticality analysis)
  • Third-party recovery dependencies: Your EHR vendor, your cloud infrastructure provider, your HIE connections — what are their RTOs and how do they mesh with yours?

Step 5: Annual Testing with Documentation

HIPAA requires testing of contingency plans (as an addressable specification). CMS requires at least two exercises per year. The Joint Commission expects documented exercise outcomes and evidence of improvement.

For OCR purposes, what you want to show is a documented testing history: scenario, date, participants, findings, and — critically — the plan updates made in response to those findings. An exercise report that ends with “no action items identified” will raise eyebrows. Every real exercise identifies something.

The HIPAA + CMS Overlap: Staying Compliant Without Duplicating Effort

Organizations frequently run two parallel compliance processes — one for HIPAA Security Rule and one for CMS emergency preparedness. That duplication isn’t required. The frameworks are complementary, and a well-designed healthcare BCP can address both simultaneously.

The key is structuring your BCP document set to map explicitly to both frameworks:

BCP Component | HIPAA Citation | CMS Citation
Data Backup Plan | 45 CFR 164.308(a)(7)(ii)(A) | 42 CFR 482.15(b)
Disaster Recovery Plan | 45 CFR 164.308(a)(7)(ii)(B) | 42 CFR 482.15(b)
Emergency Mode Operation Plan | 45 CFR 164.308(a)(7)(ii)(C) | 42 CFR 482.15(b)(1)
Criticality Analysis / Risk Assessment | 45 CFR 164.308(a)(7)(ii)(E) | 42 CFR 482.15(a)(1)
Testing and Exercises | 45 CFR 164.308(a)(7)(ii)(D) | 42 CFR 482.15(d)

When an OCR investigator and a CMS surveyor both ask about your contingency planning, you should be able to point to the same underlying program — with framework-specific cross-references in your documentation.

So What?

If your healthcare organization’s business continuity plan was built around a generic template, hasn’t been tested since your last CMS survey, and doesn’t address clinical workflow continuity during EHR downtime — you’re not ready.

The regulatory floor is 45 CFR 164.308(a)(7) and 42 CFR 482.15. The enforcement reality is that OCR is increasingly scrutinizing contingency planning in the aftermath of ransomware attacks, and CMS surveyors are looking for operational readiness, not just documentation.

The difference between organizations that weather major outages with manageable impact and those that improvise clinical operations for weeks is almost always the same: tested downtime procedures, verified backup restoration, and a BIA that drove recovery objectives based on clinical impact rather than IT convenience.

For teams building or overhauling their healthcare BCP, the Business Continuity & Disaster Recovery Kit includes BIA templates, BCP plan frameworks, and recovery documentation structured to map to HIPAA and CMS requirements.

Frequently Asked Questions

What does HIPAA require for business continuity and contingency planning?
HIPAA's Security Rule at 45 CFR 164.308(a)(7) requires covered entities and business associates to implement a contingency plan with five components: a Data Backup Plan and Disaster Recovery Plan (both required), an Emergency Mode Operation Plan (required), and Testing and Revision Procedures and Applications and Data Criticality Analysis (both addressable — meaning required unless you document a reason they don't apply). Together, these form the minimum HIPAA floor for healthcare business continuity.
What is the difference between HIPAA's contingency plan requirements and CMS emergency preparedness requirements?
HIPAA (45 CFR 164.308(a)(7)) focuses specifically on protecting electronic protected health information (ePHI) — it's a data and systems continuity requirement. CMS emergency preparedness requirements at 42 CFR 482.15 are broader and apply to hospitals participating in Medicare/Medicaid; they require a facility-wide emergency operations plan, communication plan, policies and procedures, and an annual training and testing program. Many healthcare organizations must comply with both, and the requirements are complementary but not identical.
How often must healthcare organizations test their emergency and continuity plans?
CMS requires hospitals to conduct exercises to test the emergency plan at least twice per year, including at least one full-scale community-based or facility-based functional exercise annually. HIPAA's Testing and Revision Procedure (an addressable specification) requires covered entities to periodically test and revise their contingency plans. The Joint Commission sets similar expectations for accredited hospitals. Organizations that experience a real emergency are often exempt from the exercise requirement for that year.
What OCR enforcement actions have targeted contingency planning failures?
OCR has increasingly cited contingency planning gaps in enforcement actions. In January 2025, OCR reached a $337,750 settlement with USR Holdings to resolve multiple HIPAA Security Rule violations, including contingency planning deficiencies. Ransomware attacks have triggered settlements with smaller providers in the $80,000–$100,000+ range. OCR's enforcement pattern is clear: if a ransomware attack disrupts ePHI access and you lacked a tested recovery plan, you're exposed on multiple Security Rule counts simultaneously.
What makes healthcare BCP different from other industries?
The stakes. In most industries, a prolonged outage means revenue loss and customer frustration. In healthcare, it can mean delayed surgeries, medication errors, missed diagnoses, and patient harm. Healthcare BCP must account for: life-critical systems (ventilators, monitoring equipment, infusion pumps), clinical workflow continuity during EHR downtime, patient location and status tracking during evacuation, care coordination across facilities, and strict regulatory obligations under HIPAA, CMS, and The Joint Commission that don't pause during an outage.
What RTO and RPO should healthcare organizations target for EHR systems?
Industry consensus and regulatory expectations vary, but most healthcare organizations target RTOs of 4–24 hours for core EHR systems, with some critical-access hospitals and large health systems targeting sub-4-hour RTOs for their most essential clinical functions. RPOs (the maximum tolerable data loss) are typically kept under 4 hours for clinical documentation, given patient safety implications of data loss. That said, your BIA should drive your specific targets — not industry benchmarks alone. Document the clinical and operational impact of each outage duration to justify your RTO/RPO selections to regulators and auditors.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.