Establishing Testing and Revision Practices for HIPAA Contingency Plan

Establishing Testing and Revision Practices

Purpose

The purpose of this Establishing Testing and Revision Practices document is to assist with creating and implementing plan testing and maintenance activities. Testing determines if documented recovery strategies and associated recovery procedures can recover critical business processes within their stated recovery time objectives (RTO).  Testing validates planning assumptions and identifies the strengths and weaknesses of the plan.  Some other objectives of testing:

  • Enables plan deficiencies to be identified and addressed
  • Helps evaluate the ability of the recovery staff to implement the plan quickly and effectively
  • Identifies incorrect, outdated, or no longer valid contact names, vendor names, procedures, alternate locations, etc.

Most written plans are not maintained. Within a year or less the plan becomes useless because the staff has changed, vendors are different, and the resources required to continue business operations have evolved. By maintaining the plan on a regular basis, the business avoids the time required to create a plan from scratch and is prepared whenever a disaster strikes. Some objectives of maintenance:

  • Constant “living” plan, meaning the data is accurate and up-to-date
  • Create awareness among staff by having them update their personal information
  • Avoid having to go through the entire Planning Process (BIA, RA, etc.) because plans are so old and out of date that the information can’t be updated

So much time and effort go into developing recovery plans that if proper testing and maintenance aren’t completed, the plan is of little value or, in some cases, worse than no plan at all. This document introduces a variety of methods for testing and maintaining your plans, procedures, and strategies.

Table of Contents for Establishing Testing and Revision Practices Template

INTRODUCTION

Purpose
Compliance

TESTING PROCESS

Establish Testing Process
Determine Testing Requirements
Types of Tests
Test Objectives & Scope
Test Measurement Criteria
Develop Realistic Scenarios
Create a Testing Schedule
Prepare Test Plan
Post-Test Reporting & Feedback

TEST PARTICIPANT ROLES & RESPONSIBILITIES

Test Controllers
Test Project Manager
Test Facilitator
Test Observer (Evaluator)
Test Recorder (Scribe)
Test Participants

MAINTENANCE OF PLANS

Define Plan Owner and Maintenance Schedule
Formulate Change Control Process
Audit Objectives
Responsibility
Objectives of Auditing
Audit Criteria
Audit Evaluation
Audit Schedule

APPENDIX ITEMS

Appendix A – Business Unit Test Plan
Appendix B – Technology Test Plan
Appendix C – Example of Test Schedule
Appendix D – Audit Checklist
Appendix E – Audit Notification Memo
Appendix F – Final Audit Report
Appendix G – Test Notification Memo
Appendix H – Types Of Tests

To view a specific section of this document, please contact us at Bob@training-hipaa.net or call us at (515) 865-4591.
