Saved · this browser
Chapter 6 · §164.308(a)(6)+(7) / §164.404

If Something Goes Wrong

Every other chapter is about steady state. This one is about the day something goes wrong. The regulator expects you to have thought about it in advance, on paper. A rough plan converts a crisis into a checklist.

Why this chapter exists, in plain English

The HIPAA Administrative Safeguards pair two standards that belong together here: §164.308(a)(6) security incident procedures (how you identify, respond to, and document an incident) and §164.308(a)(7) contingency plan (backups, disaster recovery, emergency-mode operation). Underneath both sits 45 CFR 164.400–414, the breach-notification rule — the legal reason any of this matters. The 60-day clock starts on the day you discover the incident, not the day the incident itself happened.

Two things make this chapter less scary than it sounds. First, having a plan on paper is worth a surprising amount — even a rough plan converts a crisis into a checklist and gets you credit for §164.308(a)(6)(ii) response-and-reporting. Second, most of the “what if” scenarios share the same foundation: a backup you trust, a written list of who to call, and the muscle memory of documenting what happened. Build those two foundations first, then we’ll walk through the specific scenarios.

01

Foundations

2 questions
§164.308(a)(7)(ii)(A)

Do you have a data backup plan?

§164.308(a)(6)(ii)

If something went wrong right now, do you know who to call?

Backup & recovery for your insurer (optional)

Optional, and not required to finish this chapter. A backup you have actually restored from is the one you can trust. These answers pre-fill the backup-test, 3-2-1, and restoration-target rows of your Carrier-Mapped Insurance Summary — CRC Group and Chubb ask for all three.

Carriers ask this

When did you last test restoring from a backup?

Do you follow a 3-2-1 backup rule (3 copies, 2 media types, 1 off-site)?

After a serious ransomware or malware incident, how quickly could you restore?

02

Scenarios

Pick the scenarios you want to think through

Pick every one that feels like a realistic risk for your practice — or has actually happened.

03

Where you stand

Not quite there yet

Answer the foundations and walk through every scenario you’ve picked to see your chapter resolution.