The virtual world offers opportunities and obligations not found in nature.

For a couple of years, my wife has followed the adventures of a bonded eagle couple, Liberty and Freedom, residing in the hills near Hanover, Pennsylvania. A strategically positioned webcam offers a round-the-clock view of nesting activities. Last year the pair hatched two eggs and cared for the eaglets until they fledged.

This year, it appears as if calamity struck. Liberty has disappeared, and a new female, Lucy, has taken her place in the nest, destroying one of the eggs. Although the other egg remains in the nest, it is widely believed that the disturbance has rendered it unviable and that it will not hatch. It is possible that Lucy fought with the older Liberty and killed her. The body has not been found. It is also possible that Freedom and Lucy will now bond, but most viewers do not expect them to produce eggs this year.

In the virtual world, health care providers, health plans, health care clearinghouses, and their business associates have a responsibility to protect the treasured asset of individually identifiable information from predators and other dangers. But unlike eggs, which cannot be recovered if stolen or damaged, data is retrievable.

In a recent comment under HIPAA’s privacy and security rules, the Department of Health and Human Services highlighted the importance of contingency planning. Contingency planning includes making appropriate arrangements to:

  • Back up data on a consistent and timely basis
  • Promptly recover data and resume regular operations
  • Continue critical functions while the recovery of data is in process

HIPAA covered entities and business associates need to analyze risks and identify the data and functions most critical to their operations. They need to prepare policies and implement measures to back up and retrieve data that will allow them to operate in the event that data is lost, stolen, or inappropriately altered. And they need to test systems to make sure they are ready if a security incident occurs.

Under HIPAA, it is not enough to build a safe nest. There must be a plan in place in case disaster strikes.