Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans


Disruptions, such as natural disasters or technical malfunctions, can make electronic health records (EHRs) unavailable to hospital staff. Prior OIG work found, for example, that hospitals experienced substantial challenges responding to the effects of Superstorm Sandy, which included damage to health information systems and curtailed access to patient medical records. More recently, cyberattacks on hospitals have similarly prevented or limited access to EHRs. The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires all covered entities to have a contingency plan for responding to disruptions to electronic health information systems. Contingency plans specify processes to recover EHR systems and access backup copies of EHR data in the event of a disruption. This evaluation provides information about the status of hospitals' contingency plans in light of evolving threats to their electronic health information systems.


We sent a questionnaire to a projectable sample of 400 hospitals that received Medicare incentive payments for using a certified EHR system as of September 2014. We asked hospitals about their EHR contingency plans in relation to the following: HIPAA requirements, the practices for contingency planning recommended by two Federal agencies, and hospitals' experiences with EHR disruptions. To gain a deeper knowledge of hospital EHR contingency plans and experiences, we also conducted site visits at six hospitals, where we interviewed hospital staff and reviewed EHR contingency plans and related documents.


Almost all hospitals reported having written EHR contingency plans, and about two-thirds reported that their contingency plans addressed all four of the HIPAA requirements we reviewed: a data backup plan, a disaster recovery plan, an emergency-mode operations plan, and testing and revision procedures. Most hospitals also reported implementing recommended practices, such as maintaining backup copies of EHR data offsite, supplying paper medical record forms for use when the EHR is unavailable, and training and testing staff on contingency plans. Over half of hospitals reported an unplanned EHR disruption, and about a quarter of those experienced delays in patient care as a result. Finally, we found that OCR considers HIPAA compliance broadly and does not specifically target EHRs when reviewing a covered entity's contingency plans.


Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans. This review and cyberattacks that have occurred since 2014 underscore our previous recommendation that OCR fully implement a permanent audit program for compliance with HIPAA.