Contingency Plan
164.308(a)(6)
Administrative Safeguards
Critical Risk
Complex
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.
Implementation Guidance
Develop and implement comprehensive contingency planning including:
• Data backup plan with regular backups and testing
• Disaster recovery plan with recovery time objectives
• Emergency mode operation plan for critical functions
• Testing and revision procedures for all plans
• Applications and data criticality analysis
• Emergency access procedures
• Communication plans for emergencies
Key components:
- Data backup and recovery procedures
- Disaster recovery planning
- Emergency mode operations
- Business continuity planning
- Regular testing and updating of plans
- Critical system identification
NIST References
NIST SP 800-66 Rev. 2: Section 3.1.6
NIST Cybersecurity Framework: RS.RP-1, RS.RP-2, RS.RP-3, RS.IM-1, RS.IM-2
NIST SP 800-53: CP-1, CP-2, CP-3, CP-4, CP-5, CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-12, CP-13
Best Practices
• Develop comprehensive contingency planning
• Implement regular data backup procedures
• Create detailed disaster recovery plans
• Establish emergency mode operations
• Test and update plans regularly
• Document all critical systems and applications
• Establish clear communication procedures
• Coordinate with external service providers
Testing Procedures
• Review contingency plan documentation
• Test data backup and recovery procedures
• Verify disaster recovery capabilities
• Test emergency mode operations
• Review testing and revision procedures
• Verify critical system documentation
• Test emergency communication procedures
• Conduct tabletop exercises
Frequently Asked Questions
Q: How often should contingency plans be tested?
A: Contingency plans should be tested at least annually, with more frequent testing for critical systems.
Q: What should be included in a data backup plan?
A: A data backup plan should specify which data to back up, how often to back it up, where backups are stored, and how the data is restored.
Q: What is emergency mode operation?
A: Emergency mode operation is the ability to continue critical business functions during an emergency or disaster.
Control Information
Control ID: 164.308(a)(6)
Category: Administrative Safeguards
Subcategory: Security Management Process
Risk Level: Critical
Implementation Difficulty: Complex
Estimated Cost: High
Implementation Timeframe: 3-6 months
Last Updated: Oct 1, 2025
Additional Resources
• NIST SP 800-66 Rev. 2: Contingency Plan Guidance
• HHS Contingency Plan Guidance
• Business Continuity Planning Guide
• Disaster Recovery Best Practices
• Emergency Response Procedures Template