Fire EMS, Leadership

HIPAA Security Tip #28: Applications And Data Criticality Analysis

By Iseman Cunningham Riester & Hyde LLP

The Security Rule requires covered entities to assess the “criticality” of specific “applications and data” in support of its other contingency plan components. This is an addressable requirement under the contingency plan standard. (See Tips 8, 9 and 10 for more information on contingency plans.) Covered Entities must perform this assessment unless doing so would be inappropriate or unreasonable and the purpose of the standard cannot be met through a reasonable alternative measure.

Criticality refers simply to the importance of the application (program) or data (information) to the covered entity’s specific business functions. One result of an applications and data criticality analysis is a prioritized list of programs and information to be recovered or restored in the event of system failure.

The importance of different programs and information will vary widely from covered entity to covered entity depending on many different circumstances. In a multi-facility medical group practice, for example, the availability of scheduling information and electronic medical records may be of highest priority so that if one facility is damaged patients may be easily rescheduled and seen at other locations. In a small group or solo office that keeps health records primarily on paper, electronic billing information may be the most important information to recover, since it will provide necessary cash flow during restoration. An ambulance provider would have little immediate need for past medical records, but would have a great need for information and computer programs supporting scheduling and dispatching.

Keep in mind that “criticality” is a function of time. Electronic medical records, for example, are very important in short to mid-term timeframes. Once applicable records retention requirements have been met, however, such records quickly lose their importance. Data criticality analysis should take data aging into consideration when prioritizing recovery and restoration efforts.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.

HIPAA Security Tips Archive