Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) make provisions for employees and their families to keep their health insurance when they change or lose their jobs. HIPAA also established national standards for security and privacy of electronic transmission of health care data.

HIPAA and DR Planning

HIPAA's security rule states that each organization must determine its own risk in the event of an emergency (that would result in loss of operations). However, there are three things that companies must be able to substantiate in regards to DR planning:

● There has been a formal analysis of risk to data (physical and virtual access).
● A DR plan exists that covers backup, storage and recovery.
● The DR plan adequately addresses the risks outline in the analysis.

FDA Title 21 Part 11

The U.S. Food and Drug Administration (FDA) is a public health agency that protects American consumers by enforcing laws that regulate the manufacture, storage, import and sale of food and medicine for humans and animals, as well as medical devices and cosmetics. CFR Title 21 Part 11 Electronic Records; Electronic Signatures (Part 11) is the rule regarding how all companies regulated by the FDA must maintain electronic records4 in order to remain compliant with Good Clinical, Laboratory and Manufacturing practices (GxP). Though finance and planning are excluded from Part 11, all other functional areas of FDA-regulated companies that involve GxP must comply or face legal sanctions and even criminal charges.

Title 21 Part 11 and DR Planning Part 11 has two basic requirements: that companies are able to generate accurate and complete copies of records for inspection and review during an audit, and that those records are protected so that they are readily retrievable throughout the required retention period. Data availability and protection at this level require a good business continuity plan that takes into consideration high availability, or "failover", and disaster recovery. The FDA realizes the potential impact of interruptions to critical business applications and therefore requires that electronic GxP applications must be always available – or at least quickly recoverable. For example, if a Windows based application involved in the supply chain for a critical drug fails – interrupting the national supply of the drug – millions of lives are at risk. Another goal of continuous business operation is disaster recovery – the ability to restore critical data and operations, to new hardware at the original site or at a different physical site, after a disaster.