Business Continuity Planning for Healthcare Organizations
March 19, 2026 · 10 min read

On February 21, 2024, a single ransomware attack on Change Healthcare brought billing, claims processing, and prescription services to a halt for tens of thousands of medical practices across the country. Within days, 94% of U.S. hospitals reported financial impact, with more than half calling the disruption significant or serious. For independent practices, the damage was even more acute: 80% reported lost revenue, 31% couldn’t make payroll, and 55% dipped into personal funds to keep the lights on. All because one clearinghouse had no meaningful business continuity plan.
Business continuity planning is not a large-hospital luxury. It is a HIPAA requirement for every covered entity—solo practices included. And the cost of getting it wrong, as Change Healthcare demonstrated, extends far beyond regulatory fines.
What Does HIPAA Actually Require for Business Continuity?
The HIPAA Security Rule’s Administrative Safeguards contain a specific standard that most small practices underestimate: the Contingency Plan requirement at §164.308(a)(7). This standard mandates that every covered entity establish policies and procedures for responding to emergencies or other occurrences—including cyberattacks, fires, floods, and hardware failures—that damage systems containing electronic protected health information (ePHI).
The standard is not vague. It breaks down into five implementation specifications:
- Data Backup Plan (Required) – §164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain retrievable, exact copies of ePHI. The regulation does not specify backup frequency, but most compliance frameworks recommend daily incremental backups with weekly full backups, stored separately from production systems.
- Disaster Recovery Plan (Required) – §164.308(a)(7)(ii)(B): Document procedures to restore any loss of data. This is distinct from your backup plan—it defines the steps to actually execute a recovery, including who does what, in what order, and with what tools.
- Emergency Mode Operation Plan (Required) – §164.308(a)(7)(ii)(C): Establish procedures to keep critical business processes running while operating in emergency mode. For a medical practice, this typically means paper-based downtime procedures for patient intake, medication orders, and care documentation.
- Testing and Revision Procedures (Addressable) – §164.308(a)(7)(ii)(D): Implement procedures for periodic testing and revision of contingency plans. Addressable does not mean optional—it means you must either implement it or document a justified alternative.
- Applications and Data Criticality Analysis (Addressable) – §164.308(a)(7)(ii)(E): Assess and prioritize data and applications based on their criticality to patient care so you can sequence your recovery appropriately.
The proposed 2025 HIPAA Security Rule update—expected to be finalized in May 2026—goes further. It would require full system restoration within 72 hours, make all previously addressable specifications mandatory, and require business associates to notify covered entities within 24 hours of activating their own contingency plans. If your EHR vendor or clearinghouse goes down, you could be on the clock for a notification before you’ve even assessed the scope.
How Much Does Healthcare Downtime Actually Cost?
The financial case for business continuity planning is stark. According to healthcare IT research, the average cost of downtime in healthcare is $7,900 per minute, with direct revenue loss averaging $208,600 per incident and lost end-user productivity adding another $138,200. For small and mid-sized practices operating on thin margins, even a few hours offline can be catastrophic.
Ransomware is the primary driver. In 2024, there were 181 confirmed ransomware attacks on U.S. healthcare providers. The average ransom demanded was $5.7 million, and the average ransom paid was $900,000—while total ransomware-related downtime costs for the healthcare industry exceeded $21.9 billion between 2018 and 2024, averaging $1.9 million per day across affected organizations. The 2025 Ponemon/Sullivan Research study found that 55% of healthcare respondents consider their organizations vulnerable or highly vulnerable to a ransomware attack, and among those who experienced one, 67% reported it negatively impacted patient care.
The human cost is just as real. A University of Minnesota study found that patient mortality rates increase 20% during ransomware attacks, with the most severe attacks causing 36–55% higher mortality among patients already admitted. For your practice, business continuity is not just about keeping revenue flowing—it is about not putting patients at risk when your systems fail.
What Happened at Change Healthcare—and What It Means for Your Practice?
The Change Healthcare breach is the definitive case study for healthcare business continuity planning. In February 2024, attackers from the ALPHV/BlackCat ransomware group used a single stolen credential—lacking multi-factor authentication—to access a Citrix portal. They spent nine days inside the network before deploying ransomware on February 21, 2024, exfiltrating approximately 4 TB of data in the process.
The cascading effects were unprecedented. Change Healthcare processes 15 billion healthcare transactions annually. When its systems went offline, practices nationwide lost the ability to submit claims, verify patient eligibility, process electronic payments, and e-prescribe medications. By some estimates, the outage caused $100 million per day in deferred patient care revenue for the more than three weeks it took to restore systems. The final breach count reached 190 million individuals—the largest healthcare data breach in U.S. history—and UnitedHealth Group’s total costs from the incident exceeded $2.9 billion.
The lesson for independent practices is not simply to use MFA (though you absolutely should). It is that your business continuity depends on your vendors’ business continuity. Your clearinghouse, your EHR vendor, your billing service—all of them are part of your operational continuity chain. HIPAA’s proposed updates directly address this: business associates would be required to notify covered entities within 24 hours of plan activation, and your Business Associate Agreements should include contractual SLAs for recovery timelines. If they do not, you have no leverage when a vendor’s outage takes your practice down for weeks.
What Should a Healthcare Business Continuity Plan Include?
A HIPAA-compliant business continuity plan for a medical practice is more than a backup schedule. It is a living document that addresses every scenario in which your ability to deliver care and protect ePHI could be disrupted. Here is what it must cover:
- ePHI Asset Inventory and Criticality Analysis: List every system, application, and device that stores or transmits patient data. Rank them by clinical and operational criticality. Your EHR and e-prescribing system are Tier 1. Your billing system is Tier 2. Your internal HR portal is Tier 3. Recovery sequencing follows that priority.
- Defined RTOs and RPOs: A Recovery Time Objective (RTO) defines how long you can survive without a system before patient safety or operations are critically impaired. A Recovery Point Objective (RPO) defines the maximum acceptable data loss, expressed as the age of the most recent copy you can actually restore. For most EHR systems, an RTO of 4–8 hours is appropriate; your emergency department or urgent care cannot tolerate 24 hours. Define these metrics for each critical system—and then test whether your backup infrastructure can actually meet them.
- Tested, Offline Backups: Backups connected to your network are not backups—they are ransomware targets. Compliance frameworks recommend the 3-2-1-1-0 rule: three copies of data, on two different media, with one offsite, one offline (air-gapped), and zero unverified backups. Test restores must happen on a schedule: daily automated verification, weekly spot restores, monthly targeted restores, and quarterly full-restore rehearsals.
- Downtime Procedures: Document paper-based workflows for every critical clinical function—patient check-in, medication orders, lab results, care notes. These procedures should be stored offline and accessible from every care location. Staff should practice them at least annually. When Change Healthcare went dark, practices that had tested manual workflows recovered faster than those improvising in the moment.
- Vendor Contingency Requirements: Review every Business Associate Agreement for SLAs covering incident notification, recovery timelines, and your right to audit. Request your vendors’ disaster recovery documentation. If your EHR vendor cannot provide a recovery time commitment, that is a gap in your HIPAA compliance program—and your operational resilience.
- Tabletop Exercises: The proposed HIPAA updates encourage regular tabletop exercises to validate incident response readiness. Run a ransomware scenario at least annually. Walk your team through: who gets called first, how you notify patients, how you shift to paper workflows, and when you engage law enforcement or outside counsel. Tested plans reduce breach costs significantly—organizations with practiced incident response plans identify and contain breaches faster and at lower cost.
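The first three items above (criticality tiers, per-system RTO/RPO, and the 3-2-1-1-0 backup rule) can be turned into a repeatable check rather than a binder entry. The script below is an added example written for this article; it is not the article's or NorthStar's code. The system names, tier assignments, RTO/RPO values and backup-catalog records are constructed sample data, and the "measured restore time" is assumed to come from your last full-restore rehearsal. It reports, per system, every way the current backup set fails the 3-2-1-1-0 rule, whether the newest verified copy is inside the RPO, whether the last rehearsal met the RTO, and the order in which systems should be restored.

```python
"""Backup-readiness check: 3-2-1-1-0 rule, RTO/RPO per system, tiered restore order.
Added illustrative code with constructed sample data; not the article's own tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class SystemProfile:
    """One ePHI system from the criticality analysis (values are hypothetical)."""
    name: str
    tier: int                       # 1 = direct patient care ... 3 = back office
    rto: timedelta                  # Recovery Time Objective
    rpo: timedelta                  # Recovery Point Objective
    measured_restore: Optional[timedelta] = None  # wall-clock time of last full-restore rehearsal


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a system's backup as it would appear in a backup catalog."""
    system: str
    medium: str        # "disk", "tape", "object-storage", ...
    offsite: bool      # held at a different physical location
    offline: bool      # air-gapped or immutable: unreachable from the production network
    taken_at: datetime
    verified: bool     # a test restore from this copy has succeeded


def _hours(td: timedelta) -> str:
    return f"{td.total_seconds() / 3600:.1f}h"


def check_3_2_1_1_0(copies: list[BackupCopy]) -> list[str]:
    """Violations of: 3 copies, 2 media, 1 offsite, 1 offline, 0 unverified."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1-1-0: only {len(copies)} copies (need 3)")
    if len({c.medium for c in copies}) < 2:
        findings.append("3-2-1-1-0: all copies on one medium (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1-1-0: no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("3-2-1-1-0: no offline (air-gapped) copy")
    unverified = sum(1 for c in copies if not c.verified)
    if unverified:
        findings.append(f"3-2-1-1-0: unverified copies: {unverified} (need 0)")
    return findings


def check_rpo(profile: SystemProfile, copies: list[BackupCopy], now: datetime) -> list[str]:
    """Only verified copies count toward the RPO; an untested copy is a hope, not a backup."""
    verified = [c for c in copies if c.verified]
    if not verified:
        return ["RPO: no verified copy exists"]
    age = now - max(c.taken_at for c in verified)
    if age > profile.rpo:
        return [f"RPO missed: newest verified copy is {_hours(age)} old, objective {_hours(profile.rpo)}"]
    return []


def check_rto(profile: SystemProfile) -> list[str]:
    """An RTO that has never been rehearsed is a guess, so it is flagged too."""
    if profile.measured_restore is None:
        return ["RTO unproven: no full-restore rehearsal on record"]
    if profile.measured_restore > profile.rto:
        return [f"RTO missed: last rehearsal took {_hours(profile.measured_restore)}, objective {_hours(profile.rto)}"]
    return []


def recovery_sequence(profiles: list[SystemProfile]) -> list[str]:
    """Restore order: lowest tier number first, then the tightest RTO."""
    return [p.name for p in sorted(profiles, key=lambda p: (p.tier, p.rto))]


def assess(profiles: list[SystemProfile], copies: list[BackupCopy], now: datetime) -> dict[str, list[str]]:
    """Per-system findings; an empty list means the system passes every check."""
    report = {}
    for p in profiles:
        mine = [c for c in copies if c.system == p.name]
        report[p.name] = check_3_2_1_1_0(mine) + check_rpo(p, mine, now) + check_rto(p)
    return report


# --- constructed sample data (hypothetical practice, hypothetical catalog) ---
H = timedelta(hours=1)
NOW = datetime(2026, 3, 19, 8, 0, tzinfo=timezone.utc)
SYSTEMS = [
    SystemProfile("EHR",           tier=1, rto=4 * H,  rpo=1 * H,  measured_restore=6 * H),
    SystemProfile("e-prescribing", tier=1, rto=4 * H,  rpo=1 * H,  measured_restore=2 * H),
    SystemProfile("billing",       tier=2, rto=24 * H, rpo=24 * H),
    SystemProfile("hr-portal",     tier=3, rto=72 * H, rpo=72 * H, measured_restore=10 * H),
]
COPIES = [
    BackupCopy("EHR", "disk", False, False, NOW - timedelta(minutes=30), True),
    BackupCopy("EHR", "object-storage", True, False, NOW - timedelta(minutes=30), True),
    BackupCopy("EHR", "tape", True, True, NOW - 20 * H, True),
    BackupCopy("e-prescribing", "disk", False, False, NOW - timedelta(minutes=15), True),
    BackupCopy("e-prescribing", "object-storage", True, False, NOW - timedelta(minutes=15), False),
    BackupCopy("billing", "disk", False, False, NOW - 2 * H, True),
    BackupCopy("billing", "object-storage", True, False, NOW - 2 * H, True),
    BackupCopy("billing", "tape", True, True, NOW - 20 * H, True),
    BackupCopy("hr-portal", "disk", False, False, NOW - 120 * H, True),
    BackupCopy("hr-portal", "object-storage", True, False, NOW - 120 * H, True),
    BackupCopy("hr-portal", "tape", True, True, NOW - 120 * H, True),
]

if __name__ == "__main__":
    for name, findings in assess(SYSTEMS, COPIES, NOW).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("restore order:", " -> ".join(recovery_sequence(SYSTEMS)))
```

Run as-is, the constructed data shows one distinct gap per system: the EHR's last rehearsal took six hours against a four-hour RTO, e-prescribing has only two copies, none offline, and one never test-restored, billing's RTO has never been rehearsed at all, and the HR portal's newest verified copy is five days old against a 72-hour RPO. Feeding the same functions your real backup catalog and rehearsal log turns the quarterly plan review into something you can re-run after every change to the environment.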
How Does HIPAA Enforce Business Continuity Requirements?
HHS OCR has not been shy about enforcing §164.308(a)(7). To date, OCR has settled or imposed civil money penalties in 152 HIPAA enforcement cases totaling over $144.8 million. Private practices and physician offices are among the most common targets, second only to general hospitals.
The enforcement pattern is consistent: a breach occurs, OCR investigates, and investigators find that the organization either had no contingency plan, had an outdated one that was never tested, or had a plan that did not actually reflect how their systems worked. The settlements that follow almost always include a Corrective Action Plan (CAP) requiring the organization to build and test a proper contingency plan—alongside a monetary penalty.
The HITECH Act also creates a meaningful incentive to get ahead of this: organizations that can demonstrate at least 12 months of compliance with recognized security practices—such as HHS’s Health Industry Cybersecurity Practices (HICP) under the 405(d) program—may receive reduced penalties and shorter audit periods in the event of a breach. For a small practice, this is one of the most cost-effective compliance investments available.
For a broader view of what HIPAA compliance requires at the organizational level, see our article on what HIPAA IT compliance actually requires from healthcare organizations.
What Are the Most Common Business Continuity Failures in Medical Practices?
After working with dozens of healthcare organizations, we see the same gaps repeatedly:
- Backups that have never been tested: A backup that has never been restored is not a backup—it is a hope. Automated backup jobs fail silently all the time. The only way to know your backup works is to restore from it.
- No offline or air-gapped copy: Cloud backups synchronized in real time are encrypted by ransomware right alongside production data. You need at least one copy that ransomware cannot reach.
- Contingency plans that exist on paper but not in practice: Staff have never seen the downtime procedure binders. The binders are locked in the IT closet. No one knows the manual intake process. When the system goes down, everything improvised creates new HIPAA risk.
- No vendor SLAs in BAAs: Most Business Associate Agreements are boilerplate legal language with no operational commitments. Your vendors may have no contractual obligation to notify you within 24 hours of an incident—let alone restore services within 72.
- Criticality analysis was never done: Without a formal criticality analysis, practices treat every system as equally important—and then discover during recovery that they have been restoring the wrong things first.
To understand how risk assessments fit into the broader HIPAA picture, read our guide on how often a medical practice should perform a HIPAA risk assessment.
What Should Healthcare Organizations Do Next?
Business continuity planning is not a one-time project. It is an ongoing program that evolves with your technology environment, your vendors, and the threat landscape. Start with the basics: conduct a data criticality analysis, define your RTOs and RPOs, verify your backups include an offline copy, and document your downtime procedures. Then test everything. A tabletop exercise run annually is worth more than a binder that has never been opened.
The proposed HIPAA Security Rule updates—expected to take effect in late 2026—will make many of these controls mandatory for the first time. Organizations that build their programs now will be ahead of enforcement, ahead of the next ransomware wave, and in a demonstrably better position if OCR ever comes calling.
At NorthStar Technology Group, we work exclusively with healthcare organizations to design, implement, and test HIPAA-compliant business continuity programs—from EHR backup architecture to downtime procedure documentation and vendor BAA reviews. If your practice has not formally tested its contingency plan in the past year, now is the time to act. Learn more about our Healthcare IT & Cybersecurity Services or visit northstartechnologygroup.com to schedule a consultation.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.