Description: 

164.308(a)(7)(ii)(C) - Contingency Plan — Emergency Mode Operation Plan - Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.


Audit

The customer is responsible for determining how AWS will be used while the customer is operating in emergency mode. As one illustrative example, the customer should determine whether it expects to have access to networks that can reach AWS when operating in emergency mode; if not, the emergency mode operation plan must cover how critical business processes that depend on ePHI held in AWS will continue without that access.


Rationale: 

In this architecture, EC2 instances run in an Auto Scaling group whose subnets span multiple AWS Availability Zones (AZs), the RDS database is deployed Multi-AZ with a synchronously replicated standby in a second AZ, and Amazon S3 stores objects redundantly across multiple AZs within the region. Together these provide a built-in, live alternate storage and processing capability: if an AZ becomes unavailable, RDS fails over to its standby and Auto Scaling replaces instances in the remaining AZs, so critical business processes the customer runs in this environment can continue without a manual recovery step. The same security groups, access policies and encryption settings govern the resources in every AZ, so a failover does not weaken the safeguards protecting ePHI. Note that this covers the loss of a single Availability Zone within a region; it does not by itself address a region-wide outage or the loss of the customer's own network access to AWS, both of which the customer must plan for under the Audit item above.
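The rationale above rests on three properties that are easy to lose through later configuration drift: the RDS instance must actually be Multi-AZ, its subnet group must cover at least two AZs, and the Auto Scaling group must be allowed to run in more than one AZ. The following check is an added example, not part of the original mapping document or of the Quick Start templates; it evaluates those properties offline. The sample responses are constructed by hand to mirror the shape of boto3's `describe_db_instances()` and `describe_auto_scaling_groups()` output (an assumption about field names, not data from any real account), and in practice you would pass the live API responses instead.

```python
# Added example (not from the original mapping document): an offline check
# that a deployment has the multi-AZ properties the rationale relies on.
# The sample responses below are constructed to mirror the shape of boto3's
# rds.describe_db_instances() and autoscaling.describe_auto_scaling_groups()
# output (assumed field names); pass the real responses in practice.

MIN_AZS = 2  # losing one AZ must leave at least one AZ still serving


def db_instance_findings(db):
    """Findings for one element of DBInstances; an empty list means OK."""
    name = db.get("DBInstanceIdentifier", "<unknown>")
    findings = []
    if not db.get("MultiAZ", False):
        findings.append(f"{name}: MultiAZ disabled, no standby to fail over to")
    subnets = db.get("DBSubnetGroup", {}).get("Subnets", [])
    azs = {s["SubnetAvailabilityZone"]["Name"] for s in subnets}
    if len(azs) < MIN_AZS:
        findings.append(f"{name}: DB subnet group covers {len(azs)} AZ(s), need {MIN_AZS}")
    return findings


def asg_findings(asg):
    """Findings for one element of AutoScalingGroups; an empty list means OK."""
    name = asg.get("AutoScalingGroupName", "<unknown>")
    findings = []
    azs = set(asg.get("AvailabilityZones", []))
    if len(azs) < MIN_AZS:
        findings.append(f"{name}: Auto Scaling group spans {len(azs)} AZ(s), need {MIN_AZS}")
    # With MinSize below the AZ count, an AZ loss can leave the tier with no
    # running instance until Auto Scaling launches a replacement elsewhere.
    min_size = asg.get("MinSize", 0)
    if min_size < len(azs):
        findings.append(f"{name}: MinSize {min_size} is below the AZ count {len(azs)}")
    return findings


def evaluate(rds_response, asg_response):
    """Return all findings for the RDS and Auto Scaling responses combined."""
    findings = []
    for db in rds_response.get("DBInstances", []):
        findings.extend(db_instance_findings(db))
    for asg in asg_response.get("AutoScalingGroups", []):
        findings.extend(asg_findings(asg))
    return findings


# Constructed sample data: one deployment matching the rationale, one that does not.
COMPLIANT_RDS = {"DBInstances": [{
    "DBInstanceIdentifier": "ephi-db",
    "MultiAZ": True,
    "DBSubnetGroup": {"Subnets": [
        {"SubnetIdentifier": "subnet-a", "SubnetAvailabilityZone": {"Name": "us-east-1a"}},
        {"SubnetIdentifier": "subnet-b", "SubnetAvailabilityZone": {"Name": "us-east-1b"}},
    ]},
}]}
COMPLIANT_ASG = {"AutoScalingGroups": [{
    "AutoScalingGroupName": "ephi-app",
    "AvailabilityZones": ["us-east-1a", "us-east-1b"],
    "MinSize": 2,
}]}

SINGLE_AZ_RDS = {"DBInstances": [{
    "DBInstanceIdentifier": "ephi-db",
    "MultiAZ": False,
    "DBSubnetGroup": {"Subnets": [
        {"SubnetIdentifier": "subnet-a", "SubnetAvailabilityZone": {"Name": "us-east-1a"}},
    ]},
}]}
SINGLE_AZ_ASG = {"AutoScalingGroups": [{
    "AutoScalingGroupName": "ephi-app",
    "AvailabilityZones": ["us-east-1a"],
    "MinSize": 1,
}]}

if __name__ == "__main__":
    for label, rds, asg in (("compliant", COMPLIANT_RDS, COMPLIANT_ASG),
                            ("single-AZ", SINGLE_AZ_RDS, SINGLE_AZ_ASG)):
        print(label, evaluate(rds, asg) or "OK")
```

Running this against the live responses on a schedule (or as a custom AWS Config rule) turns the rationale's claim into something that is re-verified after every change; the single-AZ sample above yields three findings, each naming the resource that no longer matches the architecture described.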


Impact of Resource Type(s):
AWS::EC2::AvailabilityZone

AWS::AutoScaling::AutoScalingGroup

AWS::RDS::DBSubnetGroup

AWS::RDS::DBInstance

AWS::S3::Bucket

AWS::EC2::Subnet


References: 

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf