Skip to main content
MorningsideHealth & Risk

Business Protection

Business Continuity Planning for NY Healthcare Practices: HIPAA §164.308, SHIELD Act, and What a Real Plan Covers

HIPAA's Contingency Plan standard, the NY SHIELD Act, and operational realities that hit NY practices hardest, from Con Edison outages to ransomware downtime. A working BCP template for NY medical practices.

NY healthcare practice team reviewing HIPAA Contingency Plan and SHIELD Act continuity procedures

Reviewed by Akili Hinson, Managing Principal

Every New York medical practice acting as a HIPAA covered entity is required under 45 CFR 164.308(a)(7) to maintain a documented Contingency Plan with five specific administrative safeguards: data backup, disaster recovery, emergency mode operation, testing and revision, and applications and data criticality analysis. The NY SHIELD Act at General Business Law §899-bb layers on a separate reasonable-safeguards duty that includes incident response and risk assessment. Taken together, the federal and NY requirements mean that business continuity planning is not an optional operational hygiene exercise for NY practices: it is a regulatory compliance obligation under two statutes, a practical determinant of claim defensibility after a cyber or physical incident, and a line item reviewed at every cyber-insurance and malpractice-insurance renewal.

TL;DR. HIPAA §164.308(a)(7) mandates five Contingency Plan safeguards for every NY covered entity. SHIELD Act reasonable-safeguards duty compounds it. Real-world NY continuity risks cluster around Con Edison outages, severe-weather disruption, cyber/ransomware downtime, and key-person departures. Insurance coverage should map to the threat matrix: property business interruption for physical events, cyber business interruption for ransomware, contingent business interruption for supply-chain and EHR-vendor failure. See our cyber liability guide for healthcare and healthcare practice risk checklist for the renewal cadence.

What HIPAA §164.308(a)(7) actually requires

The HIPAA Security Rule's Contingency Plan standard is organized around five implementation specifications. Three are required (data backup, disaster recovery, emergency mode operation) and two are addressable (testing and revision, applications and data criticality analysis), which in HHS OCR practice means they are effectively required for any practice of meaningful size.

Data backup plan

Written procedures for creating and maintaining retrievable exact copies of electronic protected health information. The practical test is whether the practice can restore patient records after an incident with low data loss. For NY practices using a cloud-hosted EHR, the vendor typically handles primary backup; the practice retains responsibility for confirming the contract requires it and for periodic restoration testing.

Disaster recovery plan

Procedures to restore any loss of data. The disaster recovery plan defines recovery time objective (how quickly systems must be restored) and recovery point objective (how much data loss is tolerable). For a NY ambulatory practice, a defensible benchmark is a 24-hour RTO for critical clinical systems and a 24-hour RPO for patient data.

Emergency mode operation plan

Procedures to enable continuation of critical business processes for protection of electronic PHI while operating in emergency mode. In plain language: how the practice keeps seeing patients and protecting records when systems are down. This is the standard most often weakly documented in NY practice audits. Written procedures should address paper workflow, offline medication access for scheduled patients, and a designated communication path with patients and referring providers during the outage.

Testing and revision procedures

Periodic testing and revision of contingency plans. HIPAA does not specify cadence. Common practice is at least annually, with documented findings and remediation. Cyber carriers increasingly ask about testing cadence on renewal questionnaires, and a documented annual tabletop exercise satisfies both regulatory and underwriting expectations. For context on how cyber underwriting interacts with operational controls, see our cyber liability guide for healthcare.

Applications and data criticality analysis

Assessment of the relative criticality of specific applications and data in support of other contingency plan components. The practical deliverable is a ranked list of systems (EHR, billing, clinical-device management, phone, patient-communication) with each system's criticality to clinical operations and the recovery-priority sequence if multiple systems fail simultaneously.

The NY threat matrix: what actually hits practices

HIPAA provides the regulatory skeleton; the actual continuity plan has to address the threats that hit NY practices most frequently. Five threat categories account for most real-world NY continuity events.

Cyber incidents and ransomware

Healthcare is the most targeted sector for ransomware, with small and mid-size practices (10 to 50 employees) representing the majority of incidents rather than large hospital systems. Recovery time for a scoped ransomware event routinely exceeds one week; major events have run past a month. Cyber liability insurance, specifically the business-interruption coverage block, is the response line; a standard property BOP does not cover meaningful cyber downtime. For the coverage mechanics, see our cyber insurance for NY medical practices explainer and the Morningside cyber insurance service page.

Utility outages

NY urban practices face a higher frequency of Con Edison outages than practices in lower-density markets. A loss of power is also a loss of HVAC for refrigerated medications and vaccines, a loss of EHR access for any on-premises server, and often a loss of phone coverage for scheduling. Con Edison's emergency preparedness resources document typical outage durations; for NY practices with refrigerated pharmaceuticals, generator or UPS coverage is a continuity-plan line item, not an optional upgrade.

Severe weather and coastal flooding

Hurricane Sandy (2012) and subsequent severe-weather events have reshaped NY practice continuity planning. Low-lying Manhattan, Queens, Brooklyn waterfront, and Long Island practices face specific flood-zone considerations that affect both physical continuity planning and insurance (FEMA flood maps and standard property-policy exclusions). Practices in flood zones should confirm flood coverage is carried separately and that business-interruption waiting periods account for realistic access delays.

Key-person departures and succession

A departure of the lead clinician, practice manager, or lead coder creates continuity risk that property-based planning does not address. Key-person life insurance and documented cross-training workflows are the operational responses. For buy-sell and partnership-transition mechanics, see our guide on physician life-insurance-backed buy-sell arrangements.

Supply chain disruption

EHR-vendor outages, medical-device recalls, pharmaceutical shortages, and third-party coding-vendor failures each interrupt practice operations without a physical event on the practice's premises. Contingent business interruption coverage, typically endorsed to a cyber policy or a commercial property policy, is the response line. Practices using single-vendor EHR platforms or single-source clinical supplies should confirm the contingent BI endorsement names the relevant vendors.

The insurance coverage map

A defensible NY practice continuity plan maps each threat category to a response coverage. Four coverage lines carry most of the load.

Cyber liability (first-party BI + third-party regulatory)

Covers ransomware payment and negotiation (where legally permissible), forensic investigation, breach notification, regulatory defense, and business-interruption revenue loss. Standard NY small-practice limits run $1M to $5M with ransomware sublimited separately. Waiting periods of 8 to 12 hours apply before BI attaches.

Commercial property and business interruption

Covers direct physical loss to the building, furniture, equipment, and tenant improvements, plus business-interruption revenue loss while operations are suspended due to a covered physical event. Confirm the BI calculation method (gross revenue, gross profit, net income) on the declarations, and confirm the waiting period matches realistic recovery timelines.

Equipment breakdown

Covers mechanical and electrical failure of covered equipment, including refrigeration systems, HVAC, phone systems, and (in many forms) imaging and diagnostic equipment. Often bundled with a BOP at low incremental cost. For a NY practice with refrigerated pharmaceuticals, equipment breakdown is a material coverage, not an add-on.

Professional liability coordination

A malpractice policy does not cover business interruption or data breach directly, but malpractice carriers increasingly ask about continuity-plan documentation at renewal, and the claim mechanics of a cyber-adjacent malpractice incident (for example, a medication error triggered by a ransomware-locked EHR) require coordination between the cyber and malpractice carriers. For the coordination dynamic, see our healthcare liability overview and real cost of a $2M NY malpractice verdict walkthrough.

A working continuity plan template for a NY ambulatory practice

A defensible continuity plan for a typical NY ambulatory practice runs 8 to 15 pages and addresses four components. It does not need to be elaborate; it needs to be documented, current, and tested.

1. Risk assessment

Identify the specific threats most likely to affect the practice. For a Manhattan solo practice on the 14th floor of a Class B office building, the threat profile is different from a Long Island multi-location group with outpatient surgery. Tailor the assessment to actual location, patient volume, and service mix.

2. Critical-function inventory

List every function that must continue for the practice to operate safely. Typical inventory for a NY ambulatory practice: patient scheduling, prescription management, lab ordering and results review, billing and payer communication, emergency communication with patients and referring providers. For each function, document the owner, the system dependencies, and the manual fallback.

3. Recovery procedures

For each identified risk, document the activation steps. This includes the authority chain for declaring a continuity event, communication protocols for notifying staff and patients, alternate work arrangements including telehealth fallback where appropriate, data backup and restoration procedures (coordinate with the EHR vendor), and vendor-contact information for critical third parties.

4. Testing and maintenance

Annual tabletop exercise at minimum. A tabletop walks the practice through a realistic scenario (EHR ransomware lockout, 24-hour Con Edison outage, key-clinician unexpected departure) and surfaces gaps in the written plan. Document findings, assign remediation, and update the plan. The combination of annual testing plus documented remediation is what SHIELD Act and HIPAA examiners look for.

What to do now

Three concrete actions carry disproportionate continuity-readiness value for a NY medical practice.

  1. Gap-check the current written plan against §164.308(a)(7). If the practice has no written Contingency Plan, or if the plan was written more than two years ago and has not been tested, this is the starting point. Our healthcare practice risk checklist identifies the specific BCP items most often missing in NY small-practice audits.
  2. Map the insurance coverage to the threat matrix. If the BOP is being relied on for cyber BI, there is a gap. If equipment breakdown is not on the policy, refrigerated-pharmaceutical loss exposure is uncovered. If contingent BI is not endorsed, EHR-vendor and supply-chain risks are uncovered. For the cyber-specific coverage walkthrough, see our cyber liability guide for healthcare and our first-time business insurance guide for practices still building out the full coverage stack.
  3. Schedule an annual tabletop. A 90-minute tabletop exercise with the clinical lead, practice manager, IT contact, and (where relevant) the cyber-insurance carrier's risk-management consultant is the highest-ROI continuity exercise a NY practice runs in any given year. Document the findings.

For a walkthrough of the continuity-insurance coverage stack against the current declarations page, schedule a consultation with a NY broker who places both the cyber and property sides of the coverage map.

Frequently asked questions

Ready to talk?

Our team can help you find the right coverage for your situation.