Downtime Documentation and HIPAA: What You Are Required to Have in Writing

14 July 2026

AUTHORED BY: Chloe Williams

HIPAA compliance during an EHR downtime event is an area where many healthcare organizations have significant gaps, often without realizing it. The conversation about HIPAA and downtime tends to focus on the obvious risk: if patient data is exposed or breached during an outage, HIPAA breach notification obligations may be triggered. That risk is real and important, but it is only part of the compliance picture.

The broader HIPAA compliance question for downtime events is whether the organization has the written documentation, the policies, the procedures, and the audit trail that the Security Rule and the Privacy Rule require, not just in normal operations but specifically for the conditions that exist during a downtime event. Most organizations that have strong HIPAA compliance programs in normal operations have not fully thought through what happens to those compliance obligations when the EHR is offline.

What HIPAA Requires in the Context of Downtime

The HIPAA Security Rule applies to the protection of electronic protected health information (ePHI) at all times, including during system failures and downtime events. Several specific provisions of the Security Rule are directly relevant to downtime preparedness:

  • The Contingency Plan standard (45 CFR 164.308(a)(7)) requires covered entities to establish policies and procedures for responding to an emergency that damages systems containing ePHI. This includes a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an applications and data criticality analysis
  • The Emergency Mode Operation Plan required under the Contingency Plan standard specifically requires that covered entities enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode
  • The Access Control standard (45 CFR 164.312(a)(1)) requires that covered entities implement technical policies and procedures that allow only authorized persons or software programs access to ePHI, including during downtime when the normal access control mechanisms of the EHR may not be functioning
  • The Audit Control standard (45 CFR 164.312(b)) requires that covered entities implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain ePHI, which applies to any downtime system that stores or provides access to patient data

Each of these requirements has documentation implications. They are not satisfied by having the technology in place. They require written policies, written procedures, and evidence that both are implemented and tested.

What Must Be in Writing

A HIPAA-compliant downtime documentation framework must include written policies and procedures that specifically address the following:

  • How ePHI stored in the downtime system is protected from unauthorized access during an outage, including the access control mechanisms that apply to the downtime workstations and who is authorized to use them
  • How the organization ensures that only the minimum necessary patient information is accessible during a downtime event, consistent with the Privacy Rule’s minimum necessary standard
  • How the organization tracks and logs who accessed patient information through the downtime system during the outage, satisfying the Audit Control requirement
  • How ePHI collected or accessed during the downtime period is protected against unauthorized disclosure, including physical security for downtime workstations and printed materials
  • What happens to downtime data after the EHR is restored, including how it is transferred back into the EHR, how it is retained or deleted from the downtime system, and how the audit log for the downtime period is preserved
  • How the organization identifies and responds to a potential breach of ePHI that occurs during a downtime event, including the notification obligations under the HIPAA Breach Notification Rule if a ransomware attack or other security incident is the cause of the outage

These are not theoretical requirements that HHS occasionally cites in guidance documents. They are enforceable provisions of the Security Rule that OCR reviewers look for during investigations and audits, and they are areas where downtime-specific gaps are commonly found.

The Audit Trail Requirement During Downtime

One of the most practically important and most frequently overlooked HIPAA requirements in the downtime context is the audit trail. Under normal operations, the EHR maintains an audit log that records every instance of ePHI access, including who accessed it, when, and from which system. During a downtime event, that EHR audit log is not running. Whatever system is being used to access patient data during the outage needs its own audit capability.

dbtech’s Downtime Solution maintains an activity log that records access to patient data through the downtime workstations, supporting the audit trail requirement during the outage period. This log captures which workstations were accessed, when, and by whom based on the access credentials used, providing the evidence of controlled access that a HIPAA audit reviewer would expect to see. The log is preserved after the EHR is restored and is available as part of the post-outage documentation record.

Organizations that rely on paper-based downtime procedures have no equivalent audit trail capability. Printed forms and handwritten records do not capture who accessed the information, when, or in what context. In a HIPAA audit or investigation that touches a downtime period, that absence is a significant compliance gap.

Access Control During Downtime

The HIPAA Security Rule requires that access to ePHI be limited to authorized users. During a downtime event, the normal EHR access control mechanisms, including role-based access permissions, single sign-on authentication, and session timeout rules, are not running. The downtime system needs its own access control framework.

dbtech’s downtime workstations support defined user access with authentication requirements that limit access to authorized clinical and administrative staff. Access to patient data through the downtime system is not open to anyone who walks up to the workstation. This access control framework is part of the HIPAA Security Rule compliance posture of the downtime solution, and it should be documented in the organization’s contingency plan policies as the mechanism by which authorized access is maintained during an outage.

What to Include in Your HIPAA Contingency Plan Documentation

The HIPAA Contingency Plan required under the Security Rule should be a standalone documented policy that includes:

  • A written emergency mode operation plan specific to EHR outages, covering how ePHI access is controlled, how clinical operations continue, and how the audit trail is maintained during the outage
  • A written data backup plan that addresses how ePHI contained in the EHR is protected during a downtime event and how data captured during the outage is secured and eventually transferred to the EHR
  • A written testing and revision procedure that documents how the contingency plan is tested, how frequently, and how test results are used to update the plan
  • An applications and data criticality analysis that identifies which systems and data are most critical to the organization’s operations and prioritizes their protection and recovery accordingly
  • Documentation of training for workforce members on HIPAA obligations during downtime events, including how to handle ePHI appropriately when normal system controls are not functioning

To review whether your organization’s downtime documentation satisfies these HIPAA requirements and identify specific gaps, schedule a dbtech Downtime Audit Assessment or contact our team to discuss how dbtech supports HIPAA-compliant downtime preparedness.

Want to learn more? Fill out the form below and a representative will call you ASAP!