Why ABC HIPAA Exists

The Problem We Saw Firsthand

ABC HIPAA emerged from direct experience working with health care organizations across multiple disconnected health systems. The pattern was consistent and troubling: IT resources at organization after organization were stuck in the same place. They knew they needed disaster recovery plans. They knew HIPAA required contingency planning. But when it came to "what do we actually do" and "where do we start," the available guidance left them stranded.

The information existed. There was no shortage of frameworks, standards, templates, and compliance checklists. And yet the IT professionals responsible for keeping these systems running - often a single person managing an entire hospital infrastructure - were paralyzed by the gap between what the guidance said to do and what was actually achievable with their resources.

We also saw something that should be impossible: organizations that claimed to conduct annual disaster recovery tabletop exercises without ever asking their long-standing IT staff for a single piece of information about the actual environment. No questions about system configurations, no review of backup strategies, no discussion of dependencies or recovery procedures. The exercises existed on paper. The capability did not exist at all. These were not bad-faith organizations - they were doing what the traditional approach told them to do, and the traditional approach allowed the people who actually run the systems to be left entirely out of the process.

That is compliance theater, and it puts communities at risk.

Discovering Adaptive Business Continuity

After being introduced to the core concepts behind Adaptive Business Continuity (ABC) methodology by David Lindstedt and Mark Armour, the reaction was immediate: this is how disaster recovery planning should work. The emphasis on practical capability over documentation volume, on continuous improvement over annual checkbox exercises, on preparing for effects rather than exhaustively cataloging causes - it addressed everything wrong with the traditional approach.

We were sold. Until it came time to implement.

That is when we discovered the fundamental tension: HIPAA requires things that pure ABC methodology explicitly tells you to omit. Risk analysis is not optional in health care - it is federal law. Contingency planning documentation is not bureaucratic overhead - it is a regulatory mandate protecting patient data. These are reasonable requirements for an industry handling the most sensitive information in existence.

The very thing pure ABC tells you to skip, HIPAA rightly tells you that you must do. How could health care benefit from this more efficient and realistic mindset without abandoning regulatory obligations?

ABC HIPAA is the answer to that question. The framework synthesizes ABC methodology with HIPAA regulatory requirements, applying adaptive principles to HOW organizations fulfill their regulatory obligations rather than WHETHER they fulfill them. It is not a shortcut around HIPAA. It is a practical path through it.

Our Contribution

This is our contribution to health care in the United States. We hope it is helpful to even a single organization out there struggling with the same gap we watched others fall into.

The methodology is designed for the realities of US health care - particularly the resource constraints, staffing realities, and geographic isolation facing rural and critical access hospitals. But the framework scales. Any US health care organization committed to building actual disaster recovery capabilities while satisfying HIPAA requirements can apply ABC HIPAA.

Authors and Contributors

Based on Adaptive Business Continuity methodology by David Lindstedt, Ph.D. and Mark Armour. ABC HIPAA is independently authored and is not affiliated with, endorsed by, or officially representing the Adaptive Business Continuity project.

Framework Status

Open Methodology, Managed Brand