Adaptive Business Continuity for US Health Care Organizations

Note for readers: This framework uses ITIL (Information Technology Infrastructure Library) terminology as the standard for IT service management. ITIL provides common language for health care organizations to communicate about technology components and dependencies. Technical terms are explained throughout for clinical staff, administrators, and executives.

The Problem

US health care organizations are trapped between regulatory requirements and operational reality. HIPAA Security Rule requires risk analysis and contingency planning, including disaster recovery and emergency mode operation procedures. Traditional business continuity (BC) approaches respond with massive documentation projects that are costly and can consume months or even years of time, if ever being completed at all, while providing no actual protection.

Many health care organizations know WHAT they need to do for HIPAA compliance - but they are lost on HOW to do it practically.

Rural hospitals understand they need disaster recovery plans, but how can a 1 or 2 person IT team create actionable procedures while also taking calls about printers and resetting passwords? Large health systems know they need risk assessments, but how do you avoid six-month documentation projects that produce shelf-ware? These organizations all recognize they need disaster recovery capabilities, but how do you build real protection within limited budgets?

This creates a dangerous gap: compliance theater that satisfies auditors while leaving real systems vulnerable.

Rural health care organizations face these challenges with particular intensity - IT teams of 1-3 people managing entire hospital infrastructures, limited budgets competing with patient care needs, and geographic isolation from vendor support. But the problem affects all US health care: when compliance becomes documentation instead of capability, patients and operations remain at risk.

Traditional BC methodology demands completion of extensive, and largely hypothetical, risk assessments and business impact analyses before any protective work can begin. In 2017, David Lindstedt and Mark Armour published Adaptive Business Continuity (ABC) - a methodology that challenged everything traditional BC got wrong. ABC replaced massive documentation projects with concise reference materials intended to support trained responders. It shifted organizations away from pass/fail plan validation and toward continuous capability improvement. It emphasized practical recovery planning benchmarks over rigid target-setting detached from operational reality. And it said what practitioners had been thinking for years: drop the traditional risk assessment and business impact analysis entirely. Stop producing shelf-ware. Start building actual recovery capabilities.

For most industries, ABC is the answer. For US health care, it is an answer you cannot fully use - and for good reason.

This is health care, not a donut shop. HIPAA Security Rule requires risk analysis because patient data demands it. It requires contingency planning because lives depend on system availability. These are not bureaucratic overreach - they are reasonable expectations for an industry handling the most sensitive data in existence. Health care organizations cannot simply choose to skip risk assessment; it is federal law, as it should be.

The problem is not that HIPAA requires these things. The problem is that neither available methodology can satisfy those legitimate requirements practically. The very thing pure ABC tells you to omit, HIPAA rightly tells you that you must do. And the traditional approach that does satisfy the requirements buries organizations in documentation that provides little to no actual protection during real incidents.

The problem is accelerating. HIPAA requirements are under active regulatory pressure to become stricter and more numerous - for both covered entities and business associates. HHS has proposed changes that would make the Security Rule significantly more prescriptive, and specifications previously classified as addressable - meaning organizations could implement alternatives with documented rationale, though some simply treated them as optional - are proposed to become explicitly required. Whether or not every proposed change becomes final, the regulatory direction is clear. Organizations that build capabilities ahead of these changes will be positioned; those waiting to react will be scrambling. The total compliance burden is growing, and it competes for the same limited staff time and/or budget that disaster recovery planning needs. A methodology that advances multiple compliance requirements simultaneously through a single effort - which CI (Configuration Item) mapping does - is simply a wise approach to an overwhelming problem.

And the traditional approach allows something that should be impossible: producing a "compliant" disaster recovery plan without ever involving the people who would actually execute it. Organizations have produced disaster recovery plans without asking IT a single question about how systems are configured, connected, or recoverable. Others dump disaster recovery planning entirely on IT without any clinical or operational involvement. Both failure modes produce documentation that cannot support actual recovery - which is the clearest evidence that the traditional approach values the document over the capability.

The Solution: ABC HIPAA Framework

ABC HIPAA synthesizes Adaptive Business Continuity methodology with HIPAA regulatory requirements using the "neo-compliance" approach: fulfill HIPAA requirements efficiently through practical implementation, not bureaucratic documentation.

ABC HIPAA was developed specifically because pure ABC methodology cannot work in regulated health care environments. HIPAA mandates certain documentation and risk assessments that cannot simply be omitted. The solution is not to abandon ABC principles, but to apply them to HOW you fulfill regulatory requirements.

ABC HIPAA provides the practical "how" framework for health care organizations lost between knowing WHAT they need to do for HIPAA compliance and HOW to actually implement it within real-world constraints. The framework stands on four assumptions that shape every recommendation that follows.

Framework Cornerstones

These foundational assumptions underpin the entire ABC HIPAA methodology. They inform how every element of the framework should be understood, applied, and evaluated.

PHI Protection Continuity

Strip out the PHI protection thread, and ABC HIPAA becomes a perfectly good IT disaster recovery methodology for any industry. What makes this specifically a health care framework is the regulatory obligation to protect patient health information during every phase of operations - including the phases where normal systems and controls are unavailable.

HIPAA does not pause during outages.

During normal operations, ePHI protection is handled by technical controls: access controls, audit logs, role-based permissions, encryption. When systems go down, those controls go down with them. The organization does not get a compliance holiday.

In many post-incident reviews, the hardest control failures emerge during and immediately after the incident itself: emergency access granted but never revoked, break-glass account usage never reviewed, paper records created during downtime not secured appropriately, no audit trail for actions taken during the emergency period. These are the predictable consequences of not planning for PHI protection during the exact moments when protection is hardest to maintain.

PHI Protection Continuity is operationalized through four safeguard domains applied to every CI in the framework: Emergency Authorization (who can authorize emergency access and how), Minimum Necessary Scope (what access is permitted and what is not), Manual Logging Requirements (what must be recorded, where, and by whom), and Post-Restoration Reconciliation (how emergency-period activity is reviewed after restoration). Structure is uniform across every CI. Content varies - CIs with ePHI impact carry substantive procedures; CIs without ePHI impact carry a documented N/A determination that confirms the assessment was made.

PHI Protection Continuity is the health care differentiator, not the DRP scope limiter.

The framework's disaster recovery planning scope encompasses the entire CI inventory. PHI Protection Continuity adds a layer of additional rigor for systems that store, transmit, or gate access to ePHI. It does not define the boundary of what gets recovery planning; it defines which CIs require the four safeguard domains to carry substantive procedures.

The Neo-Compliance Philosophy

Create abbreviated compliance documents quickly, then focus time on building actual recovery capabilities.

A single comprehensive CI mapping effort satisfies multiple HIPAA requirements simultaneously - ePHI system inventory, risk analysis, contingency planning, emergency mode operations, emergency access procedures, disaster recovery planning, criticality analysis, audit controls, and information system activity review. The organization builds one set of documentation that works both operationally and for compliance.

The Security Rule requires a Risk Analysis of all ePHI to identify risks and vulnerabilities. You cannot perform that analysis without first knowing every system that stores, transmits, or processes ePHI. It is the position of this framework that a complete CI inventory is a highly defensible operational method for satisfying that requirement, and the basis of thorough contingency and recovery planning.

ABC HIPAA satisfies the risk analysis requirement through two complementary deliverables: a global Threat and Vulnerability Context document that identifies reasonably anticipated threats organized by effect category with likelihood ratings, and the CI documentation set that captures per-system vulnerability, impact, and risk treatment through dependency mapping. Together these constitute a complete risk analysis without the redundancy of repeating overlapping threat analysis for every system. The analytical effort focuses on actual system relationships and real organizational vulnerabilities rather than theoretical threat enumeration.

ABC HIPAA Principles

Implementation Philosophy

Crown Jewel Fast Track

Focus to learn, not defer to circle back. Begin with your 3-5 most critical clinical applications, complete full CI inventory and DRP processes (contingency plans, recovery plans, and emergency mode safeguards), measure and demonstrate recovery capabilities, then expand the proven methodology to remaining systems.

Crown Jewels receive the same complete documentation you would do for the full environment - you are just limiting the initial scope to learn the methodology while delivering immediate value.

Business Associate Continuity Verification

HIPAA requires covered entities to obtain satisfactory assurances from business associates that ePHI will be appropriately safeguarded, formalized through written contracts meeting 45 CFR 164.314(a). ABC HIPAA's recommended approach includes vendor questionnaires, shared responsibility matrices, regular capability verification, and contract requirements ensuring BAAs explicitly address business continuity.

Vendor questionnaires must be short enough to actually get completed. Short-form questionnaires focused on the questions that matter get completed and provide actionable data. SOC 2 reports should be accepted as supplemental evidence, not substitutes for specific answers about how vendor capabilities support your recovery objectives.

Resource-Appropriate Implementation

The framework scales from critical access hospitals to major health systems, with phased implementation that builds standalone value at each step and special attention to the multi-hat reality of rural health care IT staff.

Call to Action

US health care organizations deserve disaster recovery planning that protects patients, staff, and operations while satisfying regulatory requirements. HIPAA compliance should enhance security through practical capabilities, not create documentation burdens that divert resources from patient care.

The gap between compliance theater and operational reality puts communities at risk. Rural health care organizations especially cannot absorb the costs of this gap - limited resources demand maximum protection from every IT investment.

Stop accepting the false choice between compliance and capability. Stop being lost in the "how." Start building adaptive, practical, sustainable health care preparedness.

Begin with Crown Jewel identification. Build real capabilities. Document appropriately. Expand systematically.

Designed for the resource constraints and geographic realities of rural health care, applicable across all US health care organizations committed to practical preparedness over compliance theater.