§164.308(a)(7)(ii)(D): Implement procedures for periodic testing and revision of contingency plans.

Audit Inquiry

Does the entity have policies and procedures for periodic testing and revisions of its contingency plans?

Does the entity periodically test and revise its contingency plans?

Obtain and review policies and procedures related to periodic testing and revision of contingency plans.

Elements to review may include but are not limited to:
• Methods used to test the plan (component, system, or comprehensive)
• Workforce members’ roles and responsibilities in coordination of the test
• How frequently tests will be conducted
• How frequently contingency plans will be revised
• Notification procedures

Obtain and review documentation demonstrating the revision of contingency plans. Based on related procedures, evaluate and determine if the contingency plans have been approved, reviewed, and updated on a periodic basis.

Obtain and review documentation of contingency plan tests and related results. Evaluate and determine if the results of each contingency plan test indicate that tests have been conducted in a timely manner; involved the appropriate workforce members; has been documented; and, if necessary, that corrective actions were taken as result of the contingency plan test.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.