Information security in general practice

Information security strategy

Business continuity and information recovery

      1. Business continuity and information recovery

Last revised: 21 Apr 2023

Business continuity and information recovery

Your general practice needs a documented business continuity plan which includes information on recovery procedures to preserve access to your practice data. In the event of an ‘information disaster’, this will ensure you can respond as soon as possible to minimise potential loss or corruption of information.

An effective business continuity and information recovery plan brings your practice information systems back to working order when a system failure occurs. The plan should detail how to maintain critical business functions when there is an unexpected system event. It is also important to include how your practice will function in the event of an environmental or natural disaster.

Business continuity and information recovery plans should be reviewed, updated and tested periodically. This includes when there is a technology or procedure change in the practice, or when any changes to legislative requirements occur.

Create a policy: Business continuity and information recovery processes

Ensure all business continuity and information recovery processes are fully documented in your policy so your practice team knows their individual roles and responsibilities in the event of an emergency or disaster.


Standards indicator

C6.4D Our practice has a business continuity and information recovery plan.

You must operate a server backup log, maintain and test a business continuity plan for information recovery and have a privacy policy.

Business continuity

Your business continuity plan should cover:

  • access to education and training for your practice team on business continuity processes and procedures
  • how your general practice functions in the event of an environmental or natural disaster
  • how to transfer information between your practice, other healthcare providers, services and government bodies.

When creating your business continuity and information plan, you should:

  • identify the functions and resources required to operate your practice at a minimum acceptable level without functional computers
  • train your practice team on how your practice systems will be managed ‘manually’, and which information needs to be collected for re-entering after recovery
  • provide advice on how to revert to a paper-based system
  • provide advice on basic practice systems such as;
    • enabling clinical team members to provide adequate clinical care while not having access to electronic health records
    • appointment scheduling
    • billing
    • issuing of prescriptions
    • business financial operations (e.g. payroll, Medicare claims)
    • payroll processing
    • financial reconciliations.​ 

If you are using cloud-based services, you will need to consider creating a cloud services plan. This could include:

  • documenting an internet failover plan, including setting up multiple internet connections with different service providers
  • establishing manual workarounds (if available) for when your business and clinical applications cannot be accessed
  • migration plans to accommodate a sudden change of cloud provider
  • documenting key contacts for your cloud service provider including the support desk, account manager, and the address of any websites that display service status.

Information recovery

See module on Data recovery and restoration for more information.