**HIPAA Security Rule (§164.308(a)(7)):** Requires a contingency plan that includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan. Testing and revision are required, but the frequency isn't specified.

- **HIPAA doesn't specify RTO/RPO** — but CMS and state regulators expect heal