Contingency planning gives organizations an effective way to address issues when they happen. HIPAA requires a plan as part of administrative safeguards for responding to an emergency such as a system failure. It must include a data backup plan, disaster recovery procedures, an emergency mode operation plan, and testing and revision procedures. A well-documented plan will cover many possible scenarios and provide the tasks and procedures necessary in the event that data is lost or stolen or a physical disruption to systems and services takes place. Most importantly, it will lay out the communication protocol and delineate who is making the decisions in a crisis. Security experts say some organizations fail to conduct an annual assessment of the plan or to test it to ensure its effectiveness. Drills help improve procedures and create a culture of security and privacy within the organization, experts say.