After a disaster, not only do you have to get back up and running within the time constraints set forth by regulatory compliance, but you're going to have to continue to ensure that you can meet or exceed standards. This is especially true for privacy regulations like HIPAA, which do not go away just because you're on alternate servers in another location. Quite the contrary, failing over or restoring to new systems is a red flag that you might not be in compliance anymore. In order to prove that the disaster has not destroyed your organisation's ability to protect data, you will have to ensure that security and encryption protocols are being enforced at the backup site, and that compliance-software implementations are performing the same tasks at the alternate site as they do at the production site.
One of the places I find some push back from those who want to be in compliance, but still don't understand how it really works is in the area of disaster recovery. The reason why it is included in the HIPAA rules is that data handling has to be seamless---- it is an end to end process that goes from creation to distruction, and your data needs to be protected along every detour it might take, whether through a BA or through a temporary home in your back-up servers.