When we talk about Disaster Recovery and Emergency Preparedness, hurricanes often come to mind, and for good reason! The past few years we have experienced hurricanes that have caused incomprehensible destruction (e.g., Hurricane Michael). Yet, hurricanes are just one example of types of disasters that we need to consider.
There are other types of disasters such as tornadoes, earthquakes, fires, and power outages that can impact your systems and data. For that reason, it is important for all healthcare organizations to have a disaster plan in place regardless of location.
Disaster Recovery Plans
Disaster Recovery may not be the first thing the person in charge thinks about when they wake up in the morning. However, managers that ignore disaster planning do so at their own peril! The weather events of the past year alone have reminded us that disasters can strike at any time, in any community or business. Yet, many medical offices and hospitals have not developed effective plans for responding to natural disasters. Some may falsely assume that their EHR vendor or IT company will be handling it, and that they have it all under control.
HIPAA regulations require organizations to maintain up-to-date disaster recovery plans. These plans detail how providers will protect and restore access to electronic Protected Health Information (ePHI) when affected by an unforeseen event.
In the event of a disaster – natural or otherwise – covered entities and their business associates must create and document a disaster recovery plan (DRP) to recover information systems. The DRP must be implemented, reviewed regularly and revised as necessary.
It is critical that your DRP provides a clear, structured approach to responding to an unforeseen event that could threaten your organization’s IT infrastructure (i.e. hardware, software, networks, etc.).
Your DRP Implementation plan may look like the following:
1. Accountable personnel will activate our Disaster Recovery Plan.
2. Missing data will be restored.
3. Damaged machines will be repaired or replaced as soon as possible.
4. ePHI and programs will be restored from the most recent backup (on or off-site).
5. If applicable the network administrator will be contacted.
6. After the organization is up and running again, you will secure copies of any missing software licenses.
7. Also, ensure that all damaged equipment is thoroughly purged of any ePHI and then document that process.
Simply having a DRP isn’t enough. It is equally important to periodically test, provide regular training to your employees, and ensure employees have a current copy of the plan. In addition, an appropriate number of current copies of your DRP must be kept off-site.
Emergency Mode Operation Plan and Emergency Access Procedures
Covered entities and business associates must also have a formal, documented emergency mode operation plan for protecting information systems containing ePHI during and immediately after a crisis situation. Just like a DRP, employees must receive regular training and awareness on their emergency mode operation plan.
Your emergency mode operation plan establishes procedures that will enable you to continue critical business processes for the security of your ePHI while operating in emergency mode. In the event of an emergency, you and your business associates will implement this plan.
Your Emergency Mode Operations plan may look like the following:
1. We will print our appointment lists, encounter forms (with balance forward), and medical record chart “pull” lists for the next day.
2. We will print extra blank encounter forms and have them available for use.
3. We will hand-write appointments that are added while our system is down.
4. We will use a manual payment log to record receipts of cash, checks, and credit cards including account numbers.
5. We will utilize laptops and/or notebook PCs with charged spare batteries, if necessary, for secondary versions of ePHI.
6. When our system is restored, we will enter the data recorded on hard copies into our information systems.
Your Emergency Mode Operations plan should also include emergency access procedures:
If an emergency occurs at our office that requires a workforce member to access ePHI that he or she does not usually have the authorization to access, but must access in order for a patient to receive treatment, we will do the following:
1. The workforce member involved nearest the emergency situation will be designated to access the patient’s PHI.
2. The workforce member will access the minimum PHI necessary in order for the patient to receive treatment; either paper or electronic PHI may be accessed.
3. The workforce member will log the access to the PHI; what was accessed and for what treatment reason.
4. The HIPAA Compliance Officer will audit the access to the PHI to ensure that appropriate access was made by the workforce member.
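As an added illustration (not part of the original article) of how the four emergency access steps can be enforced in an information system: every break-glass access must state what was accessed and the treatment reason before it is recorded, and the compliance officer's audit flags any access that went beyond the record types a clinician needs for treatment. The set of treatment record types and the function and field names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical: record types a clinician may open under emergency access for treatment.
# Anything outside this set exceeds the "minimum necessary" and is flagged at audit.
TREATMENT_RECORD_TYPES = {"allergies", "medications", "problem_list", "recent_notes"}


@dataclass
class EmergencyAccess:
    member: str                 # workforce member designated in step 1
    patient_id: str
    records: list               # what was accessed (step 3)
    treatment_reason: str       # why it was accessed (step 3)
    accessed_at: str
    audited_by: str = ""        # filled in by the compliance officer (step 4)
    findings: list = field(default_factory=list)


class BreakGlassLog:
    """Append-only log of emergency (break-glass) accesses to PHI."""

    def __init__(self):
        self.entries = []

    def record(self, member, patient_id, records, treatment_reason):
        # Step 3: an access with no stated reason or no listed records is refused, not logged.
        if not treatment_reason.strip():
            raise ValueError("emergency access must state a treatment reason")
        if not records:
            raise ValueError("emergency access must list the records accessed")
        entry = EmergencyAccess(member, patient_id, list(records), treatment_reason,
                                datetime.now(timezone.utc).isoformat())
        self.entries.append(entry)
        return entry

    def audit(self, officer):
        # Step 4: the compliance officer reviews every unaudited entry and records findings.
        flagged = []
        for e in self.entries:
            if e.audited_by:
                continue
            beyond_minimum = sorted(set(e.records) - TREATMENT_RECORD_TYPES)
            if beyond_minimum:
                e.findings.append(f"records beyond minimum necessary for treatment: {beyond_minimum}")
            e.audited_by = officer
            if e.findings:
                flagged.append(e)
        return flagged

    def unaudited(self):
        # Entries the compliance officer has not yet reviewed.
        return [e for e in self.entries if not e.audited_by]
```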
Disaster recovery is becoming increasingly important to businesses. You must be aware of the threat of both man-made and natural disasters. Having a disaster recovery plan, emergency mode operations plan and Emergency Access Procedures in place will protect your organization’s essential data from loss and mishandling. Additionally, creating these plans will help you refine your business processes and enable your business to recover operations more smoothly in the event of a disaster.