What You Need to Know about Disaster Recovery Plans
Your region will be prone to some type of natural disaster. Some regions are known to have intersecting risks of severe environmental conditions such as fires, floods, earthquakes, tornadoes, and many more examples.
Each year demonstrates the destruction of hurricanes and tropical storms along the coastal regions. For instance, the Atlantic Ocean brewed Hurricane Irma (Category 5), destroying parts of Florida and nearby places. Meanwhile, the Pacific Ocean generated Hurricane Lane (Category 5), battering Hawaii with 46 inches of rain in several areas.
Organizations across the country can prepare for natural disasters, reduce uncertainty or panic, and mitigate operational risks. A well-built Disaster Recovery Plan can minimize damage, offer your organization's staff a protocol, and recover faster to regular operations.
Let's take a closer look at some of the components of effective Disaster Recovery Plans and Emergency Mode Operation Plans.
Let's Discuss Your Disaster Recovery Plan
Most people don't wake up in the morning thinking of a Disaster Recovery Plan (DRP) for their organization. Even though it is very important, it just isn't something that is thought of often, only when it's needed. Those ignoring disaster planning do so at their own peril.
Recent natural disasters have reminded us once more, that disasters can strike anytime, in any community, region or business. Most medical offices and hospitals have not developed effective plans for responding. You might want to think "our EHR vendor is handling that" or "our IT guys have that under control." But, the assumption that someone else is handling it is problematic.
HIPAA regulations require organizations to maintain up-to-date disaster recovery plans. For instance, these plans detail how the provider will protect and restore access to electronic Protected Health Information (ePHI) when affected by an unforeseen event.
In the event of a disaster - natural or otherwise - covered entities and their business associates must create and document their disaster recoveries plan (DRP) to recover information systems. The DRP must be implemented, reviewed regularly, and revised as necessary.
It is critical for your DRP to provide a clear, structured approach to responding to an unforeseen event that threatens your organization's IT infrastructure (i.e. hardware, software, networks, etc.).
Your DRP Implementation plan may look like the following:
- Accountable personnel will activate our Disaster Recovery Plan.
- Missing data will be restored.
- Damaged machines will be repaired or replaced as soon as possible.
- ePHI and programs will be restored from the most recent backup (on or off-site).
- If applicable the network administrator will be contacted.
- After the organization is up and running again, you will secure copies of any missing software licenses.
- Ensure that all damaged equipment is thoroughly purged of any ePHI and then document that process.
Simply having a DRP isn't enough. It is equally important to periodically test, review and hold regular training for your employees, and ensure employees have a current copy of the plan. In addition, an appropriate number of current copies of your DRP must be kept off-site.
Emergency Mode Operation Plan and Emergency Access Procedures
Covered entities and business associates must also have a formal, documented emergency mode operation plan for protecting information systems containing ePHI during and immediately after a crisis situation. Just like a DRP, employees must receive regular training and awareness on their emergency mode operation plan.
Your emergency mode operation plan establishes procedures that will enable you to continue critical business processes for the security of your ePHI while operating in emergency mode. In the event of an emergency, you and your business associates will implement this plan.
Your Emergency Mode Operations Plan may include the following:
- We will print our appointment lists, encounter forms (with balance forward), and medical record chart "pull" lists for the next day.
- We will print extra blank encounter forms and have them available for use.
- We will hand-write appointments that are added while our system is down.
- We will use a manual payment log to record receipts of cash, checks, and credit cards including account numbers.
- We will utilize laptops and/or notebook PCs with charged spare batteries, if necessary, for secondary versions of ePHI.
- When our system is restored, we will enter the data recorded on hard copies into our information systems.
Your Emergency Mode Operations plan should also include emergency access procedures:
If an emergency occurs at our office which will require a workforce member to access ePHI that he or she does not usually have access authorization, but is required to access for a patient to receive treatment, we will do the following:
- The workforce member involved nearest the emergency situation will be designated to access the patient's PHI.
- The workforce member will access the minimum PHI necessary for the patient to receive treatment; either paper or electronic PHI may be accessed.
- The workforce member will log the access to the PHI; what was accessed and for what treatment reason.
- The HIPAA Compliance Officer will audit the access to the PHI to ensure that appropriate access was made by the workforce member.
Disaster recovery is becoming increasingly important to businesses. Being alert to any potential man-made threats or natural disasters is of utmost importance. Having a Disaster Recovery Plan and Emergency Mode Operations Plan with Emergency Access Procedures in place will protect your organization's essential data from loss and mishandling. Additionally, creating these plans will help you refine your business processes and enable your business to recover operations more smoothly in the event of a disaster.
Health Care Compliance Pros is here to support and assist our clients being affected by this natural disaster.
If you have any questions, please feel free to reach us by phone toll-free at 855-427-0427 or send us an email at firstname.lastname@example.org.