Who is responsible for our Disaster Recovery Plan?

Recently, the Kansas City Royals won the World Series, becoming the 2015 champions. They beat the New York Mets four games to one, leaving the Mets organization feeling "stunned." For New York Mets fans, the last two games of the World Series may have seemed like a disaster.

We've also witnessed large-scale natural disasters (Hurricanes Joaquin and Patricia) that have wreaked havoc in the lives of many people this fall. What if your organization experiences a disaster? How would your team recover from the loss?

Below, we will discuss your Disaster Recovery Plan, Emergency Mode Operation Plan and Emergency Access Procedures.

Let's discuss your Disaster Recovery Plan

Disaster recovery may not be the first thing an executive thinks about upon waking in the morning. However, managers who ignore disaster planning do so at their own peril. As recent events in baseball and in our weather unfold, we are reminded that disaster can strike any team, any community, and any business at any time. Many medical offices and hospitals have not developed effective plans for responding, often because they assume "our EHR vendor is handling that" or "our IT guys have that under control." Neither assumption is enough: a vendor's continuity plan covers the vendor's systems, not your workstations, network, paper workflow or staff, and the obligation to have a documented, tested plan rests on the covered entity itself.

The HIPAA Security Rule's contingency plan standard (45 CFR 164.308(a)(7)) requires organizations to maintain up-to-date disaster recovery plans. These plans detail how the provider will protect and restore access to electronic Protected Health Information (ePHI) when an unforeseen event affects it.

Covered entities and their business associates must create and document a disaster recovery plan (DRP) for recovering information systems after a disaster, natural or otherwise. The DRP must be implemented, reviewed regularly and revised as necessary.

It is critical for your DRP to provide a clear, structured approach to responding to an unforeseen event that threatens your organization's IT infrastructure (e.g. hardware, software, networks).

Implementation plan

Your DRP Implementation plan may look like the following:

  1. Accountable personnel will activate our Disaster Recovery Plan.
  2. Missing data will be restored.
  3. Damaged machines will be repaired or replaced as soon as possible.
  4. ePHI and programs will be restored from the most recent verified backup (on- or off-site).
  5. If applicable, the network administrator will be contacted.
  6. After the organization is up and running again, we will secure copies of any missing software licenses.
  7. We will also ensure that all damaged equipment is thoroughly purged of any ePHI before it is disposed of or returned to a vendor, and we will document that process.

Simply having a DRP isn't enough. It is equally important to test the plan periodically (including actually restoring from backup, not just confirming that backup jobs ran), to train your employees regularly, and to ensure employees have a current copy of the plan. In addition, an appropriate number of current copies of your DRP must be kept off-site.
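To show what a restore test can actually check, here is a small Python drill (an added example, not code from the original post or from any EHR vendor). It hashes every file in a backup into a manifest, authenticates that manifest with an HMAC whose key is assumed to be kept with the off-site DRP copies rather than with the backup media, and then compares a restored copy against the manifest. The file names and contents are constructed sample data standing in for ePHI and application files.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(backup_dir: Path) -> dict:
    """Hash every file in the backup so a restore can be checked file by file."""
    manifest = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(backup_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the manifest. Assumption: the key is stored with the off-site DRP
    copies, not on the backup media, so a tampered backup cannot simply ship a
    matching tampered manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(restore_dir: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest and report every discrepancy."""
    problems = {"missing": [], "corrupted": [], "unexpected": []}
    seen = set()
    for path in sorted(restore_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(restore_dir).as_posix()
        seen.add(rel)
        if rel not in manifest:
            problems["unexpected"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != manifest[rel]:
            problems["corrupted"].append(rel)
    problems["missing"] = sorted(set(manifest) - seen)
    return problems


def restore_drill() -> dict:
    """Self-contained drill: back up a constructed sample tree, 'restore' it,
    damage the restored copy three ways, and see whether verification notices."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        (backup / "ehr").mkdir(parents=True)
        # Constructed sample content standing in for ePHI and application files.
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample ePHI database")
        (backup / "ehr" / "schedule.csv").write_text("2015-11-02,08:30,Patient A\n")
        (backup / "licenses.txt").write_text("EHR-LICENSE-KEY-PLACEHOLDER\n")

        manifest = build_manifest(backup)
        shutil.copytree(backup, restore)  # the "restore"
        # Simulated damage: silent corruption, a file that never came back, a stray file.
        (restore / "ehr" / "patients.db").write_bytes(b"constructed sample ePHI databasX")
        (restore / "licenses.txt").unlink()
        (restore / "stray.tmp").write_text("leftover from the restore job\n")
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

A restore drill that reports all three problem categories as empty is the evidence a compliance officer wants on file; one that reports corruption or missing files is the finding you would rather make during a test than during a real disaster.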

Emergency Mode Operation Plan and Emergency Access Procedures

Covered entities and business associates must also have a formal, documented emergency mode operation plan for protecting information systems containing ePHI during and immediately after a crisis situation. Just like a DRP, employees must receive regular training and awareness on their emergency mode operation plan.

Your emergency mode operation plan establishes procedures that let you continue critical business processes, while still protecting your ePHI, during emergency operation. In the event of an emergency, you and your business associates will implement this plan.

Your Emergency Mode Operations plan may look like the following:

  1. We will print our appointment lists, encounter forms (with balance forward), and medical record chart "pull" lists for the next day.
  2. We will print extra blank encounter forms and have them available for use.
  3. We will hand-write appointments that are added while our system is down.
  4. We will use a manual payment log to record receipts of cash, checks, and credit cards, including account numbers. That log contains PHI and payment card data, so it is kept physically secured until it is entered and then destroyed.
  5. We will use laptops and/or notebook PCs (encrypted, with charged spare batteries) to reach a secondary copy of ePHI if necessary, so that a lost or stolen machine is not itself a breach.
  6. When our system is restored, we will enter the data recorded on hard copies into our information systems and then file or destroy the hard copies according to our retention policy.

Your Emergency Mode Operations plan should also include emergency access procedures; the Security Rule's access control standard (45 CFR 164.312(a)(2)(ii)) requires them:

If an emergency at our office requires a workforce member to access ePHI that he or she is not normally authorized to access, but that is needed for a patient to receive treatment, we will do the following:

  1. The workforce member nearest the emergency will be designated to access the patient's PHI.
  2. The workforce member will access the minimum PHI necessary for the patient to receive treatment; either paper or electronic PHI may be accessed.
  3. The workforce member will log the access to the PHI: who accessed it, when, what was accessed, and for what treatment reason.
  4. The HIPAA Compliance Officer will audit the access to the PHI to ensure that the workforce member's access was appropriate.
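In an EHR this procedure is usually implemented as "break-glass" access, and the four steps above map directly onto code: a normal authorization check, a justified override limited to the minimum clinical fields, a log entry for every override, and a report the compliance officer reviews. The Python below is an added example written for this post, not code from the original or from any EHR product; the patients, staff and role table are constructed sample data, and the field list and the three-override review threshold are assumptions a real deployment would set by policy.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data, not real patients or staff.
PATIENTS = {
    "P-1001": {"name": "Patient A", "allergies": ["penicillin"], "medications": ["metformin"],
               "blood_type": "O+", "ssn": "000-00-0000", "billing": "balance 120.00"},
    "P-1002": {"name": "Patient B", "allergies": [], "medications": [],
               "blood_type": "A-", "ssn": "000-00-0001", "billing": "balance 0.00"},
}
# Normal authorization: which patients each workforce member may see today.
NORMAL_ACCESS = {
    "dr_lee": {"P-1001", "P-1002"},
    "nurse_kim": {"P-1002"},
    "front_desk": set(),
}
# Assumed "minimum necessary" for emergency treatment: clinical fields only,
# never identifiers or billing data.
EMERGENCY_FIELDS = {"name", "allergies", "medications", "blood_type"}


@dataclass
class AuditLog:
    """Append-only log. In production this goes to write-once storage that the
    users being audited cannot edit."""
    entries: list = field(default_factory=list)

    def record(self, **fields):
        fields.setdefault("ts", time.time())
        self.entries.append(fields)


def access_phi(user: str, patient_id: str, requested: set, log: AuditLog,
               emergency_reason: Optional[str] = None) -> dict:
    """Release PHI fields to a user. Normal access goes through NORMAL_ACCESS;
    otherwise the caller must break glass with a treatment reason, receives only
    the emergency subset of fields, and the override is logged for audit."""
    if patient_id not in PATIENTS:
        raise KeyError(patient_id)
    record = PATIENTS[patient_id]

    if patient_id in NORMAL_ACCESS.get(user, set()):
        log.record(user=user, patient=patient_id, mode="normal", fields=sorted(requested))
        return {f: record[f] for f in requested if f in record}

    reason = (emergency_reason or "").strip()
    if not reason:
        raise PermissionError(f"{user} is not authorized for {patient_id}")
    if len(reason) < 10:  # reject "asdf"-style justifications
        raise PermissionError("break-glass access requires a real treatment reason")

    granted = requested & EMERGENCY_FIELDS
    log.record(user=user, patient=patient_id, mode="break-glass", reason=reason,
               fields=sorted(granted), denied=sorted(requested - EMERGENCY_FIELDS))
    return {f: record[f] for f in granted}


def try_access(user, patient_id, requested, log, emergency_reason=None):
    """Convenience wrapper: (True, fields) on success, (False, message) when denied."""
    try:
        return True, access_phi(user, patient_id, requested, log, emergency_reason)
    except PermissionError as exc:
        return False, str(exc)


def break_glass_report(log: AuditLog, repeat_threshold: int = 3) -> dict:
    """What the compliance officer reviews: every override, oldest first, plus the
    users who have broken glass often enough to warrant a closer look."""
    events = [e for e in log.entries if e["mode"] == "break-glass"]
    counts = {}
    for e in events:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    flagged = sorted(u for u, n in counts.items() if n >= repeat_threshold)
    return {"events": events, "review_users": flagged}


if __name__ == "__main__":
    log = AuditLog()
    print(try_access("nurse_kim", "P-1001", {"name", "allergies", "ssn"}, log))
    print(try_access("nurse_kim", "P-1001", {"name", "allergies", "ssn"}, log,
                     "patient collapsed in waiting room, attending unreachable"))
    print(break_glass_report(log))
```

Two design points matter more than the code itself. The override never grants more than the emergency field set, so a break-glass request for billing or SSN data is silently trimmed and the trimmed fields are recorded in the log entry, which is exactly what the auditor needs to see. And the reason is mandatory and checked for minimum length, because an override path that accepts an empty justification is just a second, unlogged way in.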

Disaster recovery is becoming increasingly important to businesses. You must be aware of the threat of both man-made and natural disasters. Having a disaster recovery plan, emergency mode operations plan and emergency access procedures in place will help protect your organization's essential data from loss and mishandling. Additionally, creating these plans will help you refine your business processes and enable your business to recover operations more smoothly in the event of a disaster.

How we can help

After performing Security Risk Analyses for our clients, we have noticed that many organizations do not have a formal DRP in place. Did you know we can help your organization implement and maintain your disaster recovery plan? If you would like more information about our disaster recovery plan services please do not hesitate to contact one of our professional consultants.