Preparation is Less Costly Than Learning Through Tragedy
Hurricanes Ida, Sam, and Nicholas remind us of the importance of hoping for the best but planning and preparing for the worst. Having a plan in place before an emergency will determine how well your organization can "survive the storm."
Organizations must have these plans in place in the event of natural disasters, unsafe conditions that may impact the area, or even when a global pandemic happens, as we have all been experiencing since early 2020.
When these types of events occur, organizations must be prepared to respond quickly. All healthcare organizations must have an Emergency Action Plan (EAP) and a Disaster Recovery Plan (DRP) written, communicated, tested, and activated when necessary.
Emergency Action Plan
An Emergency Action Plan is typically a written document required under OSHA. Even though smaller organizations (10 or fewer employees) are not required to have a written plan, they must communicate it orally to their employees. We highly recommend all healthcare organizations have a written EAP, regardless of their size.
The purpose of the EAP is to facilitate and organize employer and employee actions during workplace emergencies. According to OSHA, a poorly prepared plan can lead to a disorganized evacuation or emergency response, resulting in confusion, injury, and property damage.
The elements of an Emergency Action Plan must include, but are not limited to:
- Means of reporting fires and other emergencies
- Evacuation procedures and emergency escape route assignments
- Procedures to be followed by employees who remain to operate critical plant operations before they evacuate
- Processes to account for all employees after an emergency evacuation has been completed
- Rescue and medical duties for those employees who are to perform them
- Names or job titles of persons who can be contacted for further information or explanation of duties under the plan
At HCP, we also recommend training employees on the different alerts they will hear for various emergencies. You can broadcast such signals using sirens or even public address systems. It's also important to designate an alternative meeting place in case the primary one cannot be used or reached because of safety concerns such as fire or explosions.
Disaster Recovery Plan
Covered entities and their business associates must create and document a Disaster Recovery Plan for recovering information systems in the event of a disaster, natural or otherwise. The DRP is a HIPAA requirement and must be implemented as part of HIPAA policies and procedures, reviewed regularly, and revised as necessary (when changes occur to processes, etc.).
Your DRP must provide a straightforward and structured approach to responding to an unforeseen event that could threaten your organization's information technology (IT) infrastructure (i.e., hardware, software, networks, etc.). Additionally, your DRP must clearly explain:
1. Who is responsible for activating the Disaster Recovery Plan?
2. How will missing data be restored?
3. What is the process for repairing damaged machines, systems, etc.?
4. Methods used for ePHI and programs to be restored from the most recent backup (on or off-site)
5. The name and contact information for the network administrator and instructions for reaching them, when applicable
6. How will copies of missing software licenses be secured once the organization is up and running again?
7. How the plan will ensure all damaged equipment is disposed of properly (including a thorough purge of any ePHI, followed by documentation of its destruction)
More than ever before, Emergency Action Plans and Disaster Recovery Plans are essential for businesses, including healthcare organizations. Being prepared for emergencies starts with being alert to any potential man-made threats or natural disasters and watching for updates to ensure there is adequate time to activate the plan(s). An Emergency Action Plan and a Disaster Recovery Plan are two important requirements that will help protect your organization's essential operations and reduce the potential for mishandled or lost data.
Have questions about Emergency Action Plans or Disaster Recovery Plans? We can help. Contact us by email: email@example.com or reach us by phone: 855-427-0427.