Superstorm Sandy has had major impact on the lives of large numbers of our fellow Americans and colleagues who live in the Northeast U.S. The loss of life, property, and access to conveniences like electricity, warm showers, and transportation has made clear how vulnerable we are to the impacts of catastrophic events.
Sandy has also given us the unfortunate opportunity to evaluate the policies and procedures we have in place for dealing with physical catastrophes.
The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations have in place a Contingency Plan (STANDARD § 164.308(a)(7) Contingency Plan, see page 19):
The Contingency Plan standard requires that covered entities:
“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
This requirement is not aimed at giving you one more thing to do. Its purpose is to protect the health information of your patients and to make sure that they have access to continuing care. Hurricane Andrew in 1992 and Hurricane Katrina in 2005 demonstrated how poorly prepared we have been to maintain continuity of care for our patients. The requirements of HIPAA are designed to prevent a repeat of such failures.
FiercePracticeManagement newsletter suggests three key steps.
- Know how your remote data is stored and can be accessed. This assumes that you have your data stored offsite, as it should be. Knowing just where it is and how to access it so you can get your system back up and running without delay is crucial.
- Duplicate needed paper and have it with you. Make sure you have a copy of your schedule with you. Assure that you have with you ways to contact your patients so you can let them know your alternative arrangements for meeting with them.
- Plan where you will relocate physical data. Know where that alternative location will be so you can get access to your data again quickly.
In HealthCare IT News, Benjamin Harris covers some of the same ground. He also suggests three processes, but starts at a more fundamental level.
- On-site safety. How are your hardware, software, and record systems protected at your site? Is your server located in the building basement along with the generator? As demonstrated by Sandy, the basement is not the best location for such equipment or records in the case of flooding, something that had previously been an issue in hurricanes Andrew and Katrina.
- Off-site data. If you are relying on a remote (cloud) storage facility or you need to access your data by means of the Internet, what do you do if your ISP (internet service provider) is down? And if your EHR is an online product, what do you do if those remote computers are underwater and without electricity? Having your schedules for the next week and treatment summaries for each of those patients printed out gives you a week of buffer time to give your vendors a chance to get back up and running.
- Accessibility. If you are using such remote storage or providers and they are not in the affected area or can implement access to backups quickly, having the capability of connecting to them becomes your responsibility. You can tether your laptop to your cell phone to reach your service or data in an emergency, as long as you have prepared in advance.
Madeline Hyden of the Medical Group Management Association (MGMA) suggests a slightly different but very practical list of steps.
- Secure your electronic information.
- Get the support of your professional colleagues.
- Immediately start securing new office space.
- Establish authority: Make sure someone in your organization is responsible for, and has the authority to, activate your contingency plan.
- Communicate with your vendors (hardware, software, backup services, electrical company, landlord, billing service, answering service).
- Develop a notification protocol: decide who to contact, how to contact them, and who does the contacting. Determine just what they will be told.
- Communicate honestly with your patients.
- Protect your records so you are sure you can have access even if your main system is not accessible.
- Practice your emergency plan. If you have not done so, it is possible you will be too traumatized to carry it out.
If you are not sure how to go about establishing a contingency plan, AHIMA has some suggestions for you. This does not need to be a complicated process, but it is a process you need to address if you have not already done so. After all, the U.S. northeast coast did not think they were susceptible to a hurricane-like storm that could cause such disruption.
Whether it is hurricanes, snowstorms, tornadoes, earthquakes, or fires, our electrical systems and business facilities are not impervious to disasters. We must be prepared so our patients can rely upon continued care. Behavioral health clients are especially susceptible to negative consequences from disruptive events. After all, they are likely to have just experienced the same trauma you did.
We hope all our SOS customers and their patients are safe and recovering in the aftermath of Sandy. We hope that you, our readers, will share your experiences and how you have assured the security of your data.