Practices Must Implement Contingency Plans
By Edward Keiper, President and CEO of Velocity
Not only are electronic health records an essential part of new government regulations concerning health care reform, but a disaster recovery plan is also mandated. According to the law, a HIPAA covered practice must implement a contingency plan to guarantee nonstop access to electronic protected health information (ePHI) in the case of a system failure.
HIPAA disaster recovery laws also include the implementation of an ePHI data backup plan, in addition to disaster recovery and emergency mode operation plans. If your practice group is in the process of developing a HIPAA disaster recovery plan, you are tasked with explaining to patients how health care data will be moved without violating HIPAA privacy and security requirements. These regulations point to the enduring need for a solid disaster recovery plan.
Patients’ health – and even their very lives – can be dependent upon on systems always being up and running. A few minutes of downtime can become a major impediment to proper care. Take the example of Missouri hospitals hit by tornadoes in 2011. It was a powerful lesson in the need for disaster preparedness and infrastructure resiliency that impacts clinical workflow. Additionally, when natural disaster strikes, it’s quite likely that medical practices will experience a surge in the patient population.
The problem many practices have is that disaster recovery was not in the initial IT budget. In day to day planning of normal operations, disaster scenarios can be overlooked. However, with healthcare reform, it is no longer an option to put off disaster planning indefinitely.
Your practice’s first step in disaster recovery planning is a business impact analysis that looks at all systems and applications, and determines impact to the practice and to patients in the event of failure. Next, practice groups should identify potential weak spots in order to create a plan that tackles susceptibilities. This strategy should include use of a cloud backup at a remote data center, working in tandem with a cloud service provider who understands the specific requirements of a medical practice. They’ll have built-in layers of redundancy and back up data at the remote server.
Disaster recovery planning isn’t just a great idea for HIPAA compliant physician practices. It’s the law. So it isn’t something you can kick down the road any longer.
This article was originally published in the Velocity blog and is republished here with permission.