Healthcare Practice Strategies – Spring 2013 - Disaster Preparedness: Take a Hint from HIPAA
The disasters that actually wind up devastating a practice usually aren’t what we think of as “typical” disasters — the hurricanes, tornadoes and floods that make headlines. Rather, it’s the small but unexpected events that can shut down unsuspecting practices — everything from server crashes to sewer backups and burst pipes.
Here, providers can take a cue from HIPAA security regulations to create a workable disaster recovery plan. The goal: to ensure that the practice survives any type of interruption and is able to get its doors open and patients in with minimal disruption and cost.
HIPAA rules state that physicians must have a written analysis of the “risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information.” Practices also need written plans for creating and maintaining copies of electronic data, a recovery plan to restore lost data, a plan for data protection during “emergency mode,” and procedures for periodic testing to make sure data is protected.
Experts say these requirements provide an excellent blueprint for designing a solid disaster preparedness plan. Consider these key steps for formulating an effective recovery plan:
GIVE EVERYONE A JOB. Just as you would include each member of your practice in designing a HIPAA compliance plan, get input from each department in your practice as you design your disaster preparedness plan. For example, ask how your billing and collections staff is backing up financial and claims data, and how they would recover it after a disaster has passed.
As you involve your staff, don’t forget to designate a trusted individual (and a back-up) to implement the plan in case you are unavailable.
ESTABLISH A CHAIN OF COMMAND. In the confusion following a disaster, it’s important that your staff know who key leaders are and what the chain of command is. Designate a central point of contact for employees to call — preferably someone who is located out of the area and won’t be impacted by any disaster that hits your practice. (One enterprising physician provided the phone number of his out-of-state in-laws for staffers to call in the wake of a disaster.)
Ensure that an up-to-date call list is readily accessible and contains contact information for all staff, clients and key vendors. Consider having employees provide e-mail addresses and phone numbers of their closest relatives in addition to their personal contact info. Add some redundancy by making the list accessible through multiple channels — e.g., a hard copy as well as a copy on your smart phone, website or other media.
CREATE A “GRAB LIST.” Authorities may seal off the impacted area after the danger has passed and allow only limited access. Think through the key items you would want to retrieve if you were granted just 15 minutes to enter your office — laptops, computer disks, ledgers and checkbooks, for example. Make a “grab list” that includes the following information:
- Names of the items
- Locations of the items
- Rankings in order of each item’s priority/importance
KEEP YOUR VENDORS CLOSE. Maintaining good working relationships with your vendors can pay off in the event of a disaster. For example, the vendor of your practice management and electronic medical records software can be a critical ally in restoring your systems and resuming operations. The key here is to keep an accurate inventory of your equipment, software and software licenses and document the configuration of your computer network.
BE READY WITH NEW SPACE. Determine an alternate site where you can quickly set up and run your practice following a disaster. One option is to negotiate alternate office space in the lease agreement with your current landlord.
Or have your office manager maintain a list of available commercial office space for a quick move (area real estate professionals and even your local business development authority should be able to help). Make sure your plan also covers how you would notify vendors (including labs) of your temporary location and how you would coordinate delivery to this new address.
SOCK AWAY SOME RESERVES. Business interruption can be expensive, and you certainly should have adequate business interruption insurance. But also make sure you have a handle on any credit sources — such as a line of credit — that will be available to you, and have all of your banking and financial information readily accessible. Likewise, consider budgeting for a practice operating reserve — a nest egg that will see you through a really “rainy day.”