September is Disaster Recovery Month, which makes it a perfect time to think about disaster-proofing your practice. If you’re ready to skip this blog because you don’t think a disaster will impact your practice, consider the following factors:

  1. Not all disasters are city-wide events, and a disaster of any scale could destroy your practice. These events come in all shapes and sizes, from the sprinklers going off in your clinic and destroying your equipment, to snow storms rendering streets impassable for hours, to a gas leak permeating your clinic with a foul-smelling odor. A disaster could even be as simple as your Internet going down for the entire day, making electronic documentation, record review, and patient scheduling impossible.
  2. As a healthcare provider, you have a duty to protect your patients in the event of a disaster. Our country recently observed the tenth anniversary of Hurricane Katrina, and as such, we certainly cannot forget about all the patients trapped in humid hospital buildings after the storm—or the images of tiny babies transported to helicopters during Superstorm Sandy in 2012.

On a community and regional level, disasters are devastating. But they can devastate individual business owners as well. Why? Because they can stall business, impact your bottom line, place your patients in harm’s way, or even expose you to compliance violations. That’s why you absolutely can’t afford to bury your head in the sand or procrastinate on disaster planning. Depending on the size of your business, disaster recovery and business continuity management (DR/BCM) planning might not take much time, but it will be your practice’s life-preserver if you ever need one. Here are some strategies and resources for building your DR/BCM plan:


Crowdsource Your Brain Power

Even if you have a small practice, you don’t have to construct your DR/BCM plan alone. Build a small coalition of colleagues who can assist with brainstorming ideas, developing strategies, planning, road-mapping, and writing it all down. Your team members will hold each other accountable for completing this task. Schedule weekly DR/BCM planning sessions in which you spend about an hour tackling this massive project one small piece at a time. Set goals for completion and roadmap your project.

If you’re a sole proprietor, join a local chapter of the Association of Contingency Planners (ACP). Membership is very affordable, the monthly meetings are highly informative, business continuity planners are really nice people, and you will meet mentors who can help you with your plan.

Listen to HIPAA

The HIPAA Security Rule requires you, as a covered entity, to:

  1. have a contingency plan to protect the availability, integrity, and confidentiality of your electronic protected health information (ePHI) in the event of a natural, human, or environmental disaster;
  2. back up your ePHI;
  3. have a disaster recovery plan in place to restore lost ePHI;
  4. have an emergency-mode operation plan to safeguard the security of PHI in the event of an emergency;
  5. identify your practice’s critical applications and hardware and determine what data must be backed up; and
  6. test all your plans.

HIPAA’s requirements are vague and will not fully protect your business and your patients in the event of a disaster. Therefore, while it’s important to implement policies and procedures to satisfy HIPAA’s requirements, you’ll have to go above and beyond these standards to ensure your practice survives an emergency.

Back Up Critical Data

Make sure you back up all of your critical data, including ePHI, employee records, and your financial information. If your electronic medical record software (EMR) is web-based, talk to your vendor about how they back up your data. Here are some questions to ask:

  • how often the system performs backups (e.g., hourly, daily, or weekly);
  • how the company backs up your data (i.e., do they store hard copies in a vault or do they send electronic data to a second data center located far away from the primary one); and
  • how often the vendor tests its process to determine whether it’s backing up the correct data and can retrieve the correct information.

Your vendor should be backing up your data at least daily, storing the backups far away from the active data and testing the backups yearly. If you’re using downloadable electronic medical record software (meaning the software is located on your hardware versus in the cloud), you may have to perform your own backups. Each software system is different, so talk with your vendor to determine the best way to back up your data.

If you use a cloud-based EMR, don’t hand off all the responsibility of data backups to your vendor. Schedule regular backups of your data in a format you can store in a location near your clinic. If you can, set up an automated process for backing up your data, and try to have more than one form of backup. Then, store one backup set off site or in a remote location. Also, make sure you store your data in a format that will be readable in the future. For example, PDFs are a good method, but floppy disks are a bad idea.

Finally, develop a contingency plan for restoring your data, including your ePHI, in the event of a disaster. If applicable, talk with your software vendor about its contingency plans. Then, implement your own contingency plan for your ePHI. This may involve storing your data backups in a secure location that is cool and dry (i.e., not your mother’s basement). If you decide to house your backups in the cloud (a process otherwise known as a secure file transfer protocol), remember that you’ll need a HIPAA business associate agreement with your cloud vendor. Be forewarned that this solution won’t be free and not all cloud solutions are HIPAA-compliant. Do your research and conduct a risk analysis before you hand over your ePHI. Some covered entities have violated HIPAA by using free cloud solutions to store ePHI. Also, if you’re storing your ePHI on mobile media (e.g., thumb drives), make sure they are encrypted, and store your encryption keys in a separate, secure location.
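A minimal version of the automated backup-and-restore check described above, as an added example (not the page’s or any vendor’s code): it archives a directory, records a SHA-256 manifest, copies both to a second directory standing in for off-site storage, then restores into scratch space and verifies every file against the manifest. The sample data is constructed; encrypting the media and storing keys separately, as the text requires, is outside this block.

```python
import hashlib, json, shutil, tarfile, tempfile, time
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".sha256.json")

def make_backup(source: Path, backup_dir: Path) -> Path:
    """Write a timestamped tar.gz of `source` and a sha256 manifest beside it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"clinic-{time.strftime('%Y%m%dT%H%M%S')}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return archive

def copy_offsite(archive: Path, offsite_dir: Path) -> Path:
    """Second copy of archive + manifest; a directory stands in for off-site storage."""
    offsite_dir.mkdir(parents=True, exist_ok=True)
    for f in (archive, manifest_path(archive)):
        shutil.copy2(f, offsite_dir / f.name)
    return offsite_dir / archive.name

def restore_test(archive: Path) -> dict:
    """Restore into scratch space and check every file against the manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse path-traversal members
            except TypeError:  # Python builds without the filter argument
                tar.extractall(scratch)
        missing = [r for r in manifest if not (Path(scratch) / r).is_file()]
        corrupt = [r for r in manifest if r not in missing
                   and sha256_of(Path(scratch) / r) != manifest[r]]
    return {"files": len(manifest), "missing": missing, "corrupt": corrupt}

def demo(tamper: bool = False) -> dict:
    """Constructed sample tree (not real ePHI); optionally simulate a bad backup."""
    src = Path(tempfile.mkdtemp()) / "clinic"
    (src / "schedule").mkdir(parents=True)
    (src / "schedule" / "2015-09-01.csv").write_text("09:00,constructed patient\n")
    (src / "notes.txt").write_text("constructed sample note\n")
    archive = copy_offsite(make_backup(src, src.parent / "local"), src.parent / "offsite")
    if tamper:  # simulate a copy whose bytes no longer match the recorded hash
        m = json.loads(manifest_path(archive).read_text())
        m["notes.txt"] = "0" * 64
        manifest_path(archive).write_text(json.dumps(m))
    return restore_test(archive)
```

Run `demo()` on a schedule (cron or Task Scheduler) and treat any non-empty `missing` or `corrupt` list as a failed backup that needs attention before the next cycle.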

Create a Solid Disaster Plan

HIPAA’s requirements for disaster recovery planning and emergency-mode operations planning involve more than just backing up data. You also have to establish the framework for preserving your business operations. This is where you and your team spin up a bunch of disaster scenarios and come up with solutions. Although this task seems enormous, these tips will keep it manageable:

1. Perform a business impact assessment of your operations.

The business impact assessment (BIA) is similar to a clinical initial evaluation. You will list all of the different departments in your practice, from the front desk, to facilities, to clinical operations. Schedule times to meet with all department leaders and collect the following data:

  • Number of employees in the department
  • Department processes
  • Processes that are critical to the life of the business (e.g., front office staff who schedule patients are most likely mission-critical)
  • The recovery time objective for each department (i.e., the time frame within which the department must be operational)
  • The recovery point objective (i.e., the amount of time you can tolerate not having access to your data; think beyond ePHI to consider financial systems and other tools)
  • The financial impact of losing that department or its processes

Keep in mind that this is not an exhaustive list, and you should customize the BIA to suit the needs of your business. If you’re a sole proprietor and your practice consists of you, your car, and the open road, your BIA will look different than that of a brick-and-mortar clinic, which will look different than that of a telehealth practice that delivers all of its services remotely. The most important objective of your BIA is to identify the different processes in your practice, rank them according to priority, and start formulating your plan.

If you’re thinking, “Holy cow, I am not a disaster recovery expert! How am I going to muddle through a BIA? Where would I even start?”—don’t panic. There are tons of free help resources online, including this article that includes a handy BIA template.

2. Identify your mission-critical operations.

Once you’ve completed your BIA, start ranking your mission-critical operations. These are the operations you will focus on and plan for in the event of an emergency. Obviously, your most critical operation will be patient care. It’s hard to run a practice if you don’t have patients coming in the door. But also consider the front office staff who schedule patients and the billers who submit claims. If you’re a telehealth provider, consider your Internet and software vendors. If you’re a traveling therapist, be sure to include your transportation as a mission-critical operation.

3. Identify the likely disaster scenarios.

The key word here is “likely.” List only the natural, human, or environmental disasters that realistically could impact your practice, and avoid spinning up outlandish events. Godzilla is never going to crush your building. If you live in Phoenix, you probably won’t have to deal with any blinding snowstorms, and unless your practice is located in the Midwest, you probably will not face a tornado.

As you come up with your list, think both large and small. Consider the small-scale disasters that may only affect your business. For example: city workers drilling near your clinic in the middle of the day and disrupting your Internet connection. If you have web-based medical records software, you will have no access to your scheduler, your patient information, and your documentation. To make that scenario even worse, let’s say the workers hit some pipes, and now a foul gas is leaking into your clinic and you have to evacuate your patients. Or, if you’re a home health therapist, you could walk out your front door at 6:00 AM, only to find four flat tires and oil leaking from your vehicle. These scenarios also will impact your business, so be sure to include them on your list. Identifying the likely disaster scenarios will guide your planning.

4. Develop and write your plan.

You’re in the home stretch of your disaster planning. Gather your team, your BIA, and your list of scenarios, and draft written plans for the most critical of business functions. If you need guidance, take advantage of the numerous free resources available online (like this guide and template from TechTarget). Some items to take into consideration:

  • How will you communicate with your staff and your patients in the event of an emergency?
  • How will you get your practice operational if you cannot access your clinic?
  • How will you evacuate your patients and protect them from harm?
  • How will you access your ePHI in the event of a disaster? (This is a HIPAA requirement.)

Train your staff on your DR/BCM plans and store your plans in a location you can readily access during an emergency or disaster. In other words, don’t print them and put them in a binder in your office, because if your clinic burns to the ground, you are sunk. Instead, consider storing them in a secure FTP so that your staff can access them in an emergency.

Test it Out

HIPAA requires you to test the disaster plans involving ePHI, but in the interest of preserving your business and protecting your employees, it’s a good idea to test your entire DR/BCM plan. How? An easy testing method is performing table-top testing, where you and some of your staff talk through different scenarios using your plan. If you have the time and resources, you can even act out some scenarios. This may be especially helpful when it comes to testing your evacuation plans. No matter how you test, your testing should identify the gaps in your plan. That way, you can fix those issues before you need the plan in real life. Be sure to include test scenarios for restoring and accessing your ePHI. Best practices dictate that you should test annually or whenever there is a change in your business (e.g., moving to a new location).


Disaster planning can seem like a daunting project, especially when you may never have to use your plans. However, it’s required, and it will protect your practice and your patients if you are ever faced with an emergency or disaster. Now get out there and get to planning! Have questions? Leave ’em in the comment section below.

