September is Disaster Recovery Month, which makes it a perfect time to think about disaster-proofing your practice. If you’re ready to skip this blog because you don’t think a disaster will impact your practice, consider the following factors:

  1. Not all disasters are city-wide events, and a disaster of any scale could destroy your practice. These events come in all shapes and sizes, from the sprinklers going off in your clinic and destroying your equipment, to snow storms rendering streets impassable for hours, to a gas leak permeating your clinic with a foul-smelling odor. A disaster could even be as simple as your Internet going down for the entire day, making electronic documentation, record review, and patient scheduling impossible.
  2. As a healthcare provider, you have a duty to protect your patients in the event of a disaster. Our country recently observed the tenth anniversary of Hurricane Katrina, and as such, we certainly cannot forget about all the patients trapped in humid hospital buildings after the storm—or the images of tiny babies transported to helicopters during Superstorm Sandy in 2012.

On a community and regional level, disasters are devastating. But they can also devastate individual business owners as well. Why? Because they can stall business, impact your bottom line, place your patients in harm’s way, or even expose you to compliance violations. That’s why you absolutely can’t afford to bury your head in the sand or procrastinate on disaster planning. Depending on the size of your business, disaster and business continuity (DR/BCM) planning might not take much time, but it will be your practice’s life-preserver if you ever need one. Here are some strategies and resources for building your DR/BCM plan:

Crowdsource Your Brain Power

Even if you have a small practice, you don’t have to construct your DR/BCM plan alone. Build a small coalition of colleagues who can assist with brainstorming ideas, developing strategies, planning, road-mapping, and writing it all down. Your team members will hold each other accountable for completing this task. Schedule weekly DR/BCM planning sessions in which you spend about an hour tackling this massive project one small piece at a time. Set goals for completion and roadmap your project.

If you’re a sole proprietor, join a local chapter of the Association of Contingency Planners (ACP). Membership is very affordable, the monthly meetings are highly informative, business continuity planners are really nice people, and you will meet mentors who can help you with your plan.

Listen to HIPAA

The HIPAA Security Rule requires you, as a covered entity, to:

  1. have a contingency plan to protect the availability, integrity, and confidentiality of your electronic protected health information (ePHI) in the event of a natural, human, or environmental disaster;
  2. back up your ePHI;
  3. have a disaster recovery plan in place to restore lost ePHI;
  4. have an emergency-mode operation plan to safeguard the security of PHI in the event of an emergency;
  5. identify your practice’s critical applications and hardware and determine what data must be backed up; and
  6. test all your plans.

HIPAA’s requirements are vague and will not fully protect your business and your patients in the event of a disaster. Therefore, while it’s important to implement policies and procedures to satisfy HIPAA’s requirements, you’ll have to go above and beyond these standards to ensure your practice survives an emergency.

Back Up Critical Data

Make sure you back up all of your critical data, including ePHI, employee records, and your financial information. If your electronic medical record software (EMR) is web-based, talk to your vendor about how they back up your data. Here are some questions to ask:

  • how often the system performs backups (e.g., hourly, daily, or weekly);
  • how the company backs up your data (i.e., do they store hard copies in a vault, or do they send electronic data to a second data center located far away from the primary one); and
  • how often the vendor tests its process to confirm that it is backing up the correct data and can retrieve the correct information.

Your vendor should be backing up your data at least daily, storing the backups far away from the active data and testing the backups yearly. If you’re using downloadable electronic medical record software (meaning the software is located on your hardware versus in the cloud), you may have to perform your own backups. Each software system is different, so talk with your vendor to determine the best way to back up your data.

If you use a cloud-based EMR, don’t hand off all the responsibility of data backups to your vendor. Schedule regular backups of your data in a format you can store in a location near your clinic. If you can, set up an automated process for backing up your data, and try to have more than one form of backup. Then, store one backup set off site or in a remote location. Also, make sure you store your data in a format that will be readable in the future. For example, PDFs are a good method, but floppy disks are a bad idea.

Finally, develop a contingency plan for restoring your data, including your ePHI, in the event of a disaster. If applicable, talk with your software vendor about its contingency plans. Then, implement your own contingency plan for your ePHI. This may involve storing your data backups in a secure location that is cool and dry (i.e., not your mother’s basement). If you decide to house your backups in the cloud (a process otherwise known as a secure file transfer protocol), remember that you’ll need a HIPAA business associate agreement with your cloud vendor. Be forewarned that this solution won’t be free and not all cloud solutions are HIPAA-compliant. Do your research and conduct a risk analysis before you hand over your ePHI. Some covered entities have violated HIPAA by using free cloud solutions to store ePHI. Also, if you’re storing your ePHI on mobile media (e.g., thumb drives), make sure they are encrypted, and store your encryption keys in a separate, secure location.
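The backup advice above (automate it, keep more than one copy, keep one off site, and actually test that you can restore) can be turned into a small routine. The following is an added example written for this article, not code from the original post or from any EMR vendor: it snapshots a practice folder to two destinations, records a SHA-256 manifest for each snapshot, detects a corrupted copy, performs a restore drill into a scratch directory, and checks the snapshot's age against a recovery point objective. The folder layout, file names and the 24-hour RPO are constructed for the demo; encrypting the media that holds the copies is left to the drive or cloud service, as the text recommends.

```python
"""Automated backup with an integrity manifest and a restore drill (added example)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large record exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_root: Path, label: str) -> Path:
    """Copy every file under `source` into a timestamped snapshot folder and
    write manifest.json listing a SHA-256 digest per file plus creation time."""
    snapshot = dest_root / f"{label}-{time.strftime('%Y%m%dT%H%M%S')}"
    files = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        target = snapshot / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        files[str(rel)] = sha256_of(target)  # hash the copy, not the original
    manifest = {"created": time.time(), "files": files}
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_snapshot(snapshot: Path) -> list:
    """Return a list of problems (missing or altered files); empty means intact."""
    problems = []
    manifest = json.loads((snapshot / "manifest.json").read_text())
    for rel, digest in manifest["files"].items():
        copy = snapshot / rel
        if not copy.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(copy) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def restore_test(snapshot: Path, scratch: Path) -> bool:
    """Restore drill: copy the snapshot somewhere disposable and re-verify it there."""
    if scratch.exists():
        shutil.rmtree(scratch)
    shutil.copytree(snapshot, scratch)
    return verify_snapshot(scratch) == []


def backup_age_ok(snapshot: Path, rpo_hours: float, now: float = None) -> bool:
    """True if the snapshot is younger than the recovery point objective."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    now = time.time() if now is None else now
    return (now - manifest["created"]) <= rpo_hours * 3600


def run_demo() -> dict:
    """Build a constructed sample practice folder (no real ePHI) and exercise the routine."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "practice"
        (source / "schedule").mkdir(parents=True)
        (source / "schedule" / "2015-09.csv").write_text(
            "date,patient_id,clinician\n2015-09-01,P001,Dr. A\n")
        (source / "billing.json").write_text('{"claims": 3}')

        local = make_backup(source, root / "local-backup", "local")
        offsite = make_backup(source, root / "offsite-backup", "offsite")

        # Simulate silent corruption of the local copy; the manifest catches it.
        (local / "billing.json").write_text('{"claims": 0}')

        return {
            "local_problems": verify_snapshot(local),
            "offsite_problems": verify_snapshot(offsite),
            "offsite_restore_ok": restore_test(offsite, root / "restore-drill"),
            "within_rpo": backup_age_ok(offsite, rpo_hours=24),
            "stale_after_two_days": backup_age_ok(
                offsite, rpo_hours=24, now=time.time() + 48 * 3600),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it daily from a scheduler and alerting whenever `verify_snapshot` returns problems or `backup_age_ok` returns False gives you the "at least daily, stored far away, and tested" posture the article asks for, with the restore drill providing the evidence HIPAA's testing requirement expects.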

Create a Solid Disaster Plan

HIPAA’s requirements for disaster recovery planning and emergency-mode operations planning involve more than just backing up data. You also have to establish the framework for preserving your business operations. This is where you and your team spin up a bunch of disaster scenarios and come up with solutions. Although this task seems enormous, these tips will keep it manageable:

1. Perform a business impact assessment of your operations.

The business impact assessment (BIA) is similar to a clinical initial evaluation. You will list all of the different departments in your practice, from the front desk, to facilities, to clinical operations. Schedule times to meet with all department leaders and collect the following data:

  • Number of employees in the department
  • Department processes
  • Processes that are critical to the life of the business (e.g., front office staff who schedule patients are most likely mission-critical)
  • The recovery time objective for each department (i.e., the time frame within which the department must be operational)
  • The recovery point objective (i.e., the amount of time you can tolerate not having access to your data; think beyond ePHI to consider financial systems and other tools)
  • The financial impact of losing that department or its processes

Keep in mind that this is not an exhaustive list, and you should customize the BIA to suit the needs of your business. If you’re a sole proprietor and your practice consists of you, your car, and the open road, your BIA will look different than that of a brick-and-mortar clinic, which will look different than that of a telehealth practice that delivers all of its services remotely. The most important objective of your BIA is to identify the different processes in your practice, rank them according to priority, and start formulating your plan.

If you’re thinking, “Holy cow, I am not a disaster recovery expert! How am I going to muddle through a BIA? Where would I even start?”—don’t panic. There are tons of free help resources online, including this article that includes a handy BIA template.

2. Identify your mission-critical operations

Once you’ve completed your BIA, start ranking your mission-critical operations. These are the operations you will focus on and plan for in the event of an emergency. Obviously, your most critical operation will be patient care. It’s hard to run a practice if you don’t have patients coming in the door. But also consider the front office staff who schedule patients and the billers who submit claims. If you’re a telehealth provider, consider your Internet and software vendors. If you’re a traveling therapist, be sure to include your transportation as a mission-critical operation.

3. Identify the likely disaster scenarios.

The key word here is “likely.” List only the natural, human, or environmental disasters that realistically could impact your practice, and avoid spinning up outlandish events. Godzilla is never going to crush your building. If you live in Phoenix, you probably won’t have to deal with any blinding snowstorms, and unless your practice is located in the Midwest, you probably will not face a tornado.

As you come up with your list, think both large and small. Consider the small-scale disasters that may only affect your business. For example: city workers drilling near your clinic in the middle of the day and disrupting your Internet connection. If you have web-based medical records software, you will have no access to your scheduler, your patient information, and your documentation. To make that scenario even worse, let’s say the workers hit some pipes, and now a foul gas is leaking into your clinic and you have to evacuate your patients. Or, if you’re a home health therapist, you could walk out your front door at 6:00 AM, only to find four flat tires and oil leaking from your vehicle. These scenarios also will impact your business, so be sure to include them on your list. Identifying the likely disaster scenarios will guide your planning.

4. Develop and write your plan.

You’re in the home stretch of your disaster planning. Gather your team, your BIA, and your list of scenarios, and draft written plans for the most critical of business functions. If you need guidance, take advantage of the numerous free resources available online (like this guide and template from TechTarget). Some items to take into consideration:

  • How will you communicate with your staff and your patients in the event of an emergency?
  • How will you get your practice operational if you cannot access your clinic?
  • How will you evacuate your patients and protect them from harm?
  • How will you access your ePHI in the event of a disaster? (This is a HIPAA requirement.)

Train your staff on your DR/BCM plans and store your plans in a location you can readily access during an emergency or disaster. In other words, don’t print them and put them in a binder in your office, because if your clinic burns to the ground, you are sunk. Instead, consider storing them in a secure FTP so that your staff can access them in an emergency.

Test it Out

HIPAA requires you to test the disaster plans involving ePHI, but in the interest of preserving your business and protecting your employees, it’s a good idea to test your entire DR/BCM plan. How? An easy testing method is table-top testing, where you and some of your staff talk through different scenarios using your plan. If you have the time and resources, you can even act out some scenarios. This may be especially helpful when it comes to testing your evacuation plans. No matter how you test, your testing should identify the gaps in your plan. That way, you can fix those issues before you need the plan in real life. Be sure to include test scenarios for restoring and accessing your ePHI. Best practices dictate that you should test annually or whenever there is a change in your business (e.g., moving to a new location).

Disaster planning can seem like a daunting project, especially when you may never have to use your plans. However, it’s required, and it will protect your practice and your patients if you are ever faced with an emergency or disaster. Now get out there and get to planning! Have questions? Leave ’em in the comment section below.