Superstorm Sandy has had a major impact on the lives of large numbers of our fellow Americans and colleagues who live in the Northeast U.S. The loss of life, property, and access to conveniences like electricity, warm showers, and transportation has made clear how vulnerable we are to the impacts of catastrophic events.
Sandy has also given us the unfortunate opportunity to evaluate the policies and procedures we have in place for dealing with physical catastrophes.
The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations have in place a Contingency Plan (STANDARD § 164.308(a)(7) Contingency Plan, see page 19):
The Contingency Plan standard requires that covered entities:
“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
This requirement is not aimed at giving you one more thing to do. The purpose is to protect the health information of your patients and to make sure that they have access to continuing care. Hurricane Andrew in 1992 and Hurricane Katrina in 2005 demonstrated how poorly prepared we have been to maintain continuity of care for our patients. The requirements of HIPAA are designed to prevent failures on that scale from happening again.
The FiercePracticeManagement newsletter suggests three key steps.
- Know how your remote data is stored and can be accessed. This assumes that you have your data stored offsite, as it should be. Knowing just where it is and how to access it so you can get your system back up and running without delay is crucial.
- Duplicate needed paper and have it with you. Make sure you have a copy of your schedule with you. Make sure you also have ways to contact your patients so you can let them know your alternative arrangements for meeting with them.
- Plan where you will relocate physical data. Know where that alternative location will be so you can get access to your data again quickly.
In HealthCare IT News, Benjamin Harris covers some of the same ground. He also suggests three basic processes, but starts at a more basic level.
- On-site safety. How are your hardware, software, and record systems protected at your site? Is your server located in the building basement along with the generator? As demonstrated by Sandy, the basement is not the best location for such equipment or records in the case of flooding . . . something that had previously been an issue in hurricanes Andrew and Katrina.
- Off-site data. If you are relying on a remote (cloud) storage facility or you need to access your data by means of the Internet, what do you do if your ISP (internet service provider) is down? And if your EHR is an online product, what do you do if those remote computers are underwater and without electricity? Having your schedules for the next week and treatment summaries for each of those patients printed out gives you a week of buffer time to give your vendors a chance to get back up and running.
- Accessibility. If you are using such remote storage or providers and they are not in the affected area or can implement access to backups quickly, having the capability of connecting to them becomes your responsibility. You can tether your laptop to your cell phone to reach your service or data in an emergency, as long as you have prepared in advance.
Madeline Hyden of the Medical Group Management Association (MGMA) suggests a slightly different but very practical list of steps.
- Secure your electronic information.
- Get the support of your professional colleagues.
- Immediately start securing new office space.
- Establish authority: Make sure someone in your organization is responsible for activating your contingency plan and has the authority to do so.
- Communicate with your vendors (hardware, software, backup services, electrical company, landlord, billing service, answering service).
- Develop a notification protocol: decide who to contact, how to contact them, and who does the contacting. Determine just what they will be told.
- Communicate honestly with your patients.
- Protect your records so you are sure you can have access even if your main system is not accessible.
- Practice your emergency plan. If you have not done so, it is possible you will be too traumatized to carry it out.
If you are not sure how to go about establishing a contingency plan, AHIMA has some suggestions for you. This does not need to be a complicated process, but it is a process you need to address if you have not already done so. After all, the U.S. northeast coast did not think they were susceptible to a hurricane-like storm that could cause such disruption.
Whether it is hurricanes, snowstorms, tornadoes, earthquakes, or fires, our electrical systems and business facilities are not impervious to disasters. We must be prepared so our patients can rely upon continued care. Behavioral health clients are especially susceptible to negative consequences from disruptive events. After all, they are likely to have just experienced the same trauma you did.
We hope all our SOS customers and their patients are safe and recovering in the aftermath of Sandy. We hope that you, our readers, will share your experiences and how you have assured the security of your data.
Kathy says:
There was active discussion on our user group yesterday about CPT Code changes. The National Council has created a web page to gather together all this information. If you have questions, check it out.
http://www.thenationalcouncil.org/cs/cpt_codes
Nancy @ Advanced Psychotherapy says:
We learned firsthand when Hurricane Katrina wiped out our office. Half our files ended up in the Gulf of Mexico and the rest were water damaged and had to be shredded. Luckily, I had taken home the computer towers, appt schedules and paperwork so I worked from home til we found a new place to practice. We were unable to see patients for 3 weeks. We have a disaster plan now and had a threat this summer with Isaac. We also moved our office away from the beach! Best of luck to those going thru this process with Sandy. I hope we never have the experience again.
Kathy says:
Thanks for sharing your experience, Nancy. You were one of the folks I was thinking of when I wrote this article! When Andrew and Katrina struck, no one had a plan. Would you mind sharing some of what is in your plan just to give concrete examples to everyone?
Seth Krieger says:
While printouts might be the most practical way to be sure you have access to critical patient information, it could also end up being a disaster within a disaster if you lose those paper records during what could be a rather chaotic time. Misplacing that stack of printouts would be a data breach, requiring you to file a report with HHS, potentially subjecting you to significant expense, damaging your professional reputation, and, of course, exposing your patients to identity theft or other problems.
Instead of printouts, you might want to consider exporting the critical records, perhaps in PDF form, to an encrypted flash drive. Assuming you relocate to somewhere with electricity, or you have access to a charged laptop, you could refer to the records without the risk of a data breach.
Another option would be saving a copy of those records on your cellphone or tablet computer if you have sufficient storage space — BUT ONLY IF THE DEVICE IS ENCRYPTED!
Kathy says:
Thanks for these reminders, Seth. Just because it is an emergency does not mean you are excused from the need to protect the privacy of the data. Remember everyone, encrypt, Encrypt, ENCRYPT! This is the only way to guarantee safe harbor in case of loss of the data or breach of your systems.
I just got a newsletter that contained an article about EHRs being very helpful during Sandy. Of course, it also talks about hosts that were knocked out by the storm. Nothing is totally safe!