Will Your Organization Weather a Storm…or Other Catastrophe?

Superstorm Sandy has had a major impact on the lives of large numbers of our fellow Americans and colleagues who live in the Northeast U.S. The loss of life, property, and access to conveniences like electricity, warm showers, and transportation has made clear how vulnerable we are to the impacts of catastrophic events.

Sandy has also given us the unfortunate opportunity to evaluate the policies and procedures we have in place for dealing with physical catastrophes.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities have a Contingency Plan in place (Standard § 164.308(a)(7), Contingency Plan, see page 19). The Contingency Plan standard requires that covered entities:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

This requirement is not aimed at giving you one more thing to do. Its purpose is to protect the health information of your patients and to make sure that they have access to continuing care. Hurricane Andrew in 1992 and Hurricane Katrina in 2005 demonstrated how poorly prepared we have been to maintain continuity of care for our patients. The requirements of HIPAA are designed to prevent failures on that scale from happening again.

The FiercePracticeManagement newsletter suggests three key steps:

  1. Know how your remote data is stored and how it can be accessed. This assumes that your data is stored offsite, as it should be. Knowing exactly where it is and how to reach it, so you can get your system back up and running without delay, is crucial.
  2. Duplicate needed paper records and have them with you. Make sure you have a copy of your schedule with you, along with a way to contact your patients so you can let them know your alternative arrangements for meeting with them.
  3. Plan where you will relocate physical data. Know in advance where that alternative location will be so you can regain access to your data quickly.


In HealthCare IT News, Benjamin Harris covers some of the same ground. He also suggests three basic processes, but starts at a more fundamental level.

  1. On-site safety. How are your hardware, software, and record systems protected at your site? Is your server located in the building basement along with the generator? As Sandy demonstrated, the basement is not the best location for such equipment or records in the case of flooding . . . something that had previously been an issue in hurricanes Andrew and Katrina.
  2. Off-site data. If you are relying on a remote (cloud) storage facility, or you need to reach your data over the Internet, what do you do if your ISP (internet service provider) is down? And if your EHR is an online product, what do you do if those remote computers are underwater and without electricity? Having your schedules for the next week, and treatment summaries for each of those patients, printed out gives you a week of buffer time while your vendors get back up and running.
  3. Accessibility. If your remote storage or providers are outside the affected area, or can restore access to backups quickly, then being able to connect to them becomes your responsibility. You can tether your laptop to your cell phone to reach your service or data in an emergency, as long as you have prepared and tested this in advance.


Madeline Hyden of the Medical Group Management Association (MGMA) suggests a slightly different but very practical list of steps.

  1. Secure your electronic information.
  2. Get the support of your professional colleagues.
  3. Immediately start securing new office space.
  4. Establish authority: Make sure someone in your organization is responsible for activating your contingency plan and has the authority to do so.
  5. Communicate with your vendors (hardware, software, backup services, electrical company, landlord, billing service, answering service).
  6. Develop a notification protocol: decide who to contact and how and who does the contacting. Determine just what they will be told.
  7. Communicate honestly with your patients.
  8. Protect your records so you are sure you can have access even if your main system is not accessible.
  9. Practice your emergency plan. If you have not done so, it is possible you will be too traumatized to carry it out.

If you are not sure how to go about establishing a contingency plan, AHIMA has some suggestions for you. This does not need to be a complicated process, but it is a process you need to address if you have not already done so. After all, the U.S. Northeast coast did not think it was susceptible to a hurricane-like storm that could cause such disruption.

Whether it is hurricanes, snowstorms, tornadoes, earthquakes, or fires, our electrical systems and business facilities are not impervious to disasters. We must be prepared so our patients can rely upon continued care. Behavioral health clients are especially susceptible to negative consequences from disruptive events. After all, they are likely to have just experienced the same trauma you did.

We hope all our SOS customers and their patients are safe and recovering in the aftermath of Sandy. We hope that you, our readers, will share your experiences and how you have assured the security of your data.


Ongoing HIPAA Care: What is your plan?

Here at SOS Software, we have been in an ongoing process to develop, maintain, and implement detailed policies and procedures to assure that we are doing everything possible to act as responsible Business Associates to our Covered Entity customers. We have been holding monthly training for our staff in which we all take a pre-test, watch an instructional video together, discuss what we have learned, take a post-test to measure how much we have learned, then discuss the results of our testing to be sure we all understand these important concepts.

HIPAA (Health Insurance Portability and Accountability Act of 1996) mandated that electronically stored protected health information (PHI) be handled in such a fashion as to assure the privacy of the patients to whom it belongs. The HITECH (Health Information Technology for Economic and Clinical Health) sections of ARRA (the American Recovery and Reinvestment Act of 2009) also required additional security measures be utilized for all PHI. HITECH extended the same privacy and security requirements to Business Associates of Covered Entities as to the entities themselves.

We have been distressed to find that many of our customers have no idea what HIPAA actually requires. While it is true that the requirements are scalable (small organizations like solo psychiatric or psychological practices do not need to do as much as large ones), some customers seem to think that scalability means they need to do nothing since they are not a community mental health center or a hospital. This is far from accurate.

Every organization that handles PHI is responsible for assuring that the privacy and security of that information is guaranteed. Not doing a security risk assessment, not having an incident response plan, not having a disaster plan, not having usable backups of your patient information off site . . . any of these could easily be considered “willful neglect” by the Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA. If an unhappy patient reports you to OCR for ignoring the requirements of HIPAA and you are found guilty of “willful neglect”, OCR must penalize you. Are you prepared to pay a fine of at least $10,000 to $50,000 . . . or worse?

If the items I just mentioned above are not very familiar to you, that means you and your organization may not have done your HIPAA homework. You may not need to start at the beginning, but reviewing some of our old posts and links might help you get started. We have found that there are many resources available on the Internet free or at low cost. You might consider some of those. Seth plans to attend a free webinar he got notice of last week. He has started a workgroup of some of our customers who are trying to help themselves and one another move their security and privacy programs forward.

What do you need to do to become HIPAA compliant?

What do you or your organization already do to assure your compliance?

Do you know who your Privacy Officer is?

Please share some of the steps you and your organization have taken to assure that your organization is HIPAA compliant. Let us know what you do on an ongoing basis to be sure new employees are educated to the requirements. Just enter your comments below.


Emailing Reports From First Contact

While secure email systems are available for sending documents containing Protected Health Information (PHI), ordinary email is not end-to-end encrypted: a message can be read in transit or on the mail servers it passes through by parties other than the intended recipient. For this reason, it is a best practice to send such documents as encrypted, password-protected PDF files. Keep in mind that the protection is only as strong as the password you choose, so use a long one that cannot be guessed from the patient's or practice's name.

When viewing an intake form in First Contact, you will notice that there is an icon in the toolbar with the caption “Email Provider”.


Clicking that icon generates a report in the same format as the screen display and opens it in a report preview window. Either click File > Export Document > PDF


… or click the Export Document icon on the toolbar.


In the Export Options window, click the field next to Password Security. Another window will open. Check the first box, Require a password to open the document, and type the desired password in the indicated field. When you click OK at the bottom of that window, a confirmation box will appear; re-type the password and click OK. That window closes and you are back at Export Options. Click OK there, then choose the location and name for the protected PDF file. Take note of both, because you will need them to attach the file to your email.


You will find yourself back at the report preview window. Just close that window with the X icon.

Open your email application, create your message, and attach the document you just created. If you have not already shared the document password with the recipient, send it separately by fax or phone. Do not include it in the body of the email, as that would defeat the whole purpose of encrypting the document. Sending the password in a second email is almost as insecure, since both messages travel the same path. If you will be sending documents to this recipient on a regular basis, it is probably best to agree on a standard, long password that you will use for that purpose and share it with the recipient beforehand through one of those out-of-band channels.
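One check worth making before the file goes into the email: confirm that the exported PDF really carries encryption, and which kind, since a report exported without the Password Security box ticked is plain text, and a 40-bit RC4 key can be brute-forced no matter how good the password is. The following is an added Python example, not code from First Contact or the original post. It reads the PDF trailer for an /Encrypt reference, resolves that object, and maps the standard security handler's /V, /R and crypt-filter entries to an algorithm name. The function names (`inspect_pdf_encryption`, `assess`, `build_sample_pdf`) and the sample Encrypt dictionaries with all-zero placeholder /O and /U values are constructed for this example and are not real exports.

```python
"""Check that an exported PDF is really encrypted before it goes into email.

Added example, not code from First Contact or the original post. Sample PDFs
are constructed inline (placeholder /O and /U values) only to exercise the
parser; they are not real First Contact exports and will not open in a viewer.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class EncryptionInfo:
    encrypted: bool
    algorithm: str            # "none", "RC4-40", "RC4-128", "AES-128", "AES-256", "unknown ..."
    revision: Optional[int] = None


def _int_key(body: bytes, key: bytes) -> Optional[int]:
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else None


def _name_key(body: bytes, key: bytes) -> Optional[str]:
    m = re.search(rb"/" + key + rb"\s*/(\w+)", body)
    return m.group(1).decode() if m else None


def _object_body(pdf: bytes, num: int, gen: int) -> Optional[bytes]:
    """Body of 'num gen obj ... endobj'; the last copy wins because incremental
    updates append newer versions of an object to the end of the file."""
    found = list(re.finditer(rb"(?<![0-9])%d\s+%d\s+obj\b(.*?)endobj" % (num, gen), pdf, re.S))
    return found[-1].group(1) if found else None


def _split_cf(body: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Cut the nested /CF << ... >> dictionary out of the Encrypt dictionary so the
    top-level /V, /R and /Length are not confused with the ones inside the filter."""
    m = re.search(rb"/CF\s*<<", body)
    if not m:
        return body, None
    i, depth = m.end(), 1
    while i < len(body) and depth:
        if body.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif body.startswith(b">>", i):
            depth, i = depth - 1, i + 2
        else:
            i += 1
    return body[:m.start()] + body[i:], body[m.end():i - 2]


def inspect_pdf_encryption(pdf: bytes) -> EncryptionInfo:
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not refs:
        return EncryptionInfo(False, "none")
    num, gen = (int(x) for x in refs[-1])            # last trailer is the current one
    body = _object_body(pdf, num, gen)
    if body is None:
        return EncryptionInfo(True, "unknown (Encrypt object not found)")
    top, cf = _split_cf(body)
    revision = _int_key(top, b"R")
    if _name_key(top, b"Filter") != "Standard":
        return EncryptionInfo(True, "unknown (non-Standard security handler)", revision)
    v = _int_key(top, b"V") or 0
    length = _int_key(top, b"Length") or 40          # key length in bits; spec default is 40
    if v == 1:
        algorithm = "RC4-40"
    elif v in (2, 3):
        algorithm = f"RC4-{length}"
    elif v == 4:                                     # crypt filters: AESV2 or RC4 (V2) or none
        cfm = _name_key(cf or b"", b"CFM")
        algorithm = {"AESV2": "AES-128", "V2": f"RC4-{length}"}.get(cfm, "none (Identity crypt filter)")
    elif v == 5:
        algorithm = "AES-256"
    else:
        algorithm = f"unknown (V={v})"
    return EncryptionInfo(True, algorithm, revision)


def assess(info: EncryptionInfo) -> str:
    """'plaintext': do not send. 'weak': 40-bit RC4 is brute-forceable regardless of
    password. 'encrypted': protection now rests on the password you chose.
    Caveat: a file with only an owner password (empty user password) also reports
    'encrypted' here yet opens without a prompt, so open it yourself to confirm."""
    if not info.encrypted or info.algorithm.startswith("none"):
        return "plaintext"
    if info.algorithm == "RC4-40" or info.algorithm.startswith("unknown"):
        return "weak"
    return "encrypted"


def _zeros(n: int) -> bytes:      # placeholder hex string for /O and /U (constructed, not real)
    return b"<" + b"00" * n + b">"


WEAK_ENCRYPT = b"<< /Filter /Standard /V 1 /R 2 /P -3904 /O " + _zeros(32) + b" /U " + _zeros(32) + b" >>"
AES128_ENCRYPT = (b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -3904 "
                  b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> "
                  b"/StmF /StdCF /StrF /StdCF /O " + _zeros(32) + b" /U " + _zeros(32) + b" >>")
AES256_ENCRYPT = (b"<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904 "
                  b"/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> "
                  b"/StmF /StdCF /StrF /StdCF /O " + _zeros(48) + b" /U " + _zeros(48) + b" >>")


def build_sample_pdf(encrypt_dict: Optional[bytes]) -> bytes:
    """Constructed minimal PDF (catalog, one empty page, correct xref offsets) for
    testing the check. If encrypt_dict is given it becomes object 4 and the trailer
    points at it. This is a test fixture, not a First Contact export."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"]
    if encrypt_dict is not None:
        objs.append(encrypt_dict)
    out, offsets = bytearray(b"%PDF-1.6\n"), []
    for i, obj in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    trailer = b"/Size %d /Root 1 0 R /ID [<%s> <%s>]" % (len(objs) + 1, b"ab" * 16, b"ab" * 16)
    if encrypt_dict is not None:
        trailer += b" /Encrypt %d 0 R" % len(objs)
    out += b"trailer\n<< %s >>\nstartxref\n%d\n%%%%EOF\n" % (trailer, xref_at)
    return bytes(out)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(AES256_ENCRYPT)
    info = inspect_pdf_encryption(data)
    print(f"{info.algorithm} (R{info.revision}) -> {assess(info)}")
```

Run it as `python check_pdf.py report.pdf` on the file you are about to attach; anything other than "encrypted" means re-export with Password Security enabled, or ask the vendor to confirm the exporter uses AES rather than 40-bit RC4. The trailer scan is deliberately simple (it does not walk cross-reference streams or verify the /U value), so treat it as a pre-send sanity check, not proof that the password is set.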

UCLA and WellPoint Fined for Data Breaches

I am sure many of you remember the reports dating back to 2005 that celebrity patient files were being viewed by casual lookers…employees who had access to the University of California at Los Angeles (UCLA) Health System electronic medical record (EMR) but who had no legitimate reason to view those records. Well, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has entered into an agreement with UCLA Health System (UCLAHS) to settle potential HIPAA violations for $865,500. Additionally, UCLA has committed to correcting gaps in its security, improving its policies and procedures to better safeguard patient information, and adequately educating its employees.

In a separate case, FierceHealthPayer reported that WellPoint will pay $100,000 to the state of Indiana because it waited several months before notifying Indiana officials of a security breach that could have exposed the data of 32,000 members. It also will reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.

For me, the important issues here are the following:

  • OCR is serious about data breaches and safeguarding patient protected health information (PHI).
  • State laws are just as important as Federal law. You must know and follow those local regulations as well as HIPAA and HITECH.
  • The cost of a data breach is significant and would put many small provider organizations out of business.

Have you reviewed your security and privacy practices and policies this year? Are you confident that your PHI practices are solid and that your employees are using the procedures as written? How do you review these and how do you educate your employees?

Please share your experiences and concerns about data privacy and security with us below.

Social Media, Data Breaches and Behavioral Health PHI

I am not sure why I continue to attend free webinars about data breaches. They mostly serve to make me extremely anxious for our customers . . . especially for those who have not created a data security plan or have given little thought to their responsibilities for protecting the privacy of their patients’ Protected Health Information (PHI).

You all certainly know about the requirements that HIPAA and the HITECH portion of ARRA placed upon healthcare providers. You must protect the privacy and security of PHI. You must have assessed the risks to the security of your data and have a plan in place for mitigating any potential consequences of security breach.

The problem is that new potential complications arise all the time. This morning’s webinar was about social media and the potential security risks added by use of those media. It was presented by ID Experts, a company that specializes in an online tool that guides you through handling a data breach when it occurs. They believe that one must assume that such breaches will occur. . . and be ready to react at a moment’s notice.

Do you have a social media policy at work? Are you allowed to use Facebook or Twitter from your work computer? What about from the smart phone your employer pays for? Are you allowed to access your personal email account from the same computer on which PHI is stored? Today’s presenters talked about all the potential pitfalls of such capabilities, since most social media sites are not encrypted and offer only marginal security.

I left the webinar feeling anxious for our customers who do not pay attention to these matters. What will they do when they have a data breach? What will you do?

Please share your comments…