I just got back from four days of presenting HIPAA after the HITECH Act seminars in Kansas and Missouri, and as usual, I met a lot of great people. But as I blogged on July 24, 2011, about why more covered entities have not performed risk analysis, a similar question came up this past week as to why more covered entities have not adopted disaster plans. The events of the last week or so on the East Coast fairly dramatically demonstrate the necessity for such plans (my attorney editor’s 11-year-old granddaughter who lives in Maryland said on Facebook after Hurricane Irene had passed through over the weekend that she liked the earthquake better a few days earlier). A while back, one of my HIPAA seminar attendees came up to me after the seminar and said, “I wish I had come to your seminar years ago. I could have saved all the paper records that we lost in Katrina.” I wish that she had, too.
Section 164.308(a) of the Security Rule requires that covered entities have in place contingency plans to respond to emergencies. This standard requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan, and it requires you to address whether you need testing and revision procedures and an application and data criticality analysis (basically a risk analysis).
Almost every covered entity backs up its electronic protected health information (“EPHI”) and other critical data. But HIPAA requires a written backup plan. Remember, for HIPAA, if it’s not written, it’s not.
Most hospitals and other large covered entities have some form of disaster plan. But the disaster plan that HIPAA’s Security Rule requires is the health information disaster plan, not how to evacuate patients, such as would be in an overall disaster plan. The Security Rule disaster plan covers how to restore lost data resulting from an emergency, and the related emergency mode operation plan specifies how to continue operations and protect the security of EPHI during the emergency.
In my opinion, testing and revision should be required, not addressable. So I have all of my consulting clients address the issue and find it to be reasonable and appropriate. I wouldn’t want to find out during a power outage, for example, that the gas in the emergency back-up generator had degraded to the point that it wouldn’t fire up. I’d want to have drafted and adopted a policy as to who periodically tests it and/or drains the gas and uses it in the lawn mower and replaces it with fresh gas.
The Security Rule also requires, under the Physical Safeguards category, a contingency operation procedure that allows access to the facility to support the restoration of lost data under the disaster recovery and emergency mode operations plans.
And even if HIPAA did not require these emergency preparedness measures, good common sense would.
The Privacy Rule, which applies to all protected health information (“PHI”), including paper records, does not say that you must have these measures in place but strongly implies it in its requirement to have “appropriate safeguards” to protect PHI. See my August 19, 2011, blog entry. After all, how is the harm any different if a paper record burns up in a fire or turns into a sodden, unreadable mass from the fireman’s hoses or you cannot access the electronic health record in a power outage?
Disaster planning is not difficult. It is mostly common sense. Many resources exist for disaster planning, such as the discussion in my Compliance Guide to HIPAA and the DHHS Regulations, 4th edition, and the policies on my HIPAA Documents Resource Center CD, 4th edition. And as always, you can ask me a question about disaster preparation via this blog.