
HIPAA Compliance During the Coronavirus Pandemic

 March 12, 2020

By Anton Kiorolgo

Even during an ongoing emergency, HIPAA-regulated organizations must still appropriately secure patient and client information. This presents some unique challenges, but with proper planning they can be overcome.

What Is a HIPAA Contingency Plan? 

The HIPAA Security Rule, administered by the U.S. Department of Health and Human Services, requires covered entities and business associates to have a contingency plan for responding to an emergency or other occurrence (fire, vandalism, system failure, natural disaster) that damages systems containing electronic protected health information (ePHI). HIPAA sets the baseline security standards for patient privacy, and those standards remain in force even when a disaster has just occurred.

Just like a general business contingency plan, the goal is to maintain operations and minimize financial loss, while continuing to keep patient and client data secure. In the initial planning stages, decide explicitly which scenarios the plan covers: severe weather, service outages, complete network failure, human error, or deliberate misuse.

What is the Coronavirus? 

Coronavirus disease 2019 (COVID-19) is a respiratory illness caused by a novel coronavirus, SARS-CoV-2 ("novel" meaning new). The virus was identified when an outbreak occurred in Wuhan City, Hubei Province, China. 

COVID-19 is believed to spread mainly through person-to-person contact, and it is considered a global health risk, with close person-to-person exposure carrying the highest infection risk. 

At the time of writing, cases in the United States are limited and the CDC considers the immediate risk to the general public to be low. A small number of "imported" cases in travelers returning from the Wuhan City region of Hubei Province have been reported, contained, and the individuals treated. 

The disease has been reported in 37 international locations in total, and that number is growing. 

What is Being Done to Stop the Coronavirus? 

The CDC has succeeded in growing the virus (SARS-CoV-2) in cell culture and has provided it to other scientific agencies for study. It has also uploaded the full genome sequence of the strain to GenBank, the international database of genome sequences used for research. The CDC obtained the genetic material from coronavirus cases being treated within the U.S. 

Pandemic? 


The difference between the words "pandemic" and "epidemic" is largely semantics, according to Dr. Anthony Fauci, director of the US National Institute of Allergy and Infectious Diseases. 

  • "Pandemic" comes from the Greek roots "pan," meaning "all," and "demos," meaning "people." It is generally used when a disease has spread across many countries or continents and poses a worldwide risk. 
  • "Epidemic" comes from the Greek roots "epi," meaning "upon," and "demos," meaning "people." It is generally used when a disease spreads rapidly through a large population in a region over a short time. 

How Do I Stay Safe? 

  • As it is currently flu season (October – March), get your flu vaccine, and take flu antivirals as prescribed if they have been prescribed to you. 
  • Look after your own health by maintaining a healthy lifestyle, practicing proper handwashing, and keeping an eye on your health physically, mentally and emotionally. 

If You Work in the Healthcare Environment: 

  • Monitor your interactions with anyone presenting coronavirus symptoms or who has recently traveled to China, particularly Hubei Province. 
  • Follow proper infection prevention procedures. 

What Is Required? 

The Security Rule's contingency plan standard (45 CFR §164.308(a)(7)) has three required implementation specifications: a data backup plan, a disaster recovery plan, and an emergency mode operation plan. It also has two addressable specifications: testing and revision procedures, and an applications and data criticality analysis. Each is covered below. 

Disaster Recovery Plan 

Disaster recovery plans are focused on restoring any loss of an organization's data after a disaster. 

Emergency Mode Operation Plan (Continuity of Operations) 

Emergency mode operation plans are focused on maintaining the safety and security of client and patient data during a disaster situation – ensuring that HIPAA is not violated even under extreme circumstances. 

1. Develop Roles and Policies 

Well-defined roles within your organization ensure all employees understand their individual parts in the HIPAA contingency plan, preventing downtime or confusion when the plan has to be put into action. Well-defined policies go together with well-defined roles, providing the framework for carrying out the plan. Ensure that all employees understand their roles and how organizational policies affect them. 

Defined Roles 

  • Are the specific duties of each role outlined in the HIPAA contingency plans? 
  • Do the staff involved understand their specific duties, should the HIPAA contingency plan be activated? 

Communication 

  • Is the flow of communication fully outlined? 
  • Should decisions need to be escalated, does the HIPAA contingency plan direct to who will need to make them? 
  • Should the disaster conditions worsen or improve, does the communication plan change? If so, is the new flow of communication documented? 
  • Is backup equipment such as power generators or emergency water pumping equipment necessary, and is it accounted for in the plan? 

Contacting Outside Service Providers 

  • Are providers for services such as power, water, and IT on call in case a piece of equipment needs to be repaired or service restored? If they will not be available, who should be contacted instead? 

Maintaining Documentation 

  • Does the HIPAA contingency plan identify what needs to be documented, and by what staff member? Do appropriate members of staff know where to find the appropriate documentation to fill out? 

2. Identify Priorities and Create a Timeline 

The next step is to identify your organization's priorities. For example, a hospital will want to ensure power is maintained in all buildings to run essential equipment, while a cloud data storage provider will want to ensure its servers stay online. With priorities defined, set a recovery timeline: how quickly must each priority item be restored if it goes down? 

3. Identify Risks 

Is your organization reliant on a core group of employees? Prone to flooding during heavy rain? In a remote area that could be cut off during a disaster? Does the HIPAA contingency plan account for the severity of the disaster changing for the worse? This is the time to identify the key challenges that could prevent the plan from succeeding. 

4. Create Your Business Contingency Plan 

Once all stakeholders, issues, and problems to overcome have been identified, it is time to write the HIPAA contingency plan. The actions written into it are critically important, but defining the activation and deactivation stages of the plan matters just as much. 

Activation 

  • What determining factors activate the contingency plan? 
  • Who has the authority to activate the HIPAA contingency plan? 
  • How are staff notified that the HIPAA contingency plan has been activated? 
  • Have the staff been educated on where to find out more about the HIPAA contingency plan in the event it is activated? 

Deactivation 

  • What are the parameters that dictate when the HIPAA contingency plan should be deactivated and normal activity to resume? 
  • Which roles are responsible for reporting to the appropriate authorities regarding HIPAA compliance after an incident? 

5. Ongoing Maintenance 

An outdated contingency plan is as good as not having one at all. Here are some tips to ensure that your contingency plan never goes out of date (these also satisfy the Security Rule's addressable testing-and-revision and criticality-analysis specifications): 

  • Regularly re-examine what applications, data, hardware, and personnel are key to operations. Ensure these items stay a high priority in the contingency plan. 
  • Test the contingency plan periodically to judge response time, required materials, staff load, and other factors. Should flaws be found, troubleshoot them immediately and change the contingency plan accordingly. 
  • Integrate portions of the plan into normal business operations. Should the contingency plan be needed, it will not be a shock to employees, and some of the preparation will already have been completed. 

Data Back-Up Plan 

Much like paper records, electronic files are easily lost during an incident if they are not properly backed up and stored off-site. The Security Rule's data backup specification requires organizations to "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." 

Backups of Backups 

  • Has your organization considered other methods of backup outside of in-house servers, CDs, or storage devices? 
  • If your organization is utilizing cloud storage, will the cloud storage provider be affected by the same disaster as well? 
  • Will data created during the use of the business continuity plan be successfully saved? 

Data Restoration Plan 

  • Does the business continuity plan indicate what data will need to be restored if lost? 
  • If security measures such as two-factor authentication have been enabled, have all staff involved in the restoration effort been given appropriate access? 
  • Are manual restoration procedures included? 
  • Are procedures for reloading lost data documented? 

After the Disaster 

Once the dust has settled, it is time to recover in full. 

Here are a few of the most common pains when recovering from a disaster: 

Lost Data 

Lost data can be difficult to recover, as files may have become corrupted or may never have been saved when they should have been. There are multiple software products on the market that can reclaim lost data; however, it is best to leave this to a certified IT service provider or IT firm with experience in retrieving deleted or lost data. 

Equipment Damage 

In the event of an interruption such as a hurricane, fire, or tornado, equipment can become damaged. Backups of any essential equipment are essential. A business should operate on the principle that losing a piece of equipment is an annoyance rather than a catastrophic event. For example, files should be backed up with a storage solution in the cloud to prevent  

Long-Term Service Disruption 

Should outside services such as power, water, or internet go down, there will be an interim period until service can be restored. During this time, it is essential that business activities continue with as little disruption as possible. This could mean, for example, using offline printed forms that are manually scanned in or entered later, then shredded. 

Understaffing or Loss of Key Staff 

After an event, it can be a challenge for staff to reliably report to work due to road closures, loss of personal property, loss of internet service, or a variety of other causes. If your business is heavily reliant on certain key individuals, this problem is compounded. 


Disasters Don’t Have to be Disasters 

Your business doesn’t have to be set back or closed when outside conditions go south. By following a few standard procedures that require a little work, you can save your business both time and resources, and take a significant load off of the shoulders of your stakeholders and employees. 
