Hurricane Irene was not as severe in many northern states as she was expected to be. But Irene reminds us of the importance of having contingency and disaster recovery plans in place for our protected health information (PHI) and electronic PHI (ePHI). A colleague reported to me that several of his lower New England clients lost “everything.” They had not yet transitioned to an EHR, and had lost all of their patients’ paper records. Others lost access to their EHRs during the power outage. What to do?
No one likes to think about these things. Like buying life or homeowners insurance – who wants to consider the worst? But this is exactly what the law requires you to do: consider the worst and prepare for it, especially when it comes to safeguarding your patients’ PHI and ePHI.
Bottom line: the HIPAA Security Rule, at 45 CFR § 164.308(a)(7), requires contingency planning. That means having a plan to protect the patient data in your possession. You are required to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems containing ePHI. And although the HIPAA Security Rule focuses on electronic records, the HIPAA Privacy Rule and both state and federal (HITECH) breach notification requirements compel us to make reasonable efforts to protect data in any form, paper included.
The HIPAA Security Rule/Contingency Plan standard includes five implementation specifications:
1. Data Backup Plan (Required)
2. Disaster Recovery Plan (Required)
3. Emergency Mode Operation Plan (Required)
4. Testing and Revision Procedures (Addressable)
5. Applications and Data Criticality Analysis (Addressable)
Remember that “addressable” does not mean optional. It means conducting an analysis and determining whether your practice will implement the specification as written, implement an equivalent alternative measure, or document why neither is reasonable and appropriate. In every case you need to document your thinking and your determination.
All of this goes hand-in-hand with a formal analysis of the risks to your patient data, including an assessment of the likely threats and vulnerabilities. Your contingency/disaster recovery plan should include administrative, technical and physical safeguards that adequately and reasonably address the risks identified in your analysis, along with a policy and process covering backup, storage, and recovery of your ePHI. From a breach prevention perspective, it should also cover the physical safeguards for your paper records and your portable media.
When evaluating a disaster recovery plan for HIPAA compliance, consider whether data can be moved to the disaster recovery site without violating the privacy and security standards along the way. (One of the biggest breaches on record in the U.S. was by a business associate of the New York City Health and Hospitals Corporation, which left back-up tapes unattended at a stop en route to storage. The back-ups disappeared, impacting upwards of 1.7 million individuals. Consider the costs of the notices in multiple languages and the free consumer credit reporting for those affected, as a start.)
You must also understand your vendor’s ability to restore operations and safeguards at another site, if that is your contingency plan. Your vendor must be able to demonstrate and explain the safety of its back-up systems, including the mechanics of restoration and the security protections that remain in force during and after a restore.
So remember to keep contingency planning high on your list, especially as the OCR HIPAA audits begin.