Health Information Compliance Alert

SECURITY STRATEGIES:

DON'T LET AN EMERGENCY WIPE OUT YOUR SECURITY RULE COMPLIANCE

Create a contingency plan that will prepare your staff members to handle any disaster

Don't wait for a worst-case scenario to rip through your facility to think about disaster planning. Give your staff the tools to function during any emergency and teach them to recover from a crisis without losing their cool--or your patients' PHI.

Rank Potential Emergencies

You don't want to bog your staff members down with a separate action plan for each disaster that might come your way, notes Stephen King, an information security specialist with Community Health Network in Wallingford, CT.

"You can rate disasters from full-fledged crises to small-scale events," King says. Then simply educate your team on how to handle each disaster level, he advises. That could cut your training and response times in half, he offers.

Examples: The aftermath of Hurricane Katrina can be considered a disaster; however, a pipe bursting in a waiting room is a smaller-scale emergency.

Important: There are some things you simply cannot plan for, points out Tom Williams, president of Stony Hill Management in Fredonia, WI. Do this: Develop a disaster plan based on the resources you'll need to recover.

For instance, if a pipe burst in your waiting room, you might have to cancel or reschedule patients' appointments. That cost, along with any other financial investments (including repair and refurbishing expenses), would correlate with one emergency category. The resources required to recover from a catastrophe like Hurricane Katrina would correlate with a different emergency category.

Work As A Team

Dealing with disasters isn't the job for a "one-stop-shop superman," King declares. "Everyone has to work together, or your disaster recovery plan will fail," he contends.

Good idea: Help your staffers see how interdependent they are by asking each one to list his duties within your facility. Next to his duties, ask him to explain how he'd do his job without any outside help. "Explain how each employee's role fits into a larger chain," King suggests. That will help your staff see the importance of working as a unit rather than by themselves, he says.

Back Up All Important Data

"Your information is your most valuable resource; you just can't recover without it," Williams says. You must back up your data--and test those backups--regularly.

Try this: Coach your disaster recovery or technology team to recover three or four random patients' data each month. That way, if there's a problem with your backups, you'll discover it in time to remedy the issue before a disaster strikes.

Next step: You must store your backup files in a secure location. The worst place to store your backed up information? Your office. Better: Keep your files in a place that's not subject to the same emergencies as your facility.

"You have to consider geographic disasters as well as the random things that everyone experiences," Williams counsels. For a facility in California, earthquakes could affect structures within a large radius, so backups should be sent  to an area less prone to that type of disaster.

Opportunity: Many vendors offer secure, remote hosting for your backup files. That way, you save the files electronically and the vendor maintains them in a data center thousands of miles away. Good news: Web-based solutions allow you to access your files from any location with an Internet connection.

Teach Your Team

Teach--don't just tell--your staff members what they should do if disaster strikes. "You have to coach them on how to do their specific part of the plan," says Stephen Priest, a consultant with Professor Steve & Associates in New Bedford, NH. And practice will make perfect. "When there's a disaster, you want your staff to act on instinct rather than just read from a paper," he affirms.

Get your employees ready by simulating a disaster and watching how they respond to it, experts advise. Example: Ask the medical records director to call her key person in the middle of the night. Then ask the key person to produce a telephone list of key people who must show up to handle a disaster, Priest notes.

The Bottom Line

Disasters will strike, but you can mitigate any privacy or security breaches by producing documentation that shows you coached your employees on how to respond in a crisis.

Tip: After your staff members go over and agree on a disaster recovery plan, ask them to sign the plan and keep that signature for your records, Priest recommends.

Editor's note: To request several tools to assist you in planning for an emergency, contact Tom Williams at
info@stony-hill.com.

Other Articles in this issue of

Health Information Compliance Alert

View All