Medicare Compliance & Reimbursement

HIPAA:

Disaster Zone: Be Prepared with HIPAA-Ready, EHR-Contingency Plans

OIG looks for five practice policies when reviewing for compliance after a natural disaster or cyber attack.

A catastrophe is defined as an event causing great and often sudden damage. In the wake of such natural and manmade disasters, health care providers are usually the first on the scene, helping others, assessing the medical toll, and offering their crucial, timely care.

When chaos reigns during these tumultuous times, patients’ safety and security are at their most vulnerable. Because the healthcare industry plays such an indispensable role when the stakes are this high, it is essential that practices and hospitals alike put patients first when outlining a HIPAA-friendly contingency plan.

Background. The Office of Civil Rights (OCR) requires that all covered entities have HIPAA-secure contingency plans in place should calamities occur that may disrupt the integrity of EHRs. The HIPAA Security Rule specifies how the plan should be laid out to prepare for a variety of scenarios, from natural disasters like flood or fire to disturbances caused by digital piracy.

After EHR issues accumulated with Superstorm Sandy and cyberattacks in a Boston hospital in 2014, the OIG felt more research needed to be done on the subject of HIPAA and contingency planning. The study looked at a variety of factors concerned with the planning that took place before the disasters struck and how the EHRs and the contingency plans were implemented during the outages. Take a look at the report here, https://oig.hhs.gov/oei/reports/oei-01-14-00570.pdf.

The OIG studied these problems, “to gain a deeper knowledge of hospital EHR contingency plans and experiences, we also conducted site visits at six hospitals, where we interviewed hospital staff and reviewed EHR contingency plans and related documents,” a 2016 OIG report states.

Results. Extensive data garnered from the surveys sent out to 400 hospitals showed that about 95 percent had EHR contingency plans in place, the OIG report suggested. The questions dealt with how the hospitals integrated the five required HIPAA rules into their planning, whether or not they employed recommendations from the National Institute for Standards and Technology (NIST) and the ONC, and how staff members handled EHR disruptions.

What The Report Uncovered

The majority of those surveyed were addressing EHR issues with security and safety under duress, but many groups’ contingency plans lacked the five necessary HIPAA requirements to make them complete. Unfortunately, the findings showed that because of the lack of some of these requirements, EHRs were disrupted and patient care was affected.

Five important rules. The OIG report maintains that every contingency plan must include five policies to make them HIPAA-compliant. All covered entities must include the following HIPAA fundamentals:

  • A data backup plan
  • A disaster strategy for recovering lost data
  • An operations plan that allows for business to continue during a state of practice or hospital emergency
  • Audit and revision of the plan to ensure that it works under pressure
  • Critical assessment of all applications to address working order

Final thought. As healthcare relies more heavily on technology, there really is no excuse for the lack of an EHR-contingency plan. With new EHRs from ONC-sponsored vendors on the horizon as MACRA approaches, now is the time to look for an easy-to-use program that can readily adopt a HIPAA-compliant contingency plan.