Prepare Your Practice for Disaster
When there’s crisis, have a plan to ensure a swift return to normal operations.
By Debra Cascardo, MA, MPA, CFP
Being prepared for a disaster can save lives, information, and your practice. A disaster preparedness plan (also called a business continuity plan) should be part of your practice’s written policies and procedures. The goals of the disaster preparedness plan is to assure staff and patients are safely evacuated and/or treated, and to restore business operations as quickly as possible. As a healthcare business professional, you play a critical role in planning how your practice can safeguard its records and restore business functions in the event of a disaster.
Open Up Communication Lines
During and after a disaster, communication is vital. Be sure several key personnel have the phone numbers, email addresses, and home addresses of all employees. They should also have names and phone numbers of each employee’s family (emergency contacts), and contact information and account numbers for insurance agents, vendors, hospitals, colleagues, etc. This information should be easily accessible outside of the office.
Establishing a phone tree allows you to disseminate information about the disaster, quickly. Appoint one person to organize the phone tree. This person will collect contact information for all of the individuals who should be included on the list. When necessary, the organizer starts the phone tree by calling two people at the top of the list; those two people each call two people, and so on.
You also should be able to remotely access the practice’s appointment schedule in case the office is damaged to the point where patients cannot be seen, and must be alerted and rescheduled or, ideally, directed to a temporary office.
To cut down on the calls you have to make, forward the office’s phone number to an answering service or other working number, with a message informing callers of why the office is closed and how they can reach their physician and/or medical record. If there is an email list of patients, you can also send a mass notification (be sure to blind copy the names, so they are not revealed to everyone receiving the email).
If the practice has a website, promptly display a message on the site providing options for patients to access a healthcare provider or their medical record.
Tip: Experience is the best teacher. Speak to your vendors, phone systems, billing services, labs, electronic health record (EHR) providers, accountants, and others about their own disaster preparedness policies, and how they have responded to previous events.
and Secure Records
As a coder, biller, or compliance office, you’re probably most concerned with how a loss of documents will affect your work in the practice. Patient records must be accessible and secure. Documents, both paper and electronic, can be lost due to fire, flood, computer malfunction, etc. It’s critical for you to have a checklist on hand, so panic doesn’t set in.
On your checklist, have the answer to these questions:
- Are there computer drives, cash boxes, or other easily removed items that should be taken with you in case of a fire during office hours?
- Is there a designated person (and back up) responsible for that?
- Are your patient records, accounting information, contacts, and other data backed up and accessible off-site?
- Has someone been designated to communicate with the insurance carriers, vendors, and other business associates?
Recovering Data and Avoiding HIPAA Violations
Data recovery is the most important thing you can do to ensure business continuity following a disaster. Backing up patient and financial data is critical and should be done automatically. EHRs and virtual private networks can eliminate worries about the loss of patient records and other important practice data.
For “small” disasters, such as losing a laptop, thumb drive, or smartphone, it’s vital that your patients’ protected health information (PHI) is not accessible to anyone else. Be sure to have passwords, thumbprints, encryption, or other security measures in place to ensure no unauthorized person can access PHI.
Work with your information technology systems management team to be sure data is not lost or vulnerable in a disaster and that disrupted systems are quickly restored. All critical files should be secure, backed up, and accessible from anywhere. Assess your current network structure, systems, and backup plans to make sure there’s a contingency plan if Internet service and/or power outages affect the entire area. Check to see if there are redundant power supplies on more critical equipment, such as firewalls/routers, switches, and file servers.
After a disaster has been met and resolved, it’s time to get the practice back on track. This will happen more quickly if you have already determined who will contact staff, patients, vendors, insurance agents, etc., about your office’s status. All personnel must know and support the key people in your facility and community who are responsible for managing recovery efforts. Name these people in your plan and the tasks for which they are responsible.
Tip: You might want to name and train backup recovery personnel for specific tasks in case someone cannot fulfill his or her duties.
Whether you can return to your office or need to set up a satellite office is irrelevant if you have arranged to have your patient records, accounting records, vendor contact information, and other data stored electronically off-site and remotely accessible. Have an “emergency kit” to keep the practice running if unable to return to the office. Keep basic forms, such as insurance and lab request forms, prescription pads, and staff and patient lists in the kit, stored electronically and offsite. Ideally, you should prearrange with a colleague to temporarily share office space in the event of a disaster that precludes a return to your office.
Be Flexible, and Update Often
A good disaster recovery plan includes contingency plans for multiple scenarios:
- What needs to be done immediately?
- What needs to be done within 24 hours?
- What needs to be done if the disaster will affect your business for several days, a week, a month, or longer?
If your organization has multiple offices, you may need to make more specific plans for individual locations.
A disaster resulting in a temporary cessation of practice operations does not mean a permanent shut down — if you are prepared. With a plan in place for data storage and retrieval and proper insurance coverage, you can meet and overcome a disaster. Patients can be seen and payers can be billed.
Debra Cascardo, MA, MPA, CFP, is the owner of The Cascardo Consulting Group, a Fellow of the New York Academy of Medicine, and a healthcare journalist.