Building a HIPAA Toolbox: Part 8
Part 8: Ensure medical record availability and integrity with a contingency plan.
By Stacy Harper, JD, MHSA, CPC
Consider this: The hard drive containing your electronic health record (EHR) crashes, resulting in loss or corruption of all data. You contact your vendor to pull the backup data so it can be loaded as soon as the server is up and running. The vendor informs you that the last several full backups failed, and the most recent comprehensive backup is one month old. You thought your organization had a robust contingency plan in place. What should you do now?
There may not be a way to recover the lost data, but there are steps you can take to prevent this sort of thing from happening again.
Compliance Implications of Missing Records
Aside from the inevitable operational interruption, the loss of electronic data can have significant compliance implications for your practice. Health records provide evidence of medical necessity for services performed or ordered by the provider. Medicare and other payers not only require this information to be available, but require providers to be able to demonstrate the integrity of data in electronic form. A compromise or loss of data does not have to be complete to have compliance implications. Failure to maintain audit capabilities or user authentication may invalidate key components of the documentation necessary to support third-party billing.
The majority of safeguards under the HIPAA regulations found at 45 CFR 164 Subpart C focus on the security of electronic protected health information (ePHI) and prevention of unauthorized access, use, or disclosure of such information. Most compliance efforts under the Security Rule focus on encryption, segregation, user controls, and other safeguards that prevent unauthorized activity. Contingency planning efforts also can have a significant impact on an organization’s overall compliance, and should not be overlooked.
To minimize the risk of data loss or compromise, your organization should implement a robust contingency plan. The Security Rule specifies five components to consider when developing a contingency plan:
1. Criticality analysis;
2. Data backup;
3. Disaster recovery;
4. Contingency operations; and
5. Testing and revision.
Although criticality analysis, testing, and revision are considered addressable components (as opposed to required components), their inclusion in the process significantly affects the required components, and should not be omitted.
1. Criticality Analysis
The performance of a criticality analysis is key in effective utilization of contingency planning resources. To perform a criticality analysis, you must assess the relative criticality of specific applications and data (45 CFR 164.308(a)(7)(ii)(E)).
Criticality analysis begins with identifying applications containing ePHI. The criticality or importance of data contained in each of these systems is then prioritized. This prioritization can be used by your organization to determine where resources available for contingency planning should be used. For instance, an application that interfaces with the EHR system for transmission purposes may contain only a copy of data from the EHR. As such, the resources needed to perform backups of the data within this application may be significantly less than the resources allotted to the EHR application itself.
2. Data Backup Plan
Unlike paper records, electronic systems provide the opportunity to maintain copies of data for restoration in the event of a disaster. Each organization should develop a plan to describe how these backup files are created and maintained (45 CFR 164.308(a)(7)(ii)(A)). This plan should identify included applications, the performance frequency, and the extent of copied data.
For example, many backup plans will involve only a partial backup of changes to data daily, with a comprehensive backup on a weekly or monthly basis.
The backup plan also should consider the manner in which the data is backed up (e.g., tape, external hard drive, off-site cloud storage, etc.). When possible, the backup plan should ensure storage of backup data in a location physically separate from the primary system.
3. Disaster Recovery
Most disaster recovery plans begin with contacting the organization’s information technology (IT) department or IT vendor. Know who will coordinate the restoration process and be sure the plan includes contact information for key individuals, location of necessary data, and a process to notify other affected staff. Give thought to the manner in which data is restored (45 CFR 164.308(a)(7)(ii)(B)). Expected response times may be described in the disaster recovery policy or a vendor agreement. These response times are frequently based on prioritization of data, which should be consistent with your organization’s criticality analysis.
The data restoration process should consider specific systems and IT structure of your organization. Disaster recovery documentation should include instructions on how to grant access to individuals as needed to perform restoration services. The restoration process should include some form of validation or confirmation that all data has been accurately restored. If data is missing, provide guidelines as to how to manage the gap.
4. Emergency Operations
In the event of a data loss or compromise, focus your activities on getting the system restored; however, consider also how the organization will operate in the meantime (45 CFR 164.308(a)(7)(ii)(C)).
For most healthcare providers, simply closing the doors until systems are restored is not an option. Emergency mode operations should describe how workforce members can access information, how records should be maintained, and how the interim operations will be incorporated into the IT system once functionality is restored. For larger organizations, the emergency operation policies may be customized at the department level to address variations in storage and use of data across the organization.
5. Testing and Revision
Just as healthcare providers engage in natural disaster drills, your organization should test its contingency plan and make modifications as necessary (45 CFR 164.308(a)(7)(ii)(D)). Testing may be in the form of verifying completion of each backup process and testing backup files to ensure data can be recovered. Testing should also include workforce education and drills. It’s only through testing that an organization can determine the effectiveness of its contingency plan.
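The backup-completion check described above, as an added example that is not part of the original article: it reads a backup job history and flags any application whose last successful full backup is older than its criticality tier allows, whose recent full backups have failed in a row, or whose last good backup was never restore-tested. The tier limits, application names and job records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy: maximum age of the last successful full backup per
# criticality tier (the output of the criticality analysis).
MAX_FULL_AGE = {"critical": timedelta(days=7), "standard": timedelta(days=31)}
APPS = {"ehr": "critical", "fax-interface": "standard"}  # constructed inventory

# Constructed job history:
# (application, backup type, finished, job status, restore test passed?)
JOBS = [
    ("ehr", "full", "2024-05-05T02:00", "ok", True),
    ("ehr", "full", "2024-05-12T02:00", "failed", False),
    ("ehr", "full", "2024-05-19T02:00", "failed", False),
    ("ehr", "full", "2024-05-26T02:00", "failed", False),
    ("ehr", "full", "2024-06-02T02:00", "failed", False),
    ("ehr", "incremental", "2024-06-04T02:00", "ok", False),
    ("fax-interface", "full", "2024-05-20T03:00", "ok", True),
]

def audit_backups(jobs, apps, now):
    """Return {application: [issues]}; an empty list means the app passes."""
    findings = {}
    for app, tier in apps.items():
        fulls = sorted((datetime.fromisoformat(ts), status, tested)
                       for a, kind, ts, status, tested in jobs
                       if a == app and kind == "full")
        issues = []
        # Count failed full backups since the most recent successful one.
        streak = 0
        for _, status, _ in reversed(fulls):
            if status == "ok":
                break
            streak += 1
        if streak:
            issues.append(f"{streak} consecutive failed full backups")
        good = [(ts, tested) for ts, status, tested in fulls if status == "ok"]
        if not good:
            issues.append("no successful full backup on record")
        else:
            last_ts, tested = good[-1]
            age = now - last_ts
            if age > MAX_FULL_AGE[tier]:
                issues.append(f"last good full backup is {age.days} days old "
                              f"(limit {MAX_FULL_AGE[tier].days})")
            if not tested:
                issues.append("last good full backup was never restore-tested")
        findings[app] = issues
    return findings

if __name__ == "__main__":
    for app, issues in audit_backups(JOBS, APPS, datetime(2024, 6, 5, 9, 0)).items():
        print(app, "->", issues or "OK")
```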
With an effective contingency plan, your organization can improve the likelihood that data is maintained consistent with its record retention policies and compliance obligations. If you are affected by data loss or interruption, the plan can minimize down time and data loss, and streamline the process for workforce members.
Now, think back to the initial scenario:
- A contingency plan with testing of the backup process would’ve ensured more recent backup data would be available for restoration.
- Performing a criticality analysis would’ve prioritized the sensitivity of your EHR data, and a comprehensive backup of this component would’ve been performed weekly instead of monthly.
- A thorough disaster recovery policy would’ve provided you with a process to verify the restored data and resolve any missing information due to the time lag between backing up files and disk failure.
Your department-specific emergency operation plan provides your staff with the necessary resources to continue providing healthcare services while you manage the recovery and restoration process.
Stacy Harper, JD, MHSA, CPC, is a healthcare attorney with Lathrop & Gage LLP, serves on AAPC’s Legal Advisory Board, and is a previous member of AAPC’s National Advisory Board. She consults with healthcare providers around the country on matters of regulatory requirements such as HIPAA, data privacy and security, Stark Law, Anti-kickback Statute, state licensure, and Medicare conditions of payment and participation. Harper is a member of the Kansas City, Mo., local chapter.