Health Information Compliance Alert

Toolkit:

Plan for Disaster with These Expert Tips

Tip: Run drills to see if you are up for the challenge a catastrophe brings.

When chaos reigns, whether from a natural disaster or a cyber attack, patients’ privacy, safety, and security are at their most vulnerable. Because of the indispensable role that the healthcare industry plays, it is essential that practices and hospitals alike put patients first when outlining a HIPAA-friendly contingency plan.

Nuts and bolts: The OCR requires that all covered entities have HIPAA-secure contingency plans in place should calamities occur that may disrupt the integrity of your CEHRT. In light of past natural disasters like Hurricane Sandy as well as the onslaught of cyber attacks, the Office of Inspector General (OIG) put out a report last year highlighting the losses and impact of these events and offered guidance on how to prepare for the future. See the OIG report at: https://oig.hhs.gov/oei/reports/oei-01-14-00570.pdf.

Include These Five Requirements

The OIG report maintains that every contingency outline must include five policies to be HIPAA-compliant. Your disaster plan must include the following:

  1. A data backup plan
  2. A disaster strategy for recovering lost data
  3. An operations plan that allows for business to continue during a state of practice or hospital emergency
  4. Audit and revision of plan to ensure that it works under pressure
  5. Critical assessment of all applications to address working order

Planning Is Not Just for Hospitals Anymore

Remember that there’s more to HIPAA-contingency planning than checking the OIG’s five requirements off your checklist. And remember hospitals aren’t the only covered entities that can be impacted by an EHR outage.

The federal government’s Contingency Planning SAFER Guide warns that, “EHR unavailability, which will occur in every EHR-enabled healthcare environment, represents a significant potential patient safety hazard that directly affects patient care.” Patients could suffer from medication errors, the unavailability of radiological tests, canceled procedures, and other care issues if EHRs fail to work properly. Look at the SAFER guidelines at: https://www.healthit.gov/safer/safer-guides.

Practice Makes Perfect

It’s a good idea to implement strategies to prepare for disaster before it strikes. “Each department should have a downtime policy in place, but those will differ based on the sector’s workflow, operations, etc.,” says Bob Steele, executive vice president of clinical services with the HCI Group in Jacksonville, Fla., who has managed EHR outages during three different hurricanes. Once you establish your protocols, ensure that all staff members are aware of them and fully understand the plan, then perform annual drills to confirm that everyone can put the plan into action.

Plan ahead: Most practices have annual meetings where they discuss changes to the EHR or new policies. During these meetings, perform a “mock downtime” practice run during which your staff members demonstrate what they would do in the event of an EHR outage. These practice sessions are of the utmost importance. “Don’t wait until an outage happens, as patient lives are at stake,” Steele cautions.

Consider these things as you write up your disaster protocols:

  • Put the patient’s safety first. One of your focus areas when creating your offline EHR strategy should inevitably be patient safety, since it’s critically important, and it could suffer in the absence of electronic records. Medication administration and allergy identification should be at the top of your list, advises Steele.
  • Establish a code status system. The patient’s code status should be readily available and obtainable in emergency situations. “Do not rely on the EHR — ensure an alternative form of code status identification is in place, i.e., a colored armband, etc.” Steele says.
  • Keep test results flowing. Create a process for receiving test results by non-electronic means, particularly in fast-paced and critical care areas such as the emergency department, labor and delivery floor, and critical care unit, Steele advises.
  • Maintain your daily schedule. Ensure you have a way to keep track of appointments, admissions, therapy sessions, lab visits, and other important sessions.
  • Revert to paper. Have systems and products in place to convert to paper charting when your EHR goes down. This includes having the materials at hand, training staff on how to use them, and maintaining policies on when to use paper.
  • Utilize practice flowcharts. Your paper supply won’t be limited to encounter notes — you’ll also need ample up-to-date copies of forms and flow sheets for other departments, such as requisitions for ordering lab tests, x-rays, consultations, and other information, Steele says.

Backup: You can put systems into place that may help you get EHR access even in the event of a storm, but those aren’t foolproof, Steele says. “While generators are good and a must to have, events such as hurricanes, earthquakes, and fire can knock them out as well,” he advises. “A backup, emergency supply of all paper forms should be maintained and in current form should the occasion arise to need them.”

Resource: To read more about the HCI Group’s EHR capabilities, visit www.thehcigroup.com.