
Security 101: Contingency Planning

November 25, 2019


You trust a bank to protect your money against theft and loss. You install a security system to protect your home from intruders. You have insurance on your car in case there’s an accident. And you have health insurance to help cover your medical bills if you get sick. During this video, we’ll take a closer look at something called Contingency Planning – why it’s important and how it will help you protect your small to medium-sized health care practice by safeguarding your Electronic Protected Health Information, or ePHI, in case of emergency.

Life is unpredictable. You may assume that your practice and ePHI are safe, but it only takes a minute to lose everything. That’s why you must have a Contingency Plan. In fact, it’s not just one of those things your boss mandates to make more busy-work. It’s actually required as part of the HIPAA Security Rule. More on that later.

For now, let’s start with the basics. A Contingency Plan in its simplest form is a safety net. It’s a way to establish strategies for making sure you don’t lose your ePHI should your organization experience an emergency or other system failure. A Contingency Plan also outlines how you can restore your data if you do suffer a data loss. Your patients are counting on you and your office. You need to take careful measures in order to protect them.

We mentioned the HIPAA Security Rule a moment ago. And that plays a big part, too. To help make sure your organizations take steps to protect ePHI, the U.S. Department of Health and Human Services, HHS, issued the HIPAA Security Rule. This Rule helps covered entities and their service providers, including small and medium-sized providers like you, to guard against and react to security incidents. These measures, which you should have in place, are called safeguards. Your Contingency Plan is one of these safeguards. Now that you see why having a Contingency Plan is important, let’s walk through how to set one up.
When you’re developing a Contingency Plan, there are five core elements that you’ll need to address. They are: Data Backup, Disaster Recovery, Emergency Mode Operation, Testing and Revision Procedures, and Applications and Data Criticality Analysis. You’ll likely realize you are already doing many of these things in order to protect yourself against outside threats.

The first core element is Data Backup. You should be backing up your ePHI on a regular basis, regardless of whether you are using a cloud-based service. Simply put, this means making copies of the information on your servers to another drive or disc, and storing them in a different location. Unpredictable things like flooding, earthquakes, power outages, or computer failures happen all the time and can threaten the security of your patient information. Once you put a Data Backup plan into effect, you’ll have exact copies of all your ePHI should you lose it. Think about things like – what ePHI must be backed up? Will the backup be stored in a secure location? Are you backing up your ePHI often enough?

Disaster Recovery will arm you with a solid game plan to restore any lost data. You’ll want to have certain things on hand, such as hard copies of forms and documents that you could use to interact with patients if systems were down, and a list identifying the emergency response team who would help restore any lost data.

The next core element is Emergency Mode Operation. If you lose power in the event of an emergency, it is critical that you have work-arounds set up, so that the processes that protect your ePHI will still function. You can do this by making sure you have the right hardware and software capability and backup locations, by providing backup power, and by training your team members. Double-check yourself by asking – what manual measures can be used if systems are down? Is contact information included for everyone who should be notified in the event of a crisis situation?
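The Data Backup questions above (are the copies exact, and are they recent enough?) can be answered mechanically rather than by assumption. The following script is an added example, not code from the article or from HHS; it compares a source directory against a backup directory by SHA-256 digest and flags copies that are missing, altered, or older than a chosen recovery point objective. The directory names, the 24-hour RPO and the sample record files are all constructed for the example.

```python
"""Backup integrity and freshness check (added example, not from the article).

Verifies that a backup directory holds byte-exact copies of every file in a
source directory and that the backup is no older than a chosen recovery point
objective (RPO). Directory names and the RPO are assumptions for the example;
the sample files are constructed inline.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large record exports are not loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def relative_files(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path, rpo_seconds: float, now: float = None) -> dict:
    """Compare a source tree with its backup tree.

    Returns a report with:
      missing - files in source that have no copy in backup
      corrupt - files whose backup copy differs byte-for-byte from the source
      extra   - files in backup that no longer exist in source (reported, not an error)
      stale   - True if the newest backup file is older than the RPO
      ok      - True only when nothing is missing, corrupt or stale
    """
    now = time.time() if now is None else now
    src = relative_files(source)
    bak = relative_files(backup)
    missing = sorted(set(src) - set(bak))
    corrupt = sorted(f for f in src if f in bak and src[f] != bak[f])
    extra = sorted(set(bak) - set(src))
    newest = max((p.stat().st_mtime for p in backup.rglob("*") if p.is_file()), default=0.0)
    stale = (now - newest) > rpo_seconds
    return {
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
        "stale": stale,
        "ok": not missing and not corrupt and not stale,
    }


def demo() -> dict:
    """Build constructed source and backup trees and run the check.

    The backup is deliberately incomplete: one file was never copied and one
    copy was altered, so the report shows how each failure mode is surfaced.
    """
    tmp = Path(tempfile.mkdtemp())
    source, backup = tmp / "ehr_data", tmp / "offsite_backup"   # assumed names
    for base in (source / "records", backup / "records"):
        base.mkdir(parents=True)
    # constructed sample files standing in for exported patient records
    (source / "records" / "patient_0001.json").write_text('{"id": 1, "note": "visit"}')
    (source / "records" / "patient_0002.json").write_text('{"id": 2, "note": "visit"}')
    (source / "schedule.csv").write_text("2019-11-25,09:00,room A\n")
    (backup / "records" / "patient_0001.json").write_text('{"id": 1, "note": "visit"}')
    (backup / "records" / "patient_0002.json").write_text('{"id": 2, "note": "VISIT"}')  # altered copy
    # schedule.csv is intentionally not copied to the backup
    return verify_backup(source, backup, rpo_seconds=24 * 3600)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:8}: {value}")
```

Run as a scheduled job against the real source and backup locations, a non-empty `missing` or `corrupt` list, or `stale` being true, is the signal that the backup plan is not delivering the exact, current copies the plan assumes; the digest comparison also catches silent corruption that a simple file-count check would miss.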
While the prior three elements of a Contingency Plan are required of all HIPAA-covered health care providers, the next two – Testing and Revision of the plan and Applications and Data Criticality Analysis – are what is called addressable. This means that you should take these actions if it would be reasonable and appropriate to do so. If you don’t think that is the case, you need to document why not and take other action that better fits the needs of your organization.

The first addressable core element is Testing and Revision of your Contingency Plan. If it is reasonable and appropriate for your organization, you should perform occasional testing to assess potential areas of weakness in your plan. You’ll want to be sure that even new staff members can follow the instructions laid out in your plan. Assess whether revising the document is necessary.

The final element to factor in when creating your Contingency Plan is Applications and Data Criticality Analysis. Give some thought to all of the information systems and devices, including your mobile devices, and how they are used to perform the critical business processes within your office. Which would need to be recovered first in the event of an emergency? Which are most important to business operations? This will help you determine how to prioritize your recovery steps.

This might seem like a lot of work, but once you have your Contingency Plan in place, you’re not only adhering to the HIPAA Security Rule, you’re doing your patients and your practice a huge service. The ePHI that your practice receives, stores, and transmits is vital to patient care. And implementing a Contingency Plan is one of the many critical safeguards that will protect it. We hope this video has opened your eyes to the importance of putting a Contingency Plan in place. For more information on the topics that we covered in this video, or to learn more about Contingency Planning, please visit the references outlined on your screen.
