Not only are healthcare system providers expected to serve the growing demands of their patients, they are expected to do so on an uninterrupted basis in a cost-contained environment. In addition, the role of healthcare providers and their business associates has increasingly been the subject of recent privacy, IT security, Emergency Management and Business Continuity regulations. Failure to comply with these new standards may result not only in decertification, loss of government payments and increased litigation, but also in the long-term effects of loss of reputation.
Add to this the array of threats from nature, from man-made causes (accidental and intentional), and from normal wear and tear on infrastructure causing utility failures, and the impact of a lack of preparedness assumes an imposing presence. It is little wonder that more and more organizations have dedicated substantial resources to mitigating the causes of disasters and to creating incident/crisis management, emergency response and business continuity/disaster recovery plans.
- Patient safety and quality of care
- Department of Health & Human Services grant of $448 million for bioterrorism preparedness and response training for hospitals and health care institutions
- The Health Insurance Portability and Accountability Act (HIPAA) mandates compliance in the following areas:
  - Applications and data criticality requirements
  - Data back-up plan
  - Disaster recovery plan
  - Emergency response plan
  - Emergency mode operation plan
  - Recovery of applications and data in a reasonable amount of time
  - Privacy and security of patient information
  - Plan testing and revision program
- Joint Commission on Accreditation of Healthcare Organizations (JCAHO) requirements
- Government Initiatives:
  - Healthcare infrastructure initiatives
  - Patient Safety Initiatives
  - Homeland Security Initiatives
  - Hospital Preparedness Grants 2003, 2004, 2005
- Move towards electronic medical records
- 24/7 access to information is mission critical
- Intra- and inter-health system communications
- High need for sharing of information
- Productivity of physicians and staff dependent upon technology
- Need to be able to prepare for disasters and spikes in demand
- Have you satisfied the regulatory requirements of HIPAA and JCAHO?
- Do you have a comprehensive risk transfer strategy combining crisis management, business continuity, emergency management, and insurance?
- Are you able to safeguard your patients, employees, critical data, and facilities?
- Have you identified the gaps between your current recovery capabilities and your recovery needs?
- Have you required your suppliers/vendors to implement a strong and viable business continuity program?
- Are you comfortable with your level of privacy and security for personally identifiable information?
- Have you created strategies that will allow for the transfer of patient and patient records in the event that a facility becomes uninhabitable or inaccessible?
A major HMO in the Northeast had been receiving internal and external audit comments regarding their lack of BCP, both from an IT, as well as a business perspective. The board of directors realized that they needed outside help. We responded with a program to help them resolve the audit comments. Step one was to analyze their needs; this was done with a Business Impact Analysis. Once the analysis was completed we determined that there was a need to relocate staff and telephones to another facility in the event that their primary facility was inaccessible or destroyed. We built a relocation plan that allowed the HMO to relocate to another one of its facilities, located 30 miles away, and we worked with their local telephone carrier to be able to reroute the phone lines within two minutes of an incident.
We helped negotiate a contract with a commercial vendor to allow for IT recovery within 48 hours. This was the cornerstone of the IT and telecom plan we created. We helped construct data backup plans as well to minimize data loss. A manual processing plan allowed the HMO to operate without IT for the first two days.
We added a full testing, maintenance and awareness program to ensure that plans and plan participants were prepared to handle any interruption in business and/or IT processing. All of this was integrated with the HMO’s existing emergency response plan to create a holistic solution.
The end result was a complete recovery plan that was regularly tested and maintained. Not only was the audit issue addressed, but the program was built to comply with the federal HIPAA regulations, thus saving the HMO the expense of another major effort.
For additional information on Risk Solutions International’s capabilities within the Healthcare sector, please contact Duane A. Lohn at DLohn@rsi-llc.com.