The Quality-Cost Connection: Health information disaster planning 101
The Quality-Cost Connection: Health information disaster planning 101
By Patrice Spath, RHIT
Brown-Spath Associates
Forest Grove, OR
Many health care facilities have an emergency disaster plan for dealing with patient care priorities, but the plan for handling information technology disasters may be vague or nonexistent. Although patients’ well-being is very important during a disaster, institutions also need to protect the technology supporting patient care. Anticipating and preparing for management of and recovery from information system disasters is just as important as preparing for continuation of patient care in the event a disaster occurs. It is not enough to have an emergency plan that only deals with maintaining patient care functions. Health care institutions also must have an information disaster recovery plan.
The Joint Commission on Accreditation of Healthcare Organizations standards for information management require evidence of planning for and assurance of data and information security, broadly defined as protection "against loss, destruction, tampering, and unauthorized access or use." This requirement encompasses issues of confidentiality, or protection of a patient’s privacy rights concerning health information, and security, which address the operational requirements of maintaining an information system. The Joint Commission’s information management standards cover both patient care and business data systems.
The accreditation standards of other organizations have requirements similar to those of the Joint Commission. For example, the Accreditation Association for Ambulatory Health Care requires organizations to have a comprehensive emergency plan that addresses internal and external emergencies and the necessary personnel, equipment, procedures, and training to carry out the plan. The Tucson, AZ-based CARF, The Rehabilitation Commission, standards for rehabilitation facilities require disaster planning, including a plan for providing critical patient care information during service disruptions.
The provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA) include many requirements directed at the information resources of health care organizations. The HIPAA regulations include a requirement that institutions have a formalized disaster recovery plan for information systems that has been tested. It is not clear at this time what type of testing is acceptable for compliance.
Development of an emergency preparedness plan for information system disasters involves:
- information gathering;
- formulation and testing of the plan;
- plan maintenance.
Information gathering
In a hospital setting, the chief information officer or health information management department director probably will take the lead in mobilizing an information management disaster team. People directly involved in patient care and business processes should be represented on the work group charged with plan development and maintenance. Once the team is formed, conduct an impact assessment. Have the team members answer questions such as:
- What are the most critical information functions or systems in my unit/department?
- Are these paper-based or electronic systems?
- Which of these systems are most critical to patient care? To business processes?
- What would be the impact if these systems were severely interrupted?
Documenting information management technology, systems, and processes already in place is a crucial starting point in the disaster recovery planning process.
Next, conduct a disaster risk assessment. The risk will vary by type and cause of the disaster. Determine what types of disasters might compromise your organization’s health information system and the relative risk of an occurrence. Whenever possible, risk assessments should be based on historical trend data and input from knowledgeable people in the community. The information-gathering phase should include meetings with steering and work teams, a tour of the facility, collection of current documentation, and question-and-answer sessions.
Now it’s time to develop your recovery strategy. Determine how you will operate during a severe disruption of services to ensure that all critical information management functions can be performed. How will you get the health information management department back up and running? Review your on-site and off-site backup and recovery procedures. For example, are you backing up critical patient information that is stored electronically? What provisions do you have for backing up critical information that is stored in paper-based information systems? Will backup information be affected if a fire or flood occurs in your building? How will electricity outages affect access to primary and backup information sources?
What if you can no longer perform work in your facility — do you have an alternative location where information management functions can be performed? Explosion, earthquake, fire, tornado, hurricane — these phenomena can damage or destroy your facility. Getting patients and medical professionals out of the building and into another is one problem; getting patient records transferred is another. If a hospital has a computerized charting system, the information can be downloaded onto a disk, while hard copies of charts must be gathered and carried out.
Formulating and testing
Once the disaster risks and possible recovery plans have been identified and thoroughly discussed, it’s time to write the emergency preparedness plan. The plan should document all components and steps from recognizing a disaster, what to do during recovery, and how information services will be restored.
The information systems disaster plan should be contained in a notebook that is kept at the institution, at employees’ homes, and at any off-site data-storage facilities. The notebook should include sections on the current environment as well as the recovery environment and action plans to follow at the time of a disaster or severe disruption, specifically describing how recovery (as defined in the strategies) for each system, process, and application is accomplished. If technology plays a key role in managing patient care information, the disaster plan also should include information about network configuration, communications closet layouts, cable diagrams, port connections, server configuration, and backup schedules.
Be sure to test the plan before an actual disaster. This will allow everyone in the organization to practice his or her responsibilities and also help to reveal any shortcomings. Testing can be done through the creation of sample scenarios that simulate likely problems. Once people have reacted to these scenarios, detailed scripts can be written up describing the steps to take in case of such an event. These scenarios and scripts should be added to the disaster plan notebook to serve as learning resources for everyone in the organization. The better prepared the organization is, the faster the recovery will be if a disaster actually occurs.
Plan maintenance
Although the disaster recovery process may never be put into action, the plan should not get obsolete. When changes occur in the work force, system, equipment, or process, the plan needs to be updated to reflect these changes. The information management disaster team should hold regular meetings (ideally quarterly) to discuss any new technologies or processes that may have been added. The team also should test disaster scenarios and develop new action plans if necessary to maintain and refine the plan. The information systems disaster plan notebook should be updated appropriately and the changes communicated throughout the organization.
As organizations become more dependent on data communications networks and telecommunications, it is critical to be able to recover quickly from a disaster. A professional audit, at least biennially, of all systems and vendors involved may be necessary to maintain the proper links of communication and to ensure the integrity of the disaster recovery plan.
Health care organizations must practice preventive medicine within their information infrastructures. Information technology is becoming the backbone of hospitals, clinics, and physicians’ offices. More providers are implementing electronic patient record systems, and network configurations between hospitals and remote clinics now allow for instantaneous transfer of patient data. If these technologies are disrupted during a disaster, then patient services are threatened.
While disasters are, by nature, sudden and destructive, they should not be unexpected, and they don’t have to destroy caregivers’ ability to access critical patient information. A well-executed and maintained recovery plan that specifically addresses information management problems is the best prescription for continuity of patient care during the worst of disasters.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.