Disaster Recovery Plan: Are You Prepared?

Considering the increase in extreme weather events over the past decade – and continued natural disaster increases projected for the future – what’s your data backup plan? The HIPAA Security Rule requires all Covered Entities (CEs) to draft a disaster recovery plan, by service definition, that includes what measures your agency will take in the event of a natural disaster. Are you prepared?

Contingency Plan

Federal law requires that CEs must implement protocols to safeguard – and ensure access – to electronic Protected Health Information (ePHI), including a contingency plan to secure continued availability to ePHI during emergencies or disasters.

However, ePHI isn’t accessible without use of a data processing application, such as Electronic Health Records (EHR) or Practice Management System software – which means that the data can only be recovered with those systems, and their utilization needs to be included in the contingency plan.

Data Backup Plan, Methods

Most data recovery centers recapture ePHI by using either data backups or replication:

• Data backups are to removable media such as CDs, flash drives, etc – or to storage systems such as dedicated backup appliances. Data backups are typically: taken regularly, duplicated, and stored both on and off site to maintain multiple versions of the data.

• Data replication copies ePHI to another site, which might be a host, network, or storage system facility. Data replication can be booked to happen on a certain schedule; or copies of the data can be made while the information is being modified (synchronous mirroring).

Data Backup Plan, Site Types

To be successful, disaster recovery depends on utilization of an alternate or secondary site. There are typically three options available:

• Cold Site: provides only power, cooling, and networking. Servers, switches and storage hardware must be supplied. If choosing a cold site, you will need to ship any necessary hardware to the site, as well as all backup data.

• Warm Site: adds enough servers, switches and storage hardware to support ePHI operations during a disaster. If choosing a warm site, backup data must be transported to the site.

• Hot Site: offers warm site hardware, plus continuous mirroring of ePHI to make disaster recovery faster and more efficient.

For all three site types, servers, networking and software systems will need to be reconfigured onsite to support emergency operations.

Disaster Recovery Plan (DRP)

In addition to the Data Backup Plan (securing ePHI backup and an alternate site arrangement), you must also implement a disaster recovery and emergency mode operations plan. The data backup plan creates systems to allow for the recovery of all ePHI. The disaster recovery plan establishes protocols needed to make sure ePHI can be restored in case of loss. The emergency mode operation plan provides a method for operations to continue to safeguard ePHI during an emergency.

While HIPAA disaster recovery requirements break these into two separate policies, many HIPAA compliance consultants cover both mandates with an integrated Disaster Recovery Plan (DRP). Any DRP should encompass the following:

• Disaster Declaration – ePHI might be comprised by a significant disaster, such as a hurricane, that requires a practice to work in an alternate location (which can be costly) – or a smaller threat, such as a power fluctuation. Whether the data threat is large or small, the disaster declaration identifies the decision process to address and the key players involved.

• Disaster List – Classifying high-probability and high-impact events (such as natural disasters) can support justifying investment in expensive backup systems, alternative site(s) and recovery procedures.

• Data Backup – The DRP should detail the data backup procedures, including the type of backup system; location(s) of any offsite repositories; and the frequency at which the data is copied. In the case of removable device backups, how the data is shipped to the alternate site (including activation protocols, vendor contact details and instructions on how practice staff would access and/or travel to the alternate site) should be documented.

It should also be demonstrated that any offsite repositories are far enough away from the practice location (and any other backup locations) to ensure safety in the event of a natural disaster impacting the primary site.

• ePHI Recovery – Ultimately, the whole point of a DRP is to restore ePHI in a safe environment so that a practice can continue treating clients. DRPs should identify all ePHI systems – including your EHR – and all data requirements. It should also identify the procedures to restore these systems, including a recovery priority list and the contact information for staff members familiar with these emergency operations.

In addition to all of these requirements, don’t forget that changes to ePHI applications (such as EHR) can change the DRP! Regular modification and testing are necessary to ensure that you’re current and up to date. You should also periodically check for updates to DRP requirements, to ensure that you’re following the most current rules.

“Periodic plan tests and resultant corrections are vital to the continuing success of any disaster recovery. With natural disasters and security breaches occurring more frequently, the need for a practicable DRP is more essential than ever.”

See our HIPAA / 42 CFR Part 2 Resource Center for more complimentary tools.

PIMSY Specifics

Every EHR is different, and you should be sure to check with your vendor to get detailed specifics about how it might be able to help with organization’s disaster recovery plan. With PIMSY, your agency data is stored in the Microsoft Azure Cloud, automatically backed up, and encrypted at multiple locations. Microsoft Azure (a “hot site”) adheres to HIPAA protocols, adding another layer of compliance and security.

While every clinician is individually responsible for HIPAA compliance – and no EHR is technically HIPAA compliant – using PIMSY for your mental health software greatly increases compliance and data security, both for HIPAA and 42 CFR Part 2. While you still have to establish a DRP, the mechanics of it are taken care of simply by using PIMSY, and most of the steps listed above are fulfilled.

For details about PIMSY’s affordable, flexible, and comprehensive EHR solutions can help you meet compliance regulations, contact us: 877.334.8512, ext 1 – hello@pimsyehr.com