Skip to main content

Disaster Recovery Plan: Are You Prepared?

PUBLISHED ON: 09.12.2016
Go Back To

Disasters, whether originating from natural causes, system failures, or human errors, can occur unexpectedly and result in significant damage. Having a comprehensive disaster recovery plan, complete with a thorough data backup strategy, is crucial to mitigate these unpredictable events’ impact. The HIPAA Security Rule requires that all Covered Entities (CEs) must develop a disaster recovery plan detailing the actions their agency will take in the event of a natural disaster or other potential risks that could disrupt normal operations. Are you adequately prepared?

Contingency Plan

Federal law requires that Covered Entities (CEs) and healthcare providers implement protocols to safeguard and ensure access to electronic Protected Health Information (ePHI). This includes a contingency plan to maintain access to ePHI during emergencies or disasters.

However, ePHI can only be accessed through data processing applications like Electronic Health Records (EHR) or Practice Management System software. Therefore, the utilization of these systems must be considered during the contingency planning and recovery process.

Data Backup Plan Methods

Most data recovery centers recapture ePHI following system failures through either data backups or replication:

  • Data backups are to removable media such as CDs, flash drives, etc – or to storage systems such as dedicated backup appliances. Data backups are typically taken regularly, duplicated, and stored both on and off-site to maintain multiple versions of the data.
  • Data replication copies ePHI to another site, which could be a host, network, or storage system facility. Replication can be scheduled or done in real-time while the information is being modified (synchronous mirroring).

Data Backup Plan: Site Types

For a successful recovery plan that complies with HIPAA regulations, utilizing an alternate or secondary site is crucial. Typically, there are three options available:

  • Cold Site: provides power, cooling, and networking only. Servers, switches, and storage hardware must be provided separately. If opting for a cold site, necessary hardware and backup data must be shipped to the site.
  • Warm Site: includes enough servers, switches, and storage hardware to support ePHI operations during a disaster. If choosing a warm site, backup data needs to be transported to the site.
  • Hot Site: offers warm site hardware, along with continuous mirroring of ePHI to expedite disaster recovery.

For all three site types, servers, networking, and software systems will require onsite reconfiguration to support emergency operations. Additionally, periodic testing should be conducted to ensure proper functionality.

Disaster Recovery Plan (DRP)

In addition to the Data Backup Plan (securing ePHI backup and an alternate site arrangement), you must also implement a disaster recovery and emergency mode operations plan. The data backup plan establishes systems for the recovery of all ePHI.

Disaster recovery planning establishes protocols necessary to ensure the restoration of ePHI in case of loss. The emergency mode operation plan provides a method for business operations to continue, safeguarding ePHI during an emergency.

While HIPAA disaster recovery requirements break these into two separate policies, many HIPAA compliance consultants integrate both mandates with an integrated Disaster Recovery Plan (DRP). Any DRP should encompass the following:

  • Disaster Declaration – ePHI might be comprised of a significant disaster, such as a hurricane, that requires a practice to work in an alternate location (which can be costly) – or a smaller threat, such as a power fluctuation. Whether the data threat is large or small, the disaster declaration identifies the decision process to address and the key players involved.
  • Disaster List – Classifying high-probability and high-impact events (such as natural disasters) can support justifying investment in expensive backup systems, alternative site(s), and revision procedures.
  • Data Backup – The DRP should detail the data backup procedures, including the type of backup system; location(s) of any offsite repositories; and the frequency at which the data is copied. In the case of removable device backups, how the data is shipped to the alternate site (including activation protocols, vendor contact details, and instructions on how practice staff would access and/or travel to the alternate site) should be documented.

It should also be demonstrated that any offsite repositories are far enough away from the practice location (and any other backup locations) to ensure safety in the event of a natural disaster impacting the primary site.

  • ePHI Recovery – Ultimately, the whole point of a DRP is to restore ePHI in a safe environment so that healthcare organizations can continue their practice of treating clients. DRPs should identify all ePHI systems – including your EHR – and all sensitive data requirements. They should also outline the procedures to restore these systems, including a recovery priority list and the contact information for staff members familiar with these emergency operations.

In addition to all of these requirements, don’t forget that changes to ePHI applications (such as an EHR) can change the DRP. Regular modification and testing is necessary to ensure that you’re current and up to date. You should also periodically check for updates to DRP requirements, to ensure that you’re following the most current rules.

“Periodic plan tests and resultant corrections are vital to the continuing success of any disaster recovery. With natural disasters and security breaches occurring more frequently, the need for a practicable DRP is more essential than ever.”

See our Compliance Resource Center for more complimentary tools.

PIMSY Specifics

Every EHR is different, and you should check with your vendor to get detailed specifics about how it might help with your organization’s HIPAA disaster recovery plan. With PIMSY, your agency data is stored in the Microsoft Azure Cloud, automatically backed up, and encrypted at multiple locations. Microsoft Azure (a “hot site”) adheres to HIPAA protocols, adding another layer of compliance and security.

While every agency is individually responsible for a HIPAA contingency plan using PIMSY for your mental health software greatly increases compliance and data security for HIPAA. While you still have to establish a DRP, the mechanics of it are taken care of simply by using PIMSY EHR.

For details about PIMSY’s affordable, flexible, and comprehensive EHR solutions can help you meet compliance regulations, contact us: 877.334.8512, ext 1 –

Leigh-Ann Renz

Leigh-Ann Renz

Leigh-Ann Renz is the Marketing & Business Development Director of PIMSY EHR. For more information about electronic solutions for your practice, check out Mental Health EHR.

Author: pehradmin

Feeling forced into a new EHR and the deadline is looming?

All EHRs are not the same. It’s critical to find the one that fits the unique needs of your organization. Find out why people choose PIMSY.