HIPAA Mandate: Maintaining Business Continuity During Downtime

By Arthur Young
HIPAA’s “Security Guidelines” mandate that all healthcare organizations using healthcare data comply with its data security and business continuity standards, and the penalties and fines for noncompliance are substantial. A contingency plan for disaster recovery and business continuity is a key standard stipulated in the HIPAA Security Rules under the Administrative Safeguards Section, so you clearly need to have such a plan in place.
The contingency plan should address data availability and the risks a business disruption poses to that availability. The goal is to ensure that staff can still access vital systems and data in spite of the disruption. The contingency plan should also outline strategies for implementing various technical measures, procedures and plans to ensure the recovery of networking systems, data and operations in the event of a disruption and to ensure the hospital is able to resume to its normal functions in the event of a crisis, disaster or disruption.
Why Do Hospitals Need to Ensure Downtime Business Continuity?
Take the case of Sutter Health System. In August 2013, the 24-hospital Sutter Health System in Northern California reported that a software glitch with its $1 billion electronic health record system made it inaccessible to clinical staff. According to reports, the system outages across the hospitals lasted a full day.
Mike Hill, an RN at Sutter’s Alta Bates Summit Medical Center and a California Nurses Association representative for the hospital explained the situation: “Many of the families became concerned because they noticed the patients were not getting their medications throughout the day,” he said. “Meds were not given for the entire day for many of the patients.”
There’s also the case of Fiona Stanley Hospital. In February 2015, doctors, nurses and administrators at Fiona Stanley Hospital, Australia’s most technologically advanced hospital, had to revert to “downtime procedures” when WA Health’s computer systems crashed for more than 14 hours during an outage caused by lightning storms.
According to the local health department, the crash resulted in the loss of clinical and non-clinical computer applications and the IT network, including email, forcing the staff to use pens and paper and then enter patient data once the system came back online.
While the hospital had downtime procedures and business continuity plans in place to ensure patient safety was never compromised, the staff still had to resort to manual processes, and later, take the time to enter patient updates to the system, significantly reducing their productivity and responsiveness to patients.
How Are Your Clinicians Accessing Data During a Downtime?
Typically, when technology is not working, we have to revert to traditional means for getting tasks done. It’s the same whenever a healthcare information system goes down — clinicians have to record patient information on paper and periodically print out reams of critical patient records that they will need during a downtime. Both tasks are time consuming. Printing records in particular can take a couple hours per day.

However, even if patient records have been printed out, getting access to the most up-to-date patient information, such as medication administration records and physicians’ orders, can still be a challenge. The paper may have been printed in the computer room and be inaccessible to many of the users. A major issue is how unwieldy paper copies are to find the information that’s needed from them, as there are typically multiple reams of paper printed.

Most importantly, even organizations that have backed up power, parallel systems and redundant solutions to provide data from their healthcare information system cannot know and ensure 100% that it is the most recent data.
Steps to Ensure Uninterrupted Data Access and Business Continuity
Given all the possible issues and challenges presented above, one can see that business continuity planning is a good practice for healthcare organizations. Hospitals are a cornerstone of a community, so it is incumbent that they remain open and fully operational through any disaster, outage, etc.
To prepare for any downtime, you need to determine your Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO refers to how long your organization can survive without this critical business function. Is it just the current day, until tomorrow or until next week? Also, what resources are needed to ensure the restoration of the function within the RTO?

RPO refers to data-reliant processes and how current your data needs to be once systems are restored. Is it last night’s backup, or the last action taken? And, if you have a manual backup system, how long is it feasible to run the manual backup before restoration is impossible?

Are You Ready for The Next Downtime?
You may have complete downtime policies and procedures in place, but do you have a system that can automatically respond to an unexpected downtime and keep your organization fully functional until normal operations resume? Do you have a system that can provide your staff with access to the most up-to-date patient information plus meet requirements for patient data security and the need to ensure patient safety?

To learn more about how you can ready for your next downtime, check out our whitepaper, “Healthcare Business Continuance: Implementing Procedures to Address Critical System Downtimes.”

Add new comment