Disaster Planning and HIPAA

When talk turns to HIPAA, most of us are focused on privacy compliance. After all, privacy is a complex, expensive nightmare, and few hospitals or medical practices feel up to the task, so talking through those issues makes sense.

But as blogger Art Gross points out, the HIPAA Security General Rules require more than protecting a patient’s privacy. They also require that ePHI remains available even in the face of disaster. From the rules (courtesy of Gross, emphasis his):

§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

Apparently, far too few healthcare providers are paying enough attention to this part of the rules. Gross, who is a HIPAA security consultant, says that when he audits organizations, few have disaster recovery or emergency operations procedures in place.

Now, big enterprise IT departments aren’t going to leave disaster recovery out of their planning; it’s simply part of the drill for any large installation. But the smaller the provider group gets — particularly when you zoom down to one to three-doctor practices — the story changes.

As people who read blogs like this one know, smaller practices aren’t likely to have so much as a single IT staffer on board. Keeping their EMR up and running is enough of a burden. I’m not at all surprised to hear that they aren’t prepared for disasters like Hurricane Sandy, which brought down even large medical centers.

But with HIPAA demanding immediate access to ePHI, doctors won’t have a choice much longer. And hospitals will want to make sure independent doctors aren’t the weak link in the availability chain.

Yes, it’s asking a lot of small practices to make intelligent disaster recovery plans for their EMR, and even more of their hospital partners if they want to keep access to disparate EMRs out there. But there’s just no getting around the problem.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

1 Comment

  • This post tries to put forward an expectancy of Confidentiality, Integrity, and Availability (CIA) never intended suggesting HIPAA requires all covered entities information systems and their ePHI be available 24/7 in any event including natural disaster.
    Wow! The price of healthcare just exponentially increased and with more time the lie of EHR reducing the cost of healthcare is exposed. Screwed we patients are…

    Availability:
    “For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.”
    http://en.wikipedia.org/wiki/Information_security
