Healthcare providers who collect, use, or disclose personal health information have a duty to protect records, even during an emergency. A disaster response plan includes protecting personal information against threats and a plan to quickly resume access to patients’ health information.
We can expect disruption to our business and should be prepared to:
- Preserve the safety of our employees, our patients, and our community, and
- Ensure the continuity of health services to our patients, and
- Mitigate the financial risks to the business.
Business continuity planning and disaster response planning are key steps in preparing for an emergency. These activities often overlap, but their focus is different.
Business continuity focuses on keeping the lights on and the business open in some capacity during an emergency, while disaster response planning focuses on getting operations back to normal. (See “Business Continuity vs Disaster Recovery: 5 Key Differences” from the University of Florida for more information.)
No matter how large or small your health care practice, legislation, regulation, and business common sense tell us that you need a disaster response plan to protect the safety and well-being of your patients and your employees. You can re-purpose the emergency response plan to develop a business continuity plan. Just make sure you focus on the people, processes, facilities, and technology assets your organization needs to function normally.
Prepare your business continuity plan before you open your health care practice. It would be bad luck to have an emergency right away but, if you are prepared, it doesn’t have to be a disaster.
Start Your Business Continuity Plan
The owner and the management team of your healthcare practice should be the champions of developing a business continuity plan in your practice. You might also include information technology support, human resources, building maintenance, a media spokesperson, and a risk management advisor. It’s a good idea to set up a project plan, identify project objectives, and set target dates for completion of the assessment.
Risk Assessment – Assess Your Office’s Critical Functions and Assets
Conduct an initial assessment of your practice’s critical activities and systems. The assessment sets a baseline that will help identify what is needed to move your organization to a place where everyone on staff is prepared to respond quickly and efficiently to a potentially disruptive event.
Then, identify potential threats to your critical functions and assets. Determine which events are most likely to happen. Use these events as your starting point to create a detailed written plan. You will have greater success in preparing to lessen the harm of an event if your team can envision that it might happen to you in the next five years.
Your list of critical activities helps you identify the mission-critical functions of your practice that must be protected and recovered and the employee positions that must be maintained. Knowing this helps you determine your priorities for your next steps.
Resources to Help You
There are many resources available to help you with your plan. Check with your local municipality for emergency preparedness response plans, checklists, and contact information. Print hard copies of the documents and keep them in an easily accessible location in your office. Your professional associations and insurance companies are also great resources. For example, Alberta Netcare provides a ‘Clinic Business Continuity Plan Guidelines’ (January 2015).
What Can You Do Now To Prevent an Emergency?
Build redundancy into your daily operations. Consider your key activities and ensure that you have an alternate plan. Name each key function and identify alternate equipment or an alternate service provider for it.
For example, if your electronic medical record (EMR) or practice management software is ‘in the cloud’, you will need to use an internet connection to access your data. If your internet service provider (ISP) is down, do you have a fail-over solution so that you can smoothly switch to an alternate ISP? You might be able to use your cell phone and cell phone connection to your EMR for a little while, but could you run your busy practice from your cell phone for long?
Many of us have a list of phone numbers and contact information on our phones for people that we might need to call in case of emergency. But, if you lost your phone or your computer network, do you have a paper list of your contacts? These simple steps can help you to resume business operations as quickly as possible.
A good computer backup will help to prevent loss of data and help you to recover access to your data quickly. For more information, see “Can You Restore Your Business Using Your Computer Backup?”
Develop the Disaster Response Plan
The Disaster Response Plan is a step-by-step plan for responding to the emergency event. Include how you are going to make decisions and who has the authority to make decisions. For example, who will decide to open (or close) your practice? Who will authorize overtime and immediate expenses? Do you have an alternate person who can authorize decisions and expenses, too?
Make sure the plan is fully documented, both in hard copy and electronic formats.
Identify the strategies you’ll take to protect your patients/clients, employees, and mission-critical resources. This might include backing up or moving to another location, followed by recovering the equipment and information and returning them to normal operations. Include a detailed evacuation plan that each of your employees can access both at work and from their home.
Include detailed phone and contact lists.
Locate and have on hand some ‘old school’ technology like land-line telephones, battery-operated radios, and flashlights.
Practice the Plan
Effective disaster response and business continuity plans require practical training. Exercise the plans periodically to ensure they work as designed and that you can recover critical systems and return operations to normal. Conduct a business continuity and technology disaster scenario at least quarterly. When you vary your scenarios, you will reinforce core emergency recovery plan principles with each scenario and test a variety of plans.
Include emergency communications, awareness and training, and coordination with public authorities.
A business continuity plan is critical to protecting your employees, your patients, and your business, and to being prepared for a crisis. Your goal is to recover your health care practice to where it can provide patient care and support its clinical and administrative teams in a “business as usual” manner.
What Will You Do to Improve Your Disaster Response Plan?
Do you want more tips and resources like these – for FREE?
Join Anne Genge and me for the “Ask Me Anything” style webinar for healthcare professionals, practice managers, privacy officers, and owners on Friday, February 17, 2023 at 1pm EST.
Anne is the founder of Myla Training Co., and a multi-certified cybersecurity expert with global awards for her work in cyber risk management, ransomware prevention, as well as cybersecurity education for healthcare providers.
This month, we will be sharing disaster recovery tips for your practice.
It’s free to attend.
Once you register, you’ll have access to the Zoom link on the day of the event.