Information Managers

In Case Of Emergency, Is Your Healthcare Practice Prepared?

Posted on February 14, 2023 by Jean Eaton in Blog

Healthcare providers who collect, use, or disclose personal health information have a duty to protect records, even during an emergency. A disaster response plan includes protecting personal information against threats and a plan to quickly resume access to patients’ health information.

We can expect disruption to our business and be prepared to:

  • Preserve the safety of our employees, our patients, and our community, and
  • Ensure the continuity of health services to our patients, and
  • Mitigate the financial risks to the business.

Business continuity planning and disaster response planning are key steps in preparing for an emergency. These activities often overlap, but their focus is different.

Business continuity focuses on keeping the lights on and the business open in some capacity during an emergency, while disaster response planning focuses on getting operations back to normal. (See “Business Continuity vs Disaster Recovery: 5 Key Differences” from the University of Florida for more information.)

No matter how large or small your health care practice, legislation, regulation, and business common sense tell us that we need a disaster response plan to protect the safety and well-being of your patients and your employees. You can re-purpose the emergency response plan to develop a business continuity plan. Just make sure you focus on the people, process, facilities, and technology assets your organization needs to function normally.

Prepare your business continuity plan before you open your health care practice. It would be bad luck to have an emergency right away but, if you are prepared, it doesn’t have to be a disaster.

Start Your Business Continuity Plan

The owner and the management team of your healthcare practice should champion the development of a business continuity plan. You might also include information technology support, human resources, building maintenance, a media spokesperson, and a risk management advisor. It’s a good idea to set up a project plan, identify project objectives, and set target dates for completion of the assessment.

Risk Assessment – Assess Your Office’s Critical Functions and Assets

Conduct an initial assessment of your practice’s critical activities and systems. The assessment sets a baseline that will help identify what is needed to move your organization to a place where everyone on staff is prepared to respond quickly and efficiently to a potentially disruptive event.

Then, identify potential threats to your critical functions and assets. Determine which events are most likely to happen. Use these events as your starting point to create a detailed written plan. You will have greater success in preparing to lessen the harm of an event if your team can envision that it might happen to you in the next five years.

[Figure: Disaster response plan: potential threats to business continuity]

Your list of critical activities helps you identify the mission-critical functions of your practice that must be protected and recovered and the employee positions that must be maintained. Knowing this helps you determine your priorities for your next steps.

Resources to Help You

There are many resources available to help you with your plan. Check with your local municipality for emergency preparedness response plans, checklists, and contact information. Print hard copies of the documents and keep them in an easily accessible location in your office. Your professional associations and insurance companies are also great resources. For example, Alberta Netcare provides a ‘Clinic Business Continuity Plan Guidelines’ (January 2015).

What Can You Do Now To Prevent an Emergency

Build redundancy into your daily operations. Consider your key activities and ensure that you have an alternate plan. Name each key function and determine alternate equipment or an alternate service provider for it.

For example, if your electronic medical record (EMR) or practice management software is ‘in the cloud’, you will need to use an internet connection to access your data. If your internet service provider (ISP) is down, do you have a fail-over solution so that you can smoothly switch to an alternate ISP? You might be able to use your cell phone and cell phone connection to your EMR for a little while, but could you run your busy practice from your cell phone for long?

Many of us have a list of phone numbers and contact information on our phones for people that we might need to call in case of emergency. But, if you lost your phone or your computer network, do you have a paper list of your contacts? These simple steps can help you to resume business operations as quickly as possible.

A good computer backup will help to prevent loss of data and help you to recover access to your data quickly. For more information, see Can You Restore Your Business Using Your Computer Backup?

Develop the Disaster Response Plan

The Disaster Response Plan is a step-by-step plan for responding to the emergency event. Include how you are going to make decisions and who has the authority to make decisions. For example, who will decide to open (or close) your practice? Who will authorize overtime and immediate expenses? Do you have an alternate person who can authorize decisions and expenses, too?

Make sure the plan is fully documented, both in hard copy and electronic formats.

Identify the strategies you’ll take to protect your patients/clients, employees, and mission-critical resources. This might include backing up or moving to another location, followed by recovering the equipment and information and returning them to normal operations. Include a detailed evacuation plan that each of your employees can access both at work and from their home.

Include detailed phone and contact lists.

Locate and have on hand some ‘old school’ technology like land-line telephones, battery operated radios and flashlights.

Practice the Plan

Effective disaster response and business continuity plans require practical training. Exercise the plans periodically to ensure they work as designed and you can recover critical systems and return operations to normal. Conduct a business continuity and technology disaster scenario at least quarterly. When you vary your scenarios, you will reinforce core emergency recovery plan principles with each scenario and test a variety of plans.

Include emergency communications, awareness and training, and coordination with public authorities.

A business continuity plan in your practice is critical to protecting your employees, patients, and business, and to being prepared for a crisis. Your goal is to recover your health care practice to where it can provide patient care and support its clinical and administrative teams in a “business as usual” manner.

What Will You Do to Improve Your Disaster Response Plan?

Do you want more tips and resources like these – for FREE?

Join Anne Genge and me for the “Ask Me Anything” style webinar for healthcare professionals, practice managers, privacy officers, and owners on Friday, February 17, 2023 at 1pm EST.

Anne is the founder of Myla Training Co., and a multi-certified cybersecurity expert with global awards for her work in cyber risk management, ransomware prevention, as well as cybersecurity education for healthcare providers.

This month, we will be sharing disaster recovery tips for your practice.

It’s free to attend.

Once you register, you’ll have access to the Zoom link on the day of the event.


What Does a Ransomware Attack Look Like to Patients?

Posted on June 14, 2021 by Meghan in Blog

One of my favourite podcasts is Help Me with HIPAA. This weekend I listened to Episode 304 Ransomware Creates a Social Media Privacy Violation Storm while I was spring-cleaning my yard.

Donna and David discuss in (almost) real time a ransomware attack that was then occurring at one of San Diego, California’s main health systems, Scripps Health. The attack resulted in practically all of its technology being taken down. The EHR went down, patient portals were down, appointments had to be rescheduled, patients had to be diverted to other hospitals… even their website was down.

This podcast episode isn’t about the technology of ransomware. Donna and David walk you through the impact on patients – from the inconvenience and frustration to the disastrous consequences of not having health information available when it is most needed.

This gripping story reveals how communication failures, systems failures and a lack of information snowballed to negatively affect patients when they needed help the most.

My Takeaways From This Help Me With HIPAA Episode

Ransomware is nefarious and its impact is far-reaching.

  • Patient care is compromised – patient information is not accessible, and it is unknown what information can be retrieved and, if it is retrieved, if it is complete and accurate.
  • Privacy breach – obviously! The hackers have patient, employee and business information and have threatened to release it publicly.
  • BUT – employees are also continuously breaching privacy while they are responding to patient concerns on social media DURING the ransomware attack.
  • Employees cannot access their information to do their jobs – work schedules, payroll, portals to perform their jobs. So, alternate, unauthorized workflows are implemented to get the job done which subsequently results in more breaches.
  • While the press release from Scripps Health indicates that they have trained and prepared personnel, the communication from Scripps to patients, employees, and the public has been disorganized, conflicting, and continuously breaching privacy and confidentiality.

I urge you to listen to this episode (about 30 minutes).

Listen to the Help Me With HIPAA Podcast HERE!

[Start at 18:19 minutes]

What Would You Do?

How would you and your team respond to this type of privacy breach?

Share this episode with the members of your incident response plan. Then, use the scenario to conduct a table-top privacy breach fire drill using your privacy breach management plan.

These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to protecting the privacy, confidentiality, and security of health information.

Now hop over and listen to the Help Me With HIPAA episode to better understand what a ransomware attack looks like to a patient.

https://helpmewithhipaa.com/privacy-questions-everywhere-ep-304/ [Start at 18:19 minutes]


Pandemic Incident Response Review

Posted on May 15, 2020 by Meghan in Blog

Each healthcare practice has been impacted by the COVID-19 pandemic.

This is certainly a disruption to our business continuity and a risk to privacy and security of patient, employee, and business information.

In this podcast on Practice Management Nuggets For Your Healthcare Practice, Jean L. Eaton shares a strategy to help you with your pandemic incident response review so that you can respond to a similar incident with confidence.

Jean Eaton's #1 Tip to Healthcare Providers and Vendors

Update your Pandemic Incident Response Plan!

Each custodian and healthcare provider must maintain a written record of safeguards that have been implemented during the pandemic, ensure that these are communicated to their affiliates, and monitor to ensure they are followed.

  • What can we learn about the pandemic incident response so far?
  • As we prepare to re-open our practices, what can we anticipate?
  • If we experience a second wave and have to lock down again, are you prepared?

Jean L. Eaton, Information Managers Ltd.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too!

I offer tips, templates, and training to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners on practice management and privacy legislation that are actually fun and practical.

Your Practice Management Mentor and Your Practical Privacy Coach

Be sure to tune in to my podcast for tips on your pandemic incident response:

Pandemic Incident Response Review | Episode #088

Copyright 2023 Information Managers Ltd.

2 shares
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}