Business continuity and disaster recovery planning is a process that helps organizations prepare for disruptive events. A business continuity plan assesses all aspects of an organization’s operation for critical activities that need to be restored quickly and the steps to achieve this. A disaster recovery plan focuses on the IT operations of the organization. A disaster recovery plan will identify proactive steps an organization should undertake to prevent, or to be prepared for, a disruptive event.
Planning in advance will allow medical practices to respond quickly in an emergency and return to delivering patient care with minimal loss of time and patient information, whether the event is a power outage or a pandemic.
For a breach that involves the inability to access personal health information, use the Breach Management guidelines in conjunction with the disaster recovery plan.
Business Continuity Plan
A business continuity plan for a medical practice should address the threats specific to that practice and provide practical strategies for business survival and resumption. To continue operations after losing access to the physical location of the medical practice, for example, one practice might need only employee and patient contact information and the name and location of an alternate site to see patients. Under the same circumstances another medical practice might plan to refer patients to another physician while continuing to handle phone calls at an alternate site. What really drives the form and content of a plan are the functions the medical practice needs to recover for minimum operations and how soon they need to be available.
Disaster Recovery Plan (important notes for physicians with EMRs)
IT disaster recovery plans provide step-by-step procedures for recovering disrupted systems and networks to help restore normal operations. The process of developing a disaster recovery plan will examine all IT systems including the EMR, Internet, LAN, access to other health information systems, telephone, fax, photocopier, and even electricity. Some or all of these systems might require outside expertise to restore operations. Work closely with the EMR vendor or IT support in designing the disaster recovery plan.
Determining What Is Critical
Begin by identifying what aspects of a practice are critical to survival. What employees, equipment, facilities, records, and other assets and the processes they support are essential to the operation of the medical practice? At the most basic level a medical practice will need employees, a place to see patients, possibly some diagnostic equipment, and a list of patients with contact information.
The next step is to determine the maximum impairment the practice can withstand and still make alternative arrangements to see patients. For example, would the medical practice still see patients if there was no access to the EMR?
The final step in developing a plan is to determine how the practice will survive if an adverse event has a negative impact on a critical process or asset. How can the practice re-establish full patient care? Alternatives might include setting up a mutual employee back-up arrangement with another physician in the area, reducing office hours, documenting office procedures so that they can be done by any available employee, contracting with a temporary agency, or sending patients to the local hospital for a service that the medical practice temporarily cannot provide.
Elements of a Disaster Recovery Plan
There are several things a physician-trustee should ensure are in place and activities that should be performed regularly to minimize the risk due to a disruptive event.
• Regular backup and/or protection of EMR records and other vital information.
Encrypt and store backups off-site, ideally not in a location close to the medical practice. A power outage, flood, and other disasters can affect a large geographic area.
• Keep information system versions up-to-date. Enable automatic updating of anti-virus, anti-malware, and other security features for information systems.
• Have IT support develop a checklist of things to monitor on your system to reduce the possibility of downtime.
• Have IT support develop a checklist as part of the disaster recovery plan to reduce the time it takes to become fully operational again.
Elements of a Business Continuity Plan
Medical practice physicians and a senior administrative employee should form a crisis management team responsible for declaring a disaster, activating the plan, and directing and managing the office recovery operations, including:
• Setting priorities and objectives,
• Overseeing, directing, and managing all team members and the entire recovery process in all alternate locations,
• Directing, controlling, and ordering resources, and maintaining a manageable span of control,
• Approving expenses,
• Resolving conflict and making and implementing strategic and policy decisions,
• Designating a spokesperson for any inquiries from patients, the media or the OIPC.
Having this plan in place ahead of a disaster will assist in quick recovery.
• Financing is a key component of business continuity. Cost will be a factor in how quickly the medical practice is operational again and whether only part of the practice will resume operations. Determine who will make these decisions and how. Ensure that the ability to do banking, including paying employees, is maintained.
• A list of key contacts should be easily retrievable. For a medical practice this might be employee phone numbers, third party IT support, EMR and other vendors, the landlord, local media contacts for public service announcements to notify patients that the medical practice is closed, suppliers, hospitals or other organizations to which the medical practice frequently refers patients, and insurers.
• Consider how patients can be contacted. Will someone keep a list of patients off site? Can the EMR backup serve this purpose? Will radio stations be used?
• Consider alternative locations for the practice if access to the clinic will not be possible for some time. Make arrangements with other medical practitioners in the area.
Notes for Physicians Enrolled in the Saskatchewan EMR Program
As part of participating in the Saskatchewan EMR Program, physician-trustees are required to develop a disaster recovery plan. This plan should be broad enough to cover everything from reasonably anticipated events such as EMR downtime, power failures, system crashes, Internet failures, fires, and floods, to highly unlikely events such as an earthquake or all employees resigning on the same day because they won the lottery.
References
Wisconsin Medical Society Risk Management Manual, 1997