How HIPAA Compliance Can Help Your Organization Prepare for a Disaster

Updated 10/20/2020

What do a ransomware attack, a hurricane, earthquake, flood, massive wildfire and a pandemic have in common?

• They all disrupt the vital operations of a healthcare organizations.
  
  HIPAA covered entities and healthcare providers should always have Emergency Preparedness Plans in place for natural disasters (now including pandemics, such as COVID-19) as well as man-made catastrophes like cyberattacks. In fact, the HIPAA Security Rule requires that covered entities have a contingency plan that can be implemented the moment it is needed.
  
  

COVID-19 and HIPAA

During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, the HHS Office for Civil Rights (OCR) has provided guidance that helps explain how the HIPAA Privacy Rule allows patient information to be shared in the outbreak of infectious disease and to assist patients in receiving the care they need.

The HHS Office for Civil Rights (OCR) has provided Bulletins, Notifications of Enforcement Discretion, Guidance, and Resources that help explain how patient health information may be used and disclosed in response to the COVID-19 nationwide public health emergency.

Click Here to access the HIPAA and COVID-19 Page to download OCR HIPAA Announcements Related to COVID-19.

Emergency Preparedness Requirements

Under HIPAA - Have a Contingency Plan!

According to the HIPAA Security Rule, a contingency plan should establish strategies for recovering access to electronic protected health information (ePHI) should a healthcare organization experience an emergency or problem, such as a power outage or other disruption of critical business operations.

Contingency plans aren’t just a good idea; regulations for certain industries require contingency planning. For example, the HIPAA Security Rule requires that HIPAA covered entities and business associates establish and implement a contingency plan.  Contingency plans are critical to protecting the availability, integrity, and security of data during unexpected adverse events. Contingency plans should consider not only how to respond to disasters such as fires and floods, but also how to respond to cyberattacks. Cyberattacks using malicious software such as ransomware may render an organization's data unreadable or unusable. In the event data is compromised due to a cyberattack, restoring the data from backups may be the only option to recover the data and restore normal business operations.

The Contingency Plan Standard of the Security Rule requires that covered entities establish policies and procedures for responding to an emergency that damages a system containing ePHI. 

What Does a Contingency Plan Do?

A Contingency Plan should focus on steps required to respond and recover operations in the event of an emergency or other disruption to normal operations. Its major objectives are to ensure:

1. the containment of damage or injury to, or loss of, property, personnel, and data; and 
2. the continuity of the key operations of the organization.

What's Required for a HIPAA Contingency Plan?

• Disaster Recovery Plan:
  • Focused on restoring an organization's protected health data.
• Emergency Mode Operation Plan (or Continuity of Operations):
  • Focused on maintaining and protecting critical functions that protect the security of protected health data.
• Data Backup Plan:
  • Focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption. 

Two additional specifications for implementing a contingency plan that are considered “addressable” are:

• Applications and Data Critically Analysis:
  • Focused on identifying what applications and data are critical for the contingency plan.
• Testing and Revisions
  • Focused on testing your contingency plan and revisiting  any identified deficiencies. 

The Office for Civil Rights (OCR) – the government enforcement agency over HIPAA, suggests these key steps to lead your organization to effective Contingency Planning:

Make it Policy

A formal policy provides the authority and guidance necessary to develop an effective contingency plan.

Identify what is Critical

Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.

Identify Risks, Threats and Preventative Controls 

Perform a risk analysis to identify the various risks that your business may face. What has the potential to significantly disrupt or harm your operations and data?

Link Contingency Plans to Risk Analysis

The need for contingency plans appears as a result of a thorough and accurate analysis of the risks that your organization faces. The end result of a risk analysis can provide a list of potential threats, risks, and preventative controls. Prioritization of critical systems and information will help identify where to focus planning efforts.

Create Contingency Procedures

Establish the specific guidelines, parameters, and procedures when enacting the contingency plan and for the recovery of systems and data. Here’s where the Disaster Recovery Plan, Emergency Mode Operation Plan and Data Backup Plan will fill in the overarching contingency plan. Keep in mind:

• The goal is to maintain critical operations and minimize loss.
• Define time periods – What must be done during the first hour, day, or week?
• Establish Plan Activation – What event(s) will cause the activation of the contingency plan? Who has the authority to activate the contingency plan?
• Use plain language – the plan should be understandable to all types of employees.

Operationalize & Maintain the Plan

Integrate the plan into normal business operations. Communicate and share the plan and roles and responsibilities with the organization.  Establish a testing (exercise) schedule for the plan, to identify gaps and ensure updates for plan effectiveness and increase organizational awareness. Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

Under the CMS Emergency Preparedness Rule

Medicare and Medicaid providers are also subject to an additional Emergency Preparedness Rule from the Centers for Medicare and Medicaid Services (CMS). This rule was published September 16, 2016 and implemented November 15, 2017 and is updated periodically. The rule sets emergency preparedness requirements apply to all 17 provider and supplier types who participate in Medicare and Medicaid.

The CMS website provides resources for this emergency preparedness rule, and Medicaid-only facilities should contact their State Medicaid Agency for guidance regarding their emergency preparedness. There are four core elements of the Emergency Preparedness Program and element of the plan must be reviewed and updated annually.

Risk Assessment & Planning - all providers must develop an emergency plan using all hazards approach, plan and identify in advance essential functions and who is responsible in a crisis.

Policies & Procedures – developed based on the plan (e.g. medical documentation, evacuation or shelter and place)

Communication Plan - alternate means of communication, provide info to local authorities sharing medical info, and providing occupancy information and ability to provide assistance to other facilities in the community.

Training & Testing Program - train staff and test the plan through drills

Plan must be based on a document risk assessment using an "all hazards approach and must also meet the following criteria:

• Include strategies to address events identified in the risk assessment, plans for evacuating or sheltering in place, working with other providers in the area.
• Address patient population; continuity of operations; succession planning.
• A process for cooperation/collaboration with local, tribual, regional, state or Federal EP officials to ensure an integrated response.

The rule allows a provider that is part of a healthcare system consisting of multiple separately certified healthcare facilities to have one unified and integrated emergency preparedness program.  The integrated emergency plan and policies and procedures must be developed in a manner that takes into account each separately certified facility's unique circumstances, patient populations, services offered.  In addition, a risk assessment must be conducted for each separately certified facility within the system.

CMS provides a PowerPoint presentation you can download and customize from the national CMS webpage Click Here. Scroll down on this page and choose “General Presentation – Overview of EP”.  This page also includes other valuable downloads.

Conclusion

Hurricanes seem to be occurring more frequently and more fierce lately.  Wildfires have been ranging and to top it off, we have a Coronavirus Pandemic.  Cybercriminals take advantage during these times of crisis, so we must be prepared to protect and recover information so we can continue caring for our patients.

Healthcare organizations should use any information collected from a risk assessment to identify what data needs to be backed up, if data should be encrypted, how to authenticate data in certain situations to protect its integrity, and how to protect health information transmission.

The Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have developed a Security Risk Assessment Tool to guide healthcare professionals through the process of conducting a risk assessment at their organization. Other helpful resources are the ONC Safety Assurance Factors for Electronic Health Record Resilience (SAFER) guides. These guides are designed to help healthcare organizations conduct self-assessments and optimize the safe use of electronic health records.

We recommend creating a Contingency Plan which satisfies HIPAA, CMS and other applicable regulatory requirements and gaining as much training as possible.  Check our Certification and Short Course Stores today!