Disaster Planning and HIPAA

When talk turns to HIPAA, most of us focus on privacy compliance. After all, privacy is a complex, expensive nightmare, and few hospitals or medical practices feel up to the task, so talking through those issues makes sense.

But as blogger Art Gross points out, the general requirements of the HIPAA Security Rule demand more than protecting a patient's privacy. They also require that ePHI remain available, even in the face of disaster. From the rules (courtesy of Gross, emphasis his):

§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

Apparently, far too few healthcare providers are paying enough attention to this part of the rules. Gross, who is a HIPAA security consultant, says that when he audits organizations, few have disaster recovery or emergency operations procedures in place, even though the Security Rule's contingency plan standard (§ 164.308(a)(7)) calls for exactly those: a data backup plan, a disaster recovery plan, and an emergency mode operation plan.

Now, big enterprise IT departments aren't going to leave disaster recovery out of their planning; it's simply part of the drill for any large installation. But the smaller the provider group gets, particularly when you zoom down to one- to three-doctor practices, the more the story changes.

As people who read blogs like this one know, smaller practices aren't likely to have so much as a single IT staffer on board. Keeping their EMR up and running is enough of a burden. I'm not at all surprised to hear that they aren't prepared for disasters like Hurricane Sandy, which brought down even large medical centers.

But with HIPAA requiring that ePHI stay available, including during an emergency, doctors won't have a choice much longer. And hospitals will want to make sure independent doctors aren't the weak link in the availability chain.

Yes, it's asking a lot of small practices to make intelligent disaster recovery plans for their EMR, and even more of their hospital partners if they want to keep access to the disparate EMRs out there. But there's just no getting around the problem.