Healthcare News & Insights

Is your EHR contingency plan complete? Feds weigh in

For many hospitals, it’s essential to have an effective electronic health records (EHR) system. And it’s equally important to have a plan in place if something disrupts an EHR’s operations, whether it’s a natural disaster or a cyberattack.

In its recent mid-year update to the Work Plan, the Office of Inspector General (OIG) said it would be reviewing hospitals’ contingency plans in case their EHRs weren’t able to function.

The agency has just released a new report outlining the results of its review, including how hospitals are performing in meeting objectives required by HIPAA.

Required components

As part of the HIPAA security rule, a hospital’s EHR contingency plan should include the following elements:

  • a data backup plan for creating and storing copies of electronic health information
  • a recovery plan to restore lost data
  • an emergency mode operations plan so facilities can continue performing required operations
  • an assessment of all applications that would be affected (including the impact of a widespread outage), and
  • a protocol for testing and revising the contingency plan.

The OIG looked at federal data from hospitals that have received EHR incentive payments to determine how effective facilities are with creating contingency plans.

Almost every hospital (95%) said it had written procedures in place to specify how it’d handle EHR disruptions. Most of the remaining hospitals said they were either working on developing contingency plans or already had some of the procedures in place, but they weren’t a part of the facility’s written policy.

Out of the hospitals that did have a formal, written EHR contingency plan, most of them addressed at least three of the HIPAA-required elements: a data backup plan, a disaster recovery plan and an emergency mode operations plan. Around two-thirds of hospitals (68%) included these three elements, plus testing and revision procedures.

Implementing plans

When putting each HIPAA-required element into place, hospitals used a variety of methods.

For data backup, most facilities that maintained backup files updated them at least once a day. While some facilities saved data on a secondary server, others saved it on tapes or disks. Others used a combination of both approaches. Around half of the hospitals reported they had a “read only” EHR system that can be activated to display backup EHR data, if needed.

With disaster recovery, about 75% of facilities had duplicate EHR hardware running at an alternate site, and almost half of these hospitals said they could fully transfer EHR operations over to the alternate site within eight hours, the recommended time frame for this process. However, only about a quarter of facilities said they tested their alternate systems at least every three months.

Across the board, all hospitals’ emergency operations plans relied on the use of paper. In case of a total EHR shutdown, nearly every facility said it would provide staff with paper forms to perform important tasks like registering new patients and documenting vital signs, though slightly fewer hospitals (75%) said they had enough paper forms on hand to last eight hours.

Other common equipment hospitals had on hand for disasters included generators (98%) and uninterruptible power supplies (94%).

Additional steps

While these practices are essential for maintaining normal operations in cases of an EHR outage, the OIG recommended that hospitals expand on their contingency plans, following federally endorsed standards such as:

  • visually differentiating an EHR’s “read-only” system from its normal appearance
  • storing EHR hardware at an alternate site at least 50 miles from the primary site
  • testing the hardware at each alternate site at least once every quarter
  • testing generators and power supplies monthly (and keeping at least two days’ worth of fuel onsite)
  • creating a communication structure that doesn’t rely on the hospital’s computing network, and
  • making sure there’s an adequate supply of paper forms.

The OIG also stressed the importance of regularly testing and revising EHR contingency plans. Staff should be trained on the plans through tests and exercises designed to simulate the actual experience of working without access to an EHR.

Contingency plans should be updated whenever there are any changes or enhancements to a hospital’s EHR system so they’ll continue to be applicable in case of an emergency.

With ransomware attacks and other threats becoming more common in health care, an up-to-date, tested EHR contingency plan is essential to keeping these situations from negatively affecting your facility’s operations.
