| Grace University Hospital |
HIPAA Policy Contingency Plan |
| Effective Date: April 20, 2005 | Reviewed/Updated Date: February 03, 2018 |
| Policy Owner: HIPAA Compliance Officer |
Scope and Application
This contingency plan policy developed by Grace University Hospital's Compliance applies to Grace University Hospital systems that store and maintain ePHI. This policy applies to all hospital electronic systems with regard to storage and retrieval of the information.
Delegate your assignment to our experts and they will do the rest.
Policy Statement:
This policy will address response to downtime situations of the systems that Grace University Hospital uses for its daily operations regarding electronically protected hospital information ePHI. This contingency plan will be implemented in such times of emergency when caused by disasters like fire, vandalism or virus attack and also times of system failure when normal system procedures are unavailable. Data back up plans, emergency mode operations, data recovery and testing and revision are covered.
Applications and Data Criticality Analysis:
1. System IT manager with his team will determine the criticality of all applications and stored data to make decisions on the level of significance.
2. They will also assess the effect of inaccessibility or unavailability of the data to the hospital’s operations.
3. Then they will determine the readiness for disaster for all applications and systems to decide on the best components for disaster preparedness.
4. They will assess the importance of each group of data entered into the system.
Data Backup:
1. ePHI for Grace University Hospital is stored on local servers.
2. Information systems for electronic health records are stored in local server #1 and are backed up after every 24 hours to an unencrypted hard drive from a local service provider.
3. Lab information systems are stored in local server #1 and backed up daily into the same off-site hard drive.
4. Radiology information and file server are stored in local server #2 then backed up after every 24 hours in a different unencrypted hard drive stored in a local service provider.
5. Diction system stored in local server #2 and backed up in an off-site unencrypted hard drive.
6. Electronic collection systems are stored in a cloud-based system and back up in an off-site location.
7. Records of backed up data will be stored in an off-site location.
8. After every two weeks backed up data is copied to a flash drive by the IT manager and stored in a safe deposit both with the clear procedure of accessing.
9. Data backup procedures to be reviewed annually.
Data Recovery Plan:
1. Restoration will be done from local servers.
2. The IT manager and his team will be responsible for the recovery process. They will work in collaboration with the HIPAA security officer.
3. The IT manager will document the cause of system failure
4. The IT manager will provide the procedure for restoration.
5. However, most important files which are the health records will be restored first followed by file server than others.
6. Restored data will be analyzed for integrity.
7. Data recovery to take at most six hours.
8. A log of the recovery process should be kept including challenges of the process.
9. The recovery procedures will be reviewed annually to assess their effectiveness and make improvements.
Emergency Mode Operation Plan:
1. If downtime occurs, the HIPAA security officer will take over emergency mode operations and lead the process.
2. Proper communication to be done at this downtime by managers at all levels.
3. Necessary and accurate documentation will be done on paper in such a situation and will be monitored by managers.
4. The HIPAA security officer together with the IT team will work to protect ePHI during this time.
5. The IT manager will do documentation of the cause of the downtime together with action for recovery.
6. Patient appointments will only be done when their safety and care is assured.
Testing and Revision Procedure :
1. Contingency plans will be tested every 12 months determine their effectiveness.
2. Weaknesses in the plan should cause it to be revised.
3. Testing of the backup plan and components will be done every three months to assess their readability and inform decisions on whether to change them to protect the authenticity of restored data.
4. Personnel in assessed on their understanding of the contingency plan and trained appropriately.
5. Tests performed should be documented together with their results and measures that were taken to address them.
6. Testing and revision of the contingency plan after every three years.
Recommendations
1. Local servers at the hospital need to have an off-site backup location. such locations also need to be secure and the stored data inaccessible to procedurally unidentified people. An offsite backup location is advantageous because data will be safe and accessible in the event of a disaster like fire at Grace University hospital.
2. All ePHI systems at the hospital should have strong password encryption. All hospital personnel needs to be advised to choose strong passwords consisting of six or more characters to prevent unwarranted persons from accessing patient information. Such strong passwords also guard the system against hackers’ attacks.
3. Both servers at the hospital store critical information. Additionally, they host email communication in the organization. The servers, therefore, need to be protected both from online attacks and physical tampering. Extra layers of security should be provided for the servers. The physical location of the servers should also remain unknown.
4. The hospital management needs to explore the possibility of all the systems using a cloud-based storage system. This would protect provide a high level of protection against virus attacks that would cause downtime. Additionally, data recovery would be much easier and quicker with a cloud-based storage system. In addition to safety, such systems are cheaper than the outdated safe deposit boxes used by the hospital.
5. Emergency mode operations can be made smooth with a backup auxiliary system that is hosted on a different server from the main activities. This system can be helpful in situations where the main system fails. It will also eliminate the need for tedious and unreliable paperwork.
6. Improvements in the contingency plan may also be made in collaboration with other hospitals. The management of Grace University Hospital can benchmark at other facilities in order to eliminate weaknesses and improve their HIPAA policy contingency plan.
References
HIPAA. (2007). HIPAA Security series. Retrieved 3 February 2018, from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf.
HIPAA. (2013). HIPAA Security Regulations. Retrieved 3 February 2018, from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
HIPAA. (2016). HIPAA Audit Protocol. Retrieved 3 February 2018, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
