During these events, keeping both your primary location and your recovery location safe and secure is as important as the recovery effort itself. HIPAA requires that you set up procedures and plans to ensure that the staff in each location can do the work and are trained in the necessary security and safety procedures. It’s especially important that everyone engaged in this effort is authorized to do so.
It’s common for many people to come into regular contact with patient information. Under contingency conditions, the personnel handling the situation often differ radically from the norm and may include people who would not normally see such sensitive information. The law regards this exposure as a breach of privacy, emergency conditions or not, and that’s bad for everyone.
Because you know in advance that this may be the case, you can make arrangements through confidentiality agreements and similar documents to address the exposure and prevent the breach. This means that all of the contracts with contractors, team members, subscription recovery services, and all others involved in a recovery effort, great or small, must contain the necessary language and assurances that the confidentiality of patient information will be protected to the extent possible by all parties involved. It also means that patients must be informed that this set of conditions could occur but that all due care will be used to protect their privacy and prevent any improper exposure.
Again, you need advance preparation and specific steps outside of the recovery process to ensure things go smoothly. Even from a high-level perspective, preparing for disaster and executing a recovery plan seem enormously complex. There is often the added risk that those in charge of preparing for disasters may not be fully prepared for the challenge. This risk will exacerbate all the others, so it must be the first risk to be mitigated.
Preparedness is Not Just About Plans—It’s About People
It’s easy to see that putting together a working continuity of operations plan (COOP) to protect your business in emergencies is a complex and specialized project. Many organizations elect to bring in specialists to perform the task, but specialists won’t be with you forever. After they leave, you’re still responsible for maintaining and executing the plan, and you remain accountable for its execution.
Nothing can replace a solid plan that does its job well, but that plan can’t work without the right people in the right places who are trained to do the right things. Acquiring the necessary knowledge and training can make your disaster planning preparations easier and more successful. The time to acquire those skills is before you need them. Be sure that when the moment comes, and it will, you and your team will be ready for it.
This post is excerpted and used with permission from Your Prescription for a Robust Healthcare IT Disaster Recovery Plan by Ross A. Leo.