In a recent report released by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have sufficient HIPAA-compliant EHR contingency plans in place, although the majority are “largely addressing” HIPAA requirements for EHRs.
In September 2014, OIG issued a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to discover whether HIPAA-compliant EHR contingency plans had been developed and put in place. Respondents were also asked about the extent to which EHR systems had been affected previously. In addition to the survey, six hospitals were also chosen for in-depth reviews involving site visits, interviews with hospital staff, documentation checks, and checks of EHR contingency plans.
The aim of the study was to look into the state of hospitals’ EHR contingency planning and to find whether patient health information could still be accessed during natural disasters and other emergency situations where EHR system downtime happens. In light of the recent ransomware cyber attacks on hospitals, the results of the survey are most relevant.
HIPAA-Compliant EHR Contingency Plans
The Security Rule of the Health Insurance Portability and Accountability Act requires covered bodies to put in place safeguards to ensure the confidentiality, integrity, and availability of electronic protected health data.
All hospitals (and other HIPAA-covered entities) must have a contingency plan established for responding to disruptions to electronic health record systems whether they are cyberattacks, natural disasters, power failures, hardware malfunctions, or Internet connectivity issues.
The HIPAA Security Rule states that five separate areas must be addressed in policies and procedures. A data backup plan must be in place to ensure that PHI can be recovered in the event of disaster. A disaster recovery plan must exist developed to ensure that PHI can be recovered. Covered bodies are required to have an emergency mode operations plan which can be put in action to ensure that critical business processes can persist during emergencies. Testing and revising of these contingency plans must also be addressed, and an applications and criticality review should be conducted. Fully HIPAA-compliant EHR contingency plans must address all five of these areas.
The Office of the National Coordinator for Health Information Technology (ONC) and the National Institute for Standards and Technology (NIST) have released advice on contingency planning for data systems to assist covered bodies.
OIG assessed hospitals on four out of the five areas outlined in the HIPAA regulations and found that most of hospitals had addressed three out of the four HIPAA requirements. Most had a data backup plan and were in a position to recover data in the event of an emergency. Most had a disaster recovery plan and also an emergency mode operations plan in place. However, only 73% of the hospitals reviewed had addressed testing and revision in their EHR contingency plans. In the OIG report, just 68% of hospitals had addressed all four requirements of HIPAA. Therefore, almost a 33% of hospitals did not have fully HIPAA-compliant EHR contingency plans.