The Challenge in the Healthcare Industry
Hospitals often become an epicenter for local response teams during catastrophes. Furthermore, since there's no such thing as a "classic" disaster, healthcare providers and facilities must prepare for a multitude of emergency situations.
According to a Medical Group Management Association (MGMA) poll, 78 percent of healthcare leaders revealed their emergency preparedness plans include emergencies such as natural disasters, computer system failure, workplace violence, and active shooters. Yet, many professionals may still feel overwhelmed during these moments of chaos. How can we bolster our defenses?
Let's identify critical vulnerabilities facing healthcare providers and facilities, review plans that address these risks, and discuss how your organization can meet compliance regulations. Enabling individuals to behave with clarity when facing a disaster is the result of validated and tested strategies designed for your facility, clinic, or hospital.
The High Stakes of Disasters & Emergency Situations
Disaster recovery and emergency preparedness is a team sport. Healthcare administrators are increasingly concerned for the safety and well-being of their colleagues, patients, and physicians from man-made and natural disasters.
Are Disasters on the Rise?
From unforgiving storms, hurricanes, wildfires, and flooding to other mass-casualty events, our interconnected technology and means of instant communication are increasing our awareness of how disasters affect people. The damage is hard to fathom in these large numbers:
- In 2021, the United States witnessed 20 unique billion-dollar weather and climate disasters.
- The year 2021 ranked 2nd for most disasters within a calendar year (following close behind 2020's record number of 22 unique billion-dollar events).
- The NOAA National Centers for Environmental Information (NCEI) confirmed that those 20 disasters came with a price tag of $145 billion.
The toll on human life is difficult to ignore as well. Over the last five years, the NCEI's U.S. Billion-Dollar Weather and Climate Disasters 2022 estimates an average of 911 deaths per year.
How is Business Continuity Tied to Information Technology Systems?
While a disaster recovery plan is critical for any business, the healthcare industry is more vulnerable to downtime and subject to targeted cyberattacks. Protected Health Information (PHI) and sensitive healthcare data offer a treasure trove to cybercriminals. Since health care stores and handles PHI, the results from data loss could damage other areas like public health, patient privacy, and the organization's success.
A disaster recovery plan should be clearly stated, unambiguous, and easily accessible. Focus your Disaster Recovery and Emergency Preparedness Plan on the IT systems whose loss would most impact your organization. You will better protect your assets when you know what they are and where to access them. Backing up your organization's data is highly recommended and might be a requirement depending on your state and local laws.
Once developed, that list of critical systems becomes a guiding document for the team members responsible for restoring and maintaining IT systems, connectivity, and telecommunications during and after a disaster event. Examples of essential functions might include telephone operations, network or internet connectivity, PACS and EMR/EHR systems management, and provider access to clinical systems.
4 Essential Considerations to Prepare, Plan, & Recover
All healthcare organizations must have an Emergency Action Plan (EAP) written, communicated, tested, and activated when necessary. Here are four essential considerations for preparing for these catastrophic incidents.
I. The Purpose:
To develop a plan that outlines the procedures for emergency preparedness, disaster recovery, business functionality, and recovery during and after a disaster. These guidelines will help administrators identify key emergency roles and responsibilities, plan ahead for safe building evacuations and effective emergency communications and develop strategies for resuming normal functions after emergency conditions subside.
In other words, an emergency plan is a guiding document that outlines in detail the systems and protocols which an organization has in place to:
- Ensure the safety of staff and patients.
- Operate within the larger emergency management system.
- Regain and maintain continuity of services during and after an emergency.
II. HIPAA (Health Insurance Portability and Accountability Act) Requirements:
From an organizational perspective, directors and managers understand that protecting their staff ensures that processes and technology maintain business continuity. From a compliance perspective, adopting a Disaster Recovery Plan and Emergency Mode Operation Plan is required under HIPAA, HITECH, and the HIPAA Omnibus Final Rule.
The Privacy Rule is designed for protected health information (PHI) to remain secure from unauthorized or impermissible uses and disclosures. In addition, you can view the OCR Civil Rights Emergency Preparedness resources website to understand how nondiscrimination laws apply during an emergency.
III. CMS (Centers for Medicare and Medicaid Services) Requirements:
CMS issued a final rule on emergency preparedness requirements for quality, safety, and oversight. The primary purpose is "to establish national emergency preparedness requirements to ensure adequate planning for both natural and man-made disasters, and coordination with federal, state, tribal, regional and local emergency preparedness systems."
Covered healthcare providers and suppliers must follow these regulations to remain in compliance. Although a majority of providers will meet these minimum requirements in theory, in practice, these emergency preparedness plans may prove insufficient.
IV. OSHA (Occupational Safety and Health Administration) Requirements:
An Emergency Action Plan is typically a written document required under OSHA. The goal is to ensure that employers and workers are protected, supported by the necessary equipment, clear on where to go, and understand how to keep themselves safe when an emergency occurs. For more information, check out the variety of crises, disasters, and other incidents listed by OSHA.
Our compliance recommendation is for all healthcare organizations to have a written EAP, regardless of size. Even though smaller organizations (10 or fewer employees) are not required to have a written plan, that plan must be communicated orally to their employees.
Encouraging a Culture of Compliance
The goal of an emergency preparedness plan is not perfection, but to encourage a culture that learns from mistakes and seeks to continuously improve healthcare facilities and providers. To achieve this goal, a team of dedicated compliance advisors is a valuable partner, assisting healthcare practices in reviewing plans ahead of time, identifying and mitigating risks, and suggesting improvements.
Not an HCP client yet?
Learn more about how HCP can assist your healthcare practice in reducing risks, including disasters and emergency procedures that meet HIPAA, OSHA, CMS, and other regulatory requirements. The fastest way to understand and meet your organization's specific compliance requirements is to schedule an online consultation.
Are you an HCP client?
Explore how to access or develop a HIPAA & HITECH Compliance Manual designed for your organization's unique needs. Log into the HCP portal and view the "Reference Guide" to explore your organization's policy and procedure manuals online. If you need to create or maintain your policies, save time searching through HIPAA and OSHA resources by contacting your HCP advisor, who can help guide the process, review policies that relate to disasters, and give you confidence that your team can re-establish business continuity.