Preparation is Less Costly Than Learning Through Tragedy
Massive weather events like Hurricanes Ida, Sam, and Nicholas remind us of the importance of hoping for the best but planning and preparing for the worst. Before an emergency, having a plan in place will determine how well your organization can "survive the storm."
Organizations must have these plans in place in the event of natural disasters, unsafe conditions that may impact the area, or even when a global pandemic happens.
Organizations must be prepared to respond quickly when these types of events occur. All healthcare organizations must have an Emergency Action Plan (EAP) and a Disaster Recovery Plan (DRP) written, communicated, tested, and activated when necessary.
Emergency Action Plan
An Emergency Action Plan is typically a
written document required under OSHA. Even though smaller organizations (10 or
fewer employees) are not required to have a written plan, they must communicate
it orally to their employees. We highly recommend all healthcare organizations
have a written EAP, regardless of their size.
The purpose of the EAP is to facilitate and organize employer and employee actions during workplace emergencies. According to OSHA, a poorly prepared plan can lead to a disorganized evacuation or emergency response, resulting in confusion, injury, and property damage.
The elements of an Emergency Action Plan must include, but are not limited to:
- Means
of reporting fires and other emergencies
- Evacuation
procedures and emergency escape route assignments
- Procedures
to be followed by employees who remain to operate critical plant
operations before they evacuate
- Processes
to account for all employees after an emergency evacuation has been
completed
- Rescue
and medical duties for those employees who are to perform them
- Names
or job titles of persons who can be contacted for further information or
explanation of duties under the plan
At HCP, we also recommend training employees on the different alerts they will hear for various emergencies. You can broadcast such signals using sirens or even public address systems. It's also important to designate an alternative meeting place if the primary one is unable to be used or reached because of safety concerns such as fire or explosions.
Disaster Recovery Plan
In the event of a disaster, natural or
otherwise, covered entities and their business associates must create and
document their Disaster Recovery Plan to recover information systems. The
DRP is a HIPAA requirement and must be implemented as part of HIPAA policies
and procedures, reviewed regularly, and revised as necessary (when changes
occur to processes, etc.).
Your DRP must provide a straightforward and
structured approach to responding to an unforeseen event that could threaten
your organization's information technology (IT) infrastructure (i.e., hardware,
software, networks, etc.). Additionally, your DRP must clearly explain:
1. Who is responsible for activating the Disaster
Recovery Plan?
2. How will missing data be restored?
3. What is the process for repairing damaged
machines, systems, etc.?
4. Methods used for ePHI and programs to be
restored from the most recent backup (on or off-site)
5. The name and contact information for the
network administrator and instructions for reaching them, when applicable
6. How will copies of missing software licenses be
secured once the organization is up running again?
7. The plan will ensure all damaged equipment is disposed of properly (including a thorough purge of any ePHI, and then documenting its destruction)
In Summary
More than ever before, Emergency Action Plans and Disaster Recovery Plans are essential for businesses, including healthcare organizations. Being prepared for emergencies starts with being alert to any potential man-made threats or natural disasters and watching for updates to ensure there is adequate time to activate the plan(s). Having an Emergency Action Plan and Disaster Recovery Plan in place are two important requirements that will help protect your organization's essential operations and reduce the potential for mishandled or lost data.
Have questions about Emergency Action Plans or
Disaster Recovery Plans? We can help. Contact us by email: support@hcp.md or reach us by phone: 855-427-0427.