This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the

Transcription

1 This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the HIPAA Security rule: Contingency planning and evaluation.

2 Contingency planning is a large standard within the administrative safeguards. This standard focuses on covered entity establishing policies and procedures for responding to an emergency or other occurrence where there is damage to a system that contain ephi. This standard has 3 required standards and 2 addressable standards. The required standards are data back up plan, disaster recovery plan, and emergency mode operation plan. The two addressable standards are testing and revision procedures and application and data criticality analysis.

3 The first required specification is a data back up plan. The goal of this specification is to get covered entities to establish and implement procedures to create and maintain retrievable exact copies of ephi. The specification doesn t state the media to create the back up with, the frequency of the back up or any other specific details. It is recommended that policies and procedures address: Create policies and procedures that addresses: How/When/Where systems with ephi are being backed up (e.g. EHR, Accounting Systems, case management, digital images, etc.) The medium being used to store the back up Safeguards around the data back ups to protect information Frequency of back ups

4 The next required specification is disaster recovery plan. This specification is focused on having covered entities establish and implement as needed procedures to restore any loss of data. The goal of this requirement is to create a disaster recovery plan for the entire organization in the event of the unforeseen disasters. For this specification, organizations should establish Policies for when a disaster happens (data back up included) Processes for when a disaster happens (downtime and recovery, staffing) Technologies impacted and available during a disaster (critical applications, downtime technologies)

5 The last required specification under this standard is emergency mode operation plan. This specification is focused on a covered entity establishing and implementing procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. Implementation recommendations are: Create policies and procedures that address how the business will run and operate in an emergency Address how the data will be protected in emergency mode Address how security protections will be used in emergency mode Include telephone numbers and contact names for key people to notify in an emergency

6 Testing and revision is the first addressable specification under contingency planning. This specification is often overlook as it is found to be confusing. This specification focuses on covered entities implementing procedures for periodic testing and revision of contingency plans. Just as fire drills are practiced, a covered entity should test and revise their contingency plan on a regular basis to make sure employees are aware of the process and allow for the plan to be updated if appropriate. Here are some implementation recommendations: Create and address a plan to test the entire contingency plan on a regular basis through downtime practice and drills Address how documentation will be collected and maintained from the practice and drills Address where the information will go and who will own updating the plan as needed Drills should be done as often as the organization sees fit

7 The last addressable specification under contingency planning is application and data criticality analysis. For this specification, a covered entity needs to assess the relative criticality of specific applications and data in support of other contingency plan components. This allows for an organization to understand what systems and data are critical for business functions. Some implementation specifications are: Create a system inventory of all hardware, software, and other media at the organization that contains ephi Understand how each of the above is backed up, where it is backed up to, and the criticality to business operations Create a prioritized list for recovery from emergency mode or downtime mode

8 In 2013, the American Health Information Management Association published the Disaster Planning and Recovery Toolkit. This toolkit recommends three main areas in the contingency planning: Planning, Operations, and Recovery. Each of the main areas has steps that should be followed to create an effective and robust contingency plan for the organization. Under planning, a covered entity should Create the Business Continuity Plan (BCP) Create a plan for Education and Training Create a plan for Practicing and Drills of the BCP Create a plan for volunteers Create a plan for Patient Advocacy For operations, a covered entity should: Create a Communication Plan Create an Interim Management Plan Create a plan for maintaining the confidentiality of protected health information Create a plan for uses and disclosures of protected health information and release of information For the recovery phase, a covered entity should:

9 Create a plan for Evaluation, Inventory, and Technical Recovery Create a plan for debriefing Create a plan for counseling for staff, if needed Create a plan matching and tracking tests Create a plan for Record Preservation Create a plan audit, control, and maintenance

10 If a healthcare organization is using a cloud based vendor for their EHR or back up process, it is important not to rely 100% on the vendor. A few basic considerations for a covered entity to consider in order to effectively manage the contingency plan are: Understand the Contingency and Back Up Process Test it Out! Understand your responsibility in the process Assure you have direct contacts for when an emergency happens

11 The last required standard is evaluation. This required standard is intended for covered entities to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ephi, that establishes the extent to which an entity s security policies and procedures meet the requirements of the Security Rule. The purpose of this standard is to: Review and maintain a reasonable level of security and security measures in order to comply as well as protect ephi. Reviews should be completed on a regularly, scheduled timeframe to assure compliance Reviews should also be completed when there is an environmental or operational change that may affect the security of ephi Reviews can be completed internally or externally

12