There are legal, security, process, technology and regulatory issues that are contained in each aspect of the Act. Significant resources, operational and procedural changes, technology additions and standardization will be necessary to meet the regulations on time and without penalties.
Healthcare organizations should work with an outside vendor to help meet the HIPAA regulations, but according to the Act, the parties must sign a confidentiality agreement before work begins.
Fines for non-compliance with HIPAA are fierce.
Civil penalties for failure to comply with the regulations are $100 per violation, with a maximum fine of $25,000 per year. In addition, there are penalties for those that 'knowingly' disclose individual identifiable health information. Individually identifiable health information is that information created or received by a healthcare provider from an individual and that relates to the past, present or future health of that individual. These penalties include a wrongful disclosure offense with fines of $50,000 or imprisonment of up to one year; offense under false pretenses with fines up to $100,000 and imprisonment of up to five years; and offense with intent to sell information, with fines up to $250,000 and imprisonment of up to ten years. All of these penalties may impose both fines and prison sentences on those organizations that do not comply with the regulations.
There are four key areas in which HIPAA standards and regulations focus: information security, privacy, electronic data interchange (EDI) and unique identifiers. Each area has numerous subsets of regulatory categories.
Within the security standards, the proposed HIPAA regulations require that healthcare organizations develop security programs based on an assessment of their risks. This assessment can be done through a business impact analysis or continuity assessment, and is usually done by a third party. The analysis should provide comprehensive documentation on the areas of risk with a scoring method. Often, scores are provided in the form of a gap analysis on a scale ranging from one to five, with one being the lowest and improvement necessary and five being a 'best practice' and no need for improvement.
HIPAA's security standards require that all healthcare organizations have a contingency plan. The guidelines for the contingency plan can be found in the Act's administrative procedures to guard data integrity, confidentiality and availability. Within these plans, auditors will look for critical components that are required for each business function, process and application. Healthcare organizations must make sure that their contingency plans include the following elements:
Purpose and scope: All contingency plans, as well as the disaster recovery and business continuity plans that may be a portion of a complete plan, must have a clearly defined purpose and scope. This part of the plan should state what the objective of the plan is, and outline how the process will take place.
Emergency recovery organization: Each plan should clearly identify the members of the emergency recovery organization. If the organization is broken into teams, the members of the teams also need to be defined. The list of emergency management personnel should also define each member's responsibilities and alternate contact information, such as home or mobile phone numbers.
Plan distribution list: Organizations must keep records of personnel that receive a copy of the plan. Most often, the plan is distributed to key members of the emergency management team listed in the plan, as well as the CEO, President, CIO and other upper-level management staff.
Data center, network and systems configuration: Healthcare organizations must document how their data centers, computer networks and application systems are configured. The documentation will help guide the process for re-establishing mission-critical systems and business operations affected by the disaster. The configurations are especially important for those organizations that exist in a campus situation. Each building must have their systems, networks and business function operations fully documented.
Business Unit Descriptions: Each plan must include a list that identifies all of the business units within the organization. The list should also document which business units perform mission-critical functions and identify their order of recovery, or priorities. Within this list, all responsibilities held by each business unit should be documented. Areas such as accounting, patient relations, and information technology must be included.
Data files and supplies availability: Contingency plans must identify the software and application data files that will be required to restore mission-critical systems and the business functions they support. Once identified, backup copies of these files must be created and stored in a safe location. This location is usually an offsite storage facility in a safe and accessible distance away from the primary building. In addition to the files, it is recommended that hardware and training manuals, recovery procedures documentation and critical supplies bet stored offsite as well.
Plan testing and recovery procedures: Contingency plans must be tested on an annual basis at minimum, but it is recommended that the plan be tested at least twice a year. Each time the plan is tested, a report should be generated identifying the objectives of the test, the test results and any problems that were encountered.
Phone list for emergency contacts and vendors: All contingency plans must contain contact information for all organizations that may need to be contacted in the event of an interruption. The list should include emergency management team members, members of the recovery teams, local fire and police departments, city power and water suppliers, communications companies, alternate facilities, storage vendors, computer hardware and software vendors, major equipment suppliers, pharmaceutical suppliers and outside emergency teams such as ambulatory services. This list should be clearly labeled and included in every copy of the plan.
Commercial company contacts: In the event of a disaster or interruption, healthcare organizations must contact insurance, payroll service, temporary office staff, and public relations companies. These companies often can assist the organization in the transition period during the restoration of operations and help respond to the needs of its customers.
Inventory list of plan materials: A list of materials necessary to complete the recovery after an interruption should be maintained in each contingency plan. The materials required will vary, dependent upon the organization's functions. For example, health insurance companies will not have to make preparations to recover x-ray and other diagnostic equipment, but a hospital network will.
Medical procedures and first aid: Many healthcare organizations have employees trained in medical and first aid procedures. However, it is necessary to document what kinds of medical procedures may be necessary in the event of a disaster, e.g. burn units in the case of fire and chemical spills, and the emergency management team or staff member responsible for the procedures. In addition, if any staff member is trained in specific emergency skills, such as firefighting or water rescue, document those employees and skills.
Alternate site description and contracts: The contingency plan must have documentation for activating the facility that the organization will use in the event of a disaster. This documentation should begin with the disaster declaration process. In addition to the declaration process, this section of the plan should also include the address of the facility, contact names, a list and description of all computer equipment and network architectures at the facility, contractual agreements and insurance forms.
Step-by-step recovery procedures: All organizations must have written procedures for the relocation and recovery of their mission-critical business and data processing functions. These steps should document procedures for making an assessment of the situation and declare it a disaster, relocating to an alternate facility, restoring communications networks, obtaining the backup files and recovering critical systems. If a travel agency is used or the organization has existing accounts with airlines, hotels or car rental agencies, the contact information for each vendor must be included in the plan.
Application and system restoration priorities: Each contingency plan must create a priority list that documents the order in which applications and systems are brought back to operation. In addition to the priority, the plan should state which person is responsible for the application or system, and what tests should be performed after it is restored to make sure it is running correctly. This list not only provides a guideline for restoration, it also allows the recovery process to work in an orderly and efficient manner.
Return home procedures: The plan must include documentation for returning to the primary facility after it has been declared safe for all personnel and operations. The documentation should include procedures on how to transport personnel, data files and communications networks to the original site. Key elements that should be included in this section are the system certification methods, parallel processing methods and alternate site shut down procedures.
Healthcare organizations must review HIPAA requirements and establish a timeline in which to complete their compliance. Contingency plans are just a portion of the regulation. Other areas such as security and EDI processes must also be reviewed and included in the timeline.
Because of the magnitude of HIPAAs requirements and the short timeframe in which healthcare companies must be compliant, many organizations are turning to professional services firms for help. There are a number of qualified companies that can perform the assessment, help to develop a contingency plan, and implement security and EDI standards that will move the organization toward compliance with HIPAA.
Ed Deveau is the Senior Vice President of Business Continuity for EverGreen Data Continuity, Inc. EverGreen provides innovative data continuity solutions that integrate best practices for enterprise storage management, data protection, and business continuity planning. Contact the author via email through firstname.lastname@example.org.