May 14, 2007
Ready for an Emergency? Don’t Wait to Find Out
By Patrice L. Spath, BA, RHIT
For The Record
Vol. 19 No. 10 P. 20
Does your facility have plans in place to cope with a disaster? What would happen to the HIM department in an all-hands-on-deck situation? This article offers pointers on how to keep patient care running as smoothly as possible during a crisis.
While the September 11 and Hurricane Katrina tragedies brought disaster planning to the forefront, destruction of patient records from man-made and natural disasters has always been a possibility. HIM departments cannot afford to adopt a wait-and-see attitude, nor is it enough to hope for the best. The best only happens when it has been thought about and carefully planned.
Healthcare organizations must plan for the multiple consequences of all disasters. These adverse events may be internal or external, natural, technical, or man-made. A disaster, such as an industrial accident, that requires the provision of emergency health services to large numbers of individuals may stretch a healthcare organization’s resources even when the facility is not physically affected. When the facility’s physical resources are compromised by environmental conditions, such as wind and water damage from a hurricane, delivery of care may become particularly challenging.
Whatever the cause, healthcare organizations must be prepared to respond to the disaster so patient care and the business processes essential to patient care are not interrupted. Health services are information-intensive, and information management is a critical operational and strategic resource that must not be compromised in a disaster situation. Loss of all or a portion of the institution’s information system functionality can quickly compromise clinical and business processes. Destruction of paper or electronic data can have far-reaching effects, including patient injury, legal liability, and significant financial loss to the organization.
Many facilities have an emergency disaster plan for dealing with patient care priorities, but the plan for handling IT disasters may be vague or nonexistent. Although patients’ well-being is important during a disaster, institutions also need to protect the technology supporting patient care. Anticipating and preparing for management of and recovery from information system disasters is just as important as preparing for the continuation of patient care in the event of a disaster.
As healthcare organizations rapidly increase their dependence on digital information capture and real-time data analysis to provide patient care, protection of IT becomes critical. Electronic information systems fail for many reasons, relatively few of which are attributable specifically to defects in system hardware or software. It is not enough to have an emergency plan that only deals with maintaining patient care functions; healthcare institutions must also have an IT disaster recovery plan. Information system disasters are, unfortunately, always a moment away. While you cannot totally immunize your organization against this threat, you can protect your information systems from potentially devastating effects.
Disaster Planning Requirements
Accreditation groups and several regulatory agents require formalized disaster recovery plans. For example, organizations seeking accreditation from The Joint Commission must show evidence of compliance with published standards, which include disaster planning and protection of information resources.
The Joint Commission information management standards require evidence of planning for and assurance of data and information security, broadly stated as protection "against loss, destruction, tampering, and unauthorized access or use." This requirement encompasses issues of confidentiality, or protection of a patient's privacy rights concerning health information, and security, which address the operational requirements of maintaining an information system. The information management standards cover patient care and business data systems. Therefore, planning for information systems protection and recovery should encompass both information systems.
The accreditation standards of other organizations have requirements similar to those of The Joint Commission. For example, the Accreditation Association for Ambulatory Health Care requires organizations to have a comprehensive emergency plan that addresses internal and external emergencies and the necessary personnel, equipment, procedures, and training to carry out the plan. The Commission on the Accreditation of Rehabilitation Facilities standards require disaster planning, including a plan for providing critical patient care information during service disruptions.
Developing Your Plan
HIM departments should follow three steps to develop and maintain an emergency preparedness plan for information system disasters: gather information; formulate and test the plan; and plan maintenance.
Gather Information
First, determine who should be involved in formulating the information system disaster plan. In a hospital setting, the chief information officer or HIM department director will probably take the lead in mobilizing the disaster team. People directly involved in patient care and business processes should be represented on the work group charged with plan development and maintenance. A multidisciplinary approach will ensure that the mission-critical information technologies and processes in each specialty area are considered.
Once the team is formed, conduct an impact assessment. Have the team members answer questions, such as the following:
• What are the most critical information functions or systems in my unit/department?
• Are these paper-based or electronic systems?
• Which of these systems are most critical to patient care? to business processes?
• What would be the impact if these systems were severely interrupted?
Documenting information management technology, systems, and processes already in place is a crucial starting point in the disaster recovery planning process.
Next, conduct a disaster risk assessment. The risk will vary by type and cause of the disaster (see Figure 1). Determine what types of disasters may compromise your organization’s health information system and the relative risk of an occurrence. Whenever possible, risk assessments should be based on historical trend data and input from knowledgeable people in the community.
Planning for a disaster doesn't require that you accurately identify every potential event that may occur. What disaster planning boils down to is answering the question: How can we best prepare for any sort of interruption to our information systems? The information-gathering phase should include meetings with steering and work teams, a tour of the facility, collection of current documentations, and question-and-answer sessions.
Then develop a recovery strategy. Determine how you will operate during a severe disruption of services to ensure that all critical information management functions can be performed. How will you get the HIM department back up and running?
Review your on-site and off-site backup and recovery procedures. For example, are you backing up critical patient information that is stored electronically? What provisions do you have for backing up critical paper-based information systems? Will backup information be affected if a fire or flood occurs in your building? How will electricity outages affect access to primary and backup information sources? Avoiding these types of disasters may be as easy as scanning a file. Document imaging and electronic medical records make relocation of critical patient information as easy as loading the data onto a disk. Another benefit to electronic records is the ability to store critical information at an off-site facility or on the Internet.
What if you can no longer perform work in your facility? Do you have an alternative location where information management functions can be performed? Explosions, earthquakes, fires, tornados, hurricanes—these phenomena can damage or destroy a facility. Getting patients and medical professionals out of the building and into another is one problem; getting patient records transferred is another. If a hospital has a computerized charting system, the information can be downloaded onto a disk, while hard copies of charts must be gathered and carried out.
Don’t overlook emergency situations that may occur in your community. While your healthcare facility may not be directly impacted by a tornado, hurricane, earthquake, or public transportation accident, patient information may need to reach caregivers at the disaster scene. How will you communicate critical patient information to rescue personnel? Do you have communication equipment that can quickly, accurately, and securely relay information from the hospital to those in the field?
The amount of time and financial resources that will be expended to prepare and maintain disaster recovery plans—plans you hope never to implement—will vary among organizations. The degree of risk an institution is willing to accept should be based on an educated judgment about the likelihood given events will occur and the liability associated with failure to prepare for the eventuality.
Formulate and Test the Plan
Once the disaster risks and possible recovery plans have been identified and thoroughly discussed, it’s time to write the emergency preparedness plan, which should document all components and steps, from recognizing a disaster and what to do during recovery to how information services will be restored.
The information systems disaster plan should be contained in a notebook kept at the institution, employees’ homes, and any off-site data storage facilities. The notebook should include sections on the current environment, as well as the recovery environment and action plans to follow at the time of a disaster or severe disruption—specifically, describing how recovery (as defined in the strategies) for each system, process, and application is accomplished. If technology plays a key role in managing patient care information, the disaster plan should also include information about network configuration, communications closet layouts, cable diagrams, port connections, server configuration, and back-up schedules.
Be sure to test the plan before an actual disaster. This will allow everyone in the organization to practice their responsibilities and will also help to reveal any shortcomings. Testing can be done through the creation of sample scenarios that simulate likely problems. Once staff have reacted to these scenarios, detailed scripts can be written describing the steps to take in case of such an event. These scenarios and scripts should be added to the disaster plan notebook to serve as learning resources for everyone in the organization. The better prepared the organization is, the faster the recovery will be if a disaster actually occurs.
Plan Maintenance
For numerous reasons, many disaster recovery plans are inadequate to guide action when a disaster occurs. For example, the written plan may not have been updated when an information system was upgraded or reconfigured, or it may not address a specific event.
Although the disaster recovery process may never be put into action, the plan should not become obsolete. When changes occur in the work force, system, equipment, or process, the plan needs to be updated. The information management disaster team should hold regular meetings—quarterly is ideal—to discuss any new technologies or processes that may have been added. The team should also test disaster scenarios and develop new action plans, if necessary, to maintain and refine the plan. The information systems disaster plan notebook should be updated appropriately and the changes communicated throughout the organization.
As organizations become more dependent on data communication networks and telecommunications, it is critical to be able to recover quickly from a disaster. A professional audit, at least biennially, of all systems and vendors involved may be necessary to maintain the proper links of communication and ensure the integrity of the disaster recovery plan.
Managers must attempt to avoid disasters by aggressively looking for weak areas within the recovery plan. Frequent testing and improvement of the plan are more desirable than demonstrating a successful recovery in a disaster situation. Many organizations become overconfident in their plans, thinking that they’ve anticipated every possible scenario and recovery strategy. In many instances, the plan will not apply to the disaster that has occurred, especially if organizations do not update their plans frequently enough to maintain current information. Because of ongoing internal changes in healthcare organizations, an information disaster plan can become outdated in as little time as one business quarter. Organizations cannot afford to put emergency preparedness on the back burner. Yearly funding must be set aside to keep the information disaster and recovery plan current and valuable for use.
Be Prepared
Healthcare organizations must practice preventive medicine within their information infrastructures. IT is becoming the backbone of hospitals, clinics, and doctors’ offices. More providers are implementing electronic patient record systems, and network configurations between hospitals and remote clinics now allow for instantaneous transfer of patient data. If these technologies are disrupted during a disaster, then patient services are threatened. While disasters are, by nature, sudden and destructive, they should not be unexpected, and they don’t have to destroy caregivers’ ability to access critical patient information. A well-executed and maintained recovery plan that specifically addresses information management problems is the best prescription for continuity of patient care during the worst of disasters. Use the checklist in Figure 2 to evaluate the completeness of your information system disaster management strategy.
Failure to prepare can have other unintended consequences, such as permanent damage to the institution’s customer base. For example, if an individual receives excellent care from a new healthcare provider during a highly emotional and critical time such as a disaster situation, the patient may feel a new alliance has been formed and abandon the original provider.
Disaster recovery planning consists of three principal sets of activities:
• identifying the common elements of plausible disruptions that might severely hamper critical or important HIM operations;
• anticipating the effects that might result from these operational disruptions; and
• developing and documenting contingent responses so that recovery can occur as quickly as possible.
Severe disruptions can arise from several sources: natural disasters, technical failures, and human actions. While an organization may not be able to prevent any of these disruptions, planning enables it to resume essential information system operations more rapidly than if no plan existed.
Preparedness for response and continued operation of a healthcare organization following a disaster must encompass two facets: continuation of patient care delivery and continuation of business processes. Ensuring continuation of these processes is no less important when the disaster situation affects the organization’s information resources than when the physical facility is damaged. Delivery of healthcare is an information-intensive process, and the technology associated with data capture and information management is a critical operational and strategic resource. Information disaster management is not an end in itself, but one part in the much larger process of organizational governance and risk avoidance.
— Patrice L. Spath, BA, RHIT, is a healthcare quality specialist, author of 101 Tools for Improving Health Care Performance, a partner in Brown-Spath & Associates (www.brownspath.com), an assistant professor in the department of health services administration at the University of Alabama in Birmingham, and a contributing editor at For The Record.
Resources
The American Medical Association has developed several disaster preparedness resources. These can be found on the organization’s Web site, www.ama-assn.org/go/disasterpreparedness
ARMA International has developed several disaster recovery tools. Excerpts from two chapters of the book, Emergency Management for Records and Information Programs, as well as other resources can be found on the association’s Web site, www.arma.org
Bumington-Brown J, Hughes G. Practice Brief: Disaster Planning for Health Information (updated). Available at: http://library.ahima.org/xpedio.