This document discusses business continuity planning and documentation during EMR downtime. It begins by distinguishing between business continuity and disaster recovery, then discusses considerations for EMR downtime including financial costs. Methods for documentation during an outage like paper forms or electronic options are presented. The document concludes by describing a business continuity solution called VitalCenter that allows providers to continue seeing patients and documenting visits electronically during an EMR outage.
Our Team
Best in KLAS – HIT Implementation Staffing and Support
Clinical workflow and operations experts
Average Staff HIT Experience: 12 Years
Our company culture - Strive for success, you get the entire Galen team behind every project
Cross-section of clinical and non-clinical healthcare application expertise
2.0MM Hours Healthcare Experience
280 Customers served in the last 2 years
Boutique, healthcare-focused services & solutions company
For over a decade, Galen has built a solid reputation of providing high-quality, expert level IT consulting services to health systems, hospitals and physician practices.
The foundation of our growth and success can be attributed to our people. It’s what we care about as a company that makes us unique.
Our Value Proposition:
We transform data into actionable, profitable information
Provide world-class Technical & Professional Services to healthcare organizations that interoperate, aggregate, convert, harvest and optimize clinical patient information within their multi-vendor systems portfolio including Practice Management, Electronic Health Record & Health Information Exchange.
Deliver a suite of fully-integrated Products that enhance, automate, and simplify the access and use of clinical patient data within those systems to improve cost-efficiency and quality outcomes.
Paper Charts versus EMR
Paper Charts
Not affected by loss of Internet
Perhaps some workflows are electronic, but for the most part, workflows are paper-based
No reliance on software
When software is involved, there is the possibility the software breaks down
No fees for software
No interfaces to other systems
Incoming documentation delivered via mail, fax, patient, etc.
Charts are centrally located
No backups made
If destroyed, typically cannot be recovered
Electronic Medical Record (EMR)
Increased reliance on technology
Patient care relies on the EMR
EMR and interfaces rely on internal network and Internet
Increased costs
Infrastructure costs, staff costs, software costs, underlying licensing costs such as OS and SQL licenses
Learning curve
Need to learn new software
New features introduced
UI changes
BC focuses on non-IT-related aspects such as key personnel, facilities and crisis communication
DR is focused on the technology infrastructure, and a disaster is any event that can compromise the proper operation of an organization’s system, data and network.
Data integrity problem – one or more patient records updated incorrectly or deleted, hacking, data corruption
Data availability problem – EMR down, server down, network down, PC down, power out, ransomware
AKA Downtime
Environmental problem – natural disaster, office unavailable, hazardous material spill
Personnel problem – loss of vital knowledge
Privacy problem – loss of data, not properly wiping hard drives, losing a laptop, hacking
Duration – if nothing changes, for how long will we be unable to see patients?
Severity – how severe is the disaster? What is the possibility it will get worse?
Patient Scope – will this disaster affect all patients or just a subset?
Physical Scope – is the disaster limited to a certain location or area within a particular location, or is the disaster affecting all areas of the business?
Financial – loss of income during event, cost of data recovery, loss of future income, HIPAA privacy violation penalties, which are now greater under HITECH, litigation costs
Patient trust – publicity/stigma of HIPAA/privacy violations, patients being turned away from office visit because of downtime
Patient safety – down systems prevent accurate, quality patient care
The overall objective of a HIPAA risk analysis is to document the vulnerabilities to the confidentiality, integrity, or availability of ePHI and determine the appropriate safeguards to bring the level of risk to an acceptable and manageable level.
Identify what data your organization needs to protect and where that data is at rest and where it goes in motion. This can then provide the basis for your security policies, practices, and technologies you implement to protect all such data.
HIPAA Risk Assessment Scope
Administrative Safeguards
• Risk analysis procedures and demonstration of a risk management process;
• Policies and procedures relevant to operational security, including business associate security requirements;
• Information access restriction requirements and controls;
• Incident response procedures and disaster recovery plan; and
• Evidence of periodic technical and nontechnical reviews.
Physical Safeguards
• Physical access controls, such as building access and appropriate record keeping;
• Policies and procedures for workstation security; and
• Proper usage, storage, and disposal of data storage devices
Technical Safeguards
• Auditing and audit procedures;
• Use of encryption devices and tools;
• Implementation of technology to ensure ePHI confidentiality, integrity, and availability
A typical DRP process begins with a business impact analysis (BIA). The BIA is the foundation of any sound DRP, and it complements the risk assessment by utilizing the information generated during that process. The main difference between these analyses is that the HIPAA risk assessment focuses on data security and potential adverse events, while the BIA focuses directly on the operational impacts to the business. The BIA reviews what losses will be incurred if the system goes down. The importance of each downed application is ranked highest to lowest, along with the financial impact of each.
Identify/define potential disasters
Prevent disaster - minimize opportunity for disasters
Preparing for disaster – ensure all resources are available to cope with and recover from disaster, as not all disasters are preventable
Coping with downtime – operating procedure for downtime and business continuity plan
Recovering from disaster – how to resume normal operation
What to do when EHR is back up?
Scan forms in
Manual data entry
Disorganization leading to staff and patient stress
Hot site: fully equipped data center with servers that can be online within hours. Typically completely duplicated hardware-wise. This is the most-expensive option.
Warm site: provides basic infrastructure and functionality but requires some lead time to get the servers up and running. A warm site is a less-expensive option, but could take up to a week to bring online.
Cold site: secure standby location with no equipment or data; equipment must be brought in and configured, which could take up to a month to be operational.
Community Support
Knowledge center with whitepapers, playbooks, guides.
Our contribution to move healthcare IT forward
Freely sharing our unique perspectives, our knowledge and our experience
Over 622 blog posts
Over 213 complimentary webinars delivered
Visit our knowledge center - galenhealthcare.com/knowledge-center/
Visit our wiki – wiki.galenhealthcare.com
Visit our Blog – blog.galenhealthcare.com