EHR disruptions: Do you have a Plan B?

We’ve all lived through them – power outages, computer malfunctions, etc. And, for the most part, they are minor inconveniences. But for healthcare institutions, disruptions such as these can mean the inability to access patient health records and that can literally mean the difference between life and death.

Add in the recent incidences of cyberattacks on hospitals, and it’s clear there is a need for electronic health record (EHR) contingency plans.

The good news, a recent study conducted by the Office of Inspector General at the U.S. Department of Health and Human Services found that almost all (95 percent) of the 400 hospitals surveyed had a written EHR contingency plan. The bad news is that only two-thirds reported that their contingency plans addressed the four HIPAA requirements reviewed by the OIG:

• Having a data backup plan: Nearly all hospitals reported that they maintained backup copies of their EHR and of those that did, almost all reported backing up data at least once a day.
• Having a disaster recovery plan: About three-quarters of hospitals reported having alternate sites, and almost half of them reported the ability to transfer EHR operations within the recommended right hours.
• Having an emergency-mode operations plan: Nearly all hospitals reported supplying staff with paper forms to document care during EHR disruptions and nearly all hospitals also reported having generators and uninterruptible power systems.
• Having testing and revision procedures: Less than three-quarters of hospitals reported that their EHR contingency plans or equivalent alternative plans addressed testing and revision procedures. HIPAA permits hospitals to address testing and revision in an equivalent alternative.

The report noted that some of the hospitals without contingency plans were developing them at the time of the questionnaire because they had only recently adopted EHR systems. Others noted that they had implemented practices related to contingency plans, but did not document those practices in policies or procedures.

If your healthcare facility has experienced an unplanned EHR disruption, you are not alone. The survey found that for the year preceding the questionnaire, 59 percent of hospitals reported an unplanned EHR disruption that made their system unavailable to hospital staff. One-fifth of those reported disruptions that lasted more than 8 hours.

Hardware malfunctions accounted for the largest percentage of disruptions (59 percent), followed by Internet connectivity problems (44 percent) and power failures (33 percent). Natural disasters accounted for 4 percent of the disruptions and a hacking incident accounted for 1 percent.

One of the biggest concerns of these disruptions, of course, is related to patient care and 24 percent of those with unplanned EHR disruptions reported it resulted in a delay of care.

Since the survey, which was begun in 2015, awareness of cybersecurity threats to health information has increased. In January, a California hospital reported a ransomware attack that disabled its network and EHR system for a week, leading to delayed patient care and the need to send patients to other facilities. In March, the Washington, D.C.-area hospital chain Medstar became the victim of another cyberattack that crippled its system, forcing staff to revert to paper records.

Not only can these cyberattacks take down a health system’s computer system, it can result in patient data falling into the wrong hands. While healthcare facilities have made great strides in recent years to protect their systems, much still needs to be done to ensure they do not become vulnerable to attack. It is imperative that healthcare facilities find vulnerabilities and constantly update their systems to meet today’s new challenges.

The Health Law Offices of Anthony C. Vitale assists clients with EHR/OCR audits as well helping providers with contingency plans in situations where the software is interrupted for reasons of unknown origin. If you have any questions or concerns, feel free to contact The Health Law Offices of Anthony C. Vitale at 305-358-4500 or email us at info@vitalehealthlaw.com.