For the first time in the healthcare industry in the United States, business continuity planning and disaster recovery capability will become mandatory for all healthcare organizations. The Health Insurance Portability and Accountability Act (HIPAA), passed by the US Congress in 1996, has as part of its phased implementation "Security Guidelines," (referring to information security), which mandate that all healthcare organizations using healthcare data comply with data security and business continuity standards within two years. The final regulations were published in the Federal Register at the end of 2000. The "Security Guidelines", with business continuity requirements, are expected in early 2001. The penalties and fines for noncompliance will be substantial. Any organization not showing due diligence in starting this process will be in noncompliance. This legislative mandate has a strategic goal of reducing costs in healthcare by standardizing data processing, as a prelude to establishing a centralized clearinghouse for claims processing, similar to the financial industry. The financial industry is highly regulated and audited for business recovery capability by both the federal and state governments.
Currently, healthcare providers in the US are visited approximately every three years (pressure is being exerted to make this more often and even surprise) by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), which grades the entire environment of care. It is voluntary for a healthcare organization to submit to a JCAHO inspection (a high grade confers prestige), but the JCAHO does not have enforcement power and also does not consider business recovery during the inspection. It is not clear at this time which agency will be the enforcement arm of the federal government for HIPAA.
Medical centers in the US, especially in California, have well documented and well practiced emergency response plans. Healthcare providers in California have experience in "battlefield medicine," due to a high level of societal violence and the regular occurrence of natural disasters such as earthquakes. Business recovery is different in that it considers what happens when the emergency response triage period of 24 or 48 hours is over. The business continuity plans that start implementation at the time of the disaster come to fruition while the triage period is happening, enabling the recovery of critical business functions and supporting information technology within the specified Recovery Time Objective (RTO). In healthcare, business recovery planning by definition has an automated systems focus and works with the information technology dependent business functions in the planning process. Medical care can be provided without computers or technology of any kind in triage mode, but in a matter of days when the emergency response phase is winding down, dependency on information technology increases because the goal is to return to as close to normal operations as possible. Imagine the difficulty in scheduling appointments over a diverse and geographically dispersed healthcare system without information technology.
Business Continuity According to HIPAA
The Health Care Financing Agency, part of the US Department of Health and Human Services, convened a task force to write the "Security Guidelines," which contains a section on Business Continuity Planning and Disaster Recovery. This task force, composed of experts in information security and business recovery from healthcare and other industries, utilized standard business continuity methodology in writing "to-the-point" guidelines.
The primary "bullet" points are shown below. The detailed sub-points are available at www.disaster-resource.com.
Contingency Planning General Elements
• Mapping of critical business functions to specific computer applications.
• Mapping the computer applications to the platform technologies.
• Impact of the business cycles (quarter end, year end) to contingency plans.
• Regular update and review of contingency plans.
• Clear statement of risk assumption.
• Definition of minimum acceptable level of service and detailed actions to get to that level.
• Management prioritization and signoff on prioritization recommendations.
Procedures To Be Established
• Work Around
• Emergency Operations Center (EOC).
• Crisis management guidelines.
• Public relations/media interaction guidelines.
• Emergency notification process and responsibilities.
• Hardcopy of local backup strategies.
• Key vendor information.
• Recovery logistics.
• Human elements.
• Teams composition: skill set match, training, testing.
• Specific procedures for activation and deactivation, including triggers.
• Responsibilities/accountabilities during contingency operations.
Voice communications recovery planning must be done related to the overall contingency plan as well as the specific critical business units.
History of HEICS
In the 1980s, an inter-agency cooperative effort was formed to develop a common organizational system which fire protection agencies could use in response to a very large incident, as well as smaller, day to day operations. The cooperative plan, known as Firescope, produced a management system that has become standard operating procedure across the United States - Incident Command System (ICS).
In 1987, the Hospital Council of Northern California completed work on an adaptation of ICS to hospital emergency response functions. This work served as the cornerstone of the original version of HEICS (1991) developed by Orange County Emergency Medical Services.
The HEICS structure is a chain of command which incorporates four sections under the overall leadership of the Emergency Incident Commander (IC). Each of the four sections - Operations, Logistics, Planning and Finance - has a Section Chief. The hospital or organization's disaster/emergency plan must be modified to incorporate the newly developed business recovery team structure.
There should be an Emergency Operations Center (EOC) and emergency management system in place that incorporates business recovery teams and the infrastructure necessary to support recovery. HEICS must therefore be modified to incorporate business recovery concerns. Existing HEICS job action sheets (checklists) should be expanded. Disaster drills and exercises should include business recovery elements.
General Infrastructure Functions that Enable Business Recovery
• Emergency management.
• Administrative support.
• Damage assessment.
• Facilities preparation.
• Site restoration.
• Human resources.
These functions are part of the HEICS framework and are included in the Emergency Response/Disaster Plan required by JCAHO. The checklists for HEICS need to be expanded in these areas to include business recovery detailed tasks. For more details related to HEICS and business recovery as well as Business Impact Analysis and detailed action steps related to recovery, For more details see www.disaster-resource.com.
Business Impact Analysis and Risk Assessment
The key to developing an effective business continuity plan is to perform a Business Impact Analysis (BIA) which identifies the critical business functions and supporting information technology and support functions necessary to meet the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is how fast the business units need to have that function up and running. RPO is the most recent point in time to which systems can be restored, reflecting the amount of data that can be lost without adversely affecting the organization. The RPO reflects the timeliness of the data stored offsite, and all critical business functions' data that interfaces must be synchronized to the same point in time or the databases may become corrupted. The shorter the RTO and RPO, the more complex, technological, and expensive the recovery plans become.
Financial institutions require services back online in hours, not days, while most healthcare providers require emergency response immediately but business recovery within 48 hours. Financial institutions cannot afford to lose more than minutes worth of data, so develop recovery plans that include electronic mirroring or shadowing, where online data is captured real time in both the production and backup environments. In the healthcare environment, the critical business functions are not likely to be Emergency Medicine, Surgery, and Orthopedics since they are not particularly technology dependent, especially during the triage period.
It is estimated that HIPAA compliance could cost the healthcare industry in the United States more than the amount expended on Y2K preparedness. In addition, there are new regulations concerning the earthquake retrofits of hospitals that could price many standalone community hospitals out of the market. There will be a trend towards a larger percentage of the population, especially in California, obtaining medical care from large health care systems such as HMOs. Large health care systems are growing even larger with mergers and acquisitions.
Large health care systems become ever more dependent on information technology to keep the business running. Thus, the business continuity planning process is increasingly complex, but nevertheless must keep the focus on the planning process as business function driven. Recovery solutions must be developed at the same time as healthcare providers strengthen their emergency preparedness efforts.
HIPAA will finally mandate business continuity planning in the healthcare industry, which along with stepped up emergency response capabilities, will prepare US healthcare organizations for the disasters to come.
Visit www.disaster-resource.com for the unabridged version of this article complete with checklists for plan development.