Emergency Preparedness Best Practices

In the wake of two damaging hurricanes, emergency preparedness is top of mind for many Covered Entities and Business Associates. The goal of emergency preparedness is to ensure that electronic protected health information (ePHI) is secure and that its confidentiality, integrity, and availability are not jeopardized either during or after an emergency.

Effective emergency preparedness consists of having a contingency plan that includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan. The data backup plan ensures that you have accurate backups of the ePHI, while the disaster recovery plan is how you recover from those backups. The emergency mode operation plan outlines how ePHI will remain secured during the course of the emergency. While not specifically required, your organization should consider testing your contingency plan and revising it as necessary.

When putting your plan together, you can follow a seven-step process:

  1. Assess your situation;

  2. Identify risks;

  3. Formulate an action plan;

  4. Decide if and when to activate your plan;

  5. Communicate the plan;

  6. Test the plan; and

  7. Treat the plan as an evolving process.

While this process is linear, these steps can take considerable time to finalize.  If you don’t have a contingency plan in place now, you should begin the process to develop and implement one as soon as possible.

Plan Now For New CMS Emergency Preparedness Rule

Last fall, CMS released new rules for emergency preparedness activities. The types of facilities that must comply by November 15, 2017 are wide-ranging and include:

  • Community Mental Health Centers;
  • Hospitals;
  • Long-term care facilities;
  • Rural health clinics; and
  • Federally Qualified Health Centers.

In total, there are 17 types of organizations that must comply. Penalties for non-compliance can include loss of Medicaid and Medicare funding.

The Final Rule was intended to be flexible and therefore is not detailed. However, three primary elements of the rule are safeguarding human resources, maintaining business continuity, and protecting physical resources.

Five tasks will need to be completed to fully comply with the new rules:

  • Perform a risk assessment which focuses on the likely risks to the institution;
  • Develop emergency plans based on the risks identified in the risk assessment;
  • Develop communications plans to provide timely notification in times of emergency;
  • Develop policies and procedures to ensure successful execution of emergency plans; and
  • Train staff and test plans to ensure all necessary personnel are prepared to fill their designated role if needed.

This type of planning will take many weeks, if not months, to complete. It is advised that you begin to prepare now in order to be compliant by the November 15, 2017 deadline. Please let us know if you have any questions during your preparation.