You can't be overprepared: Disaster planning
■ If you think calamity happens only to other practices, think again. Experts say having a plan to cope in the aftermath of physical destruction is good business. Having one to safeguard electronic data is the law.
By Tyler Chin — Posted June 12, 2006
- WITH THIS STORY:
- » Ready for anything
- » Back up your data
- » You neglected backups? There may still be hope of recovery
- » External links
- » Related content
When experts advise physicians to have a detailed disaster plan in place -- so detailed it may seem ridiculous -- they point to examples such as Neil F. Notaroberto, MD.
The solo ophthalmologist thought he had a plan to withstand the worst calamity he could conceive: a fire. Then Hurricane Katrina came.
Fortunately for Dr. Notaroberto, his practice in Slidell, La., received relatively minor physical damage. But the hurricane did punch holes in what the physician thought was meticulous disaster planning. Dr. Notaroberto had extensively protected the practice's physical aspects: having off-site computer data backup, keeping old computer equipment in case current systems were destroyed, even keeping tabs of office space available for a quick move.
But he missed the human side. Employees fled in advance of the hurricane and had no way to contact each other. Nor were there arrangements for temporary housing. Dr. Notaroberto also didn't have his plan available for employees to consult. It was all in his head.
Still, Dr. Notaroberto was able to open his three offices about 21 days after the hurricane hit, becoming what he says was the first area ophthalmologist to reopen. He figures if his disaster plan had been complete, he could have re-opened a week earlier, when electric and telephone service had been restored.
"One thing I learned: You can never be overprepared for a disaster of any magnitude," Dr. Notaroberto said.
Most physicians won't be hit by a major hurricane, but plenty of other disasters threaten.
Having a detailed disaster plan is good business. It can minimize the time your practice is out of commission, as well as protect data and other resources.
Plus, HIPAA security regulations require practices to have a disaster recovery plan for electronic records. The rules state physicians must have a written analysis of the "risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information." Practices also need written plans for creating and maintaining copies of electronic data, a recovery plan to restore lost data, a plan for data protection during "emergency mode," and procedures for periodic testing to make sure data is protected.
Experts say the HIPAA requirements are a good starting point for creating a preparedness plan.
"The goal of the plan is to minimize the disruption and the cost to get back into business," said Steven S. Lazarus, PhD, president of Boundary Information Group, a health care technology consultancy in Denver and co-author of the Handbook for HIPAA Security Implementation, published in 2004 by AMA Press.
Physicians can hire experts to review or create a plan for $400 to $1,000 per practice, said John F. Jessop, senior consultant at Optimal Practice Solutions, a Grantham, N.H., health care technology consultancy. Or they can do it themselves.
The first step is determining what could go wrong.
"If you're living in Illinois, you stand more of a chance of getting hit by a tornado than you do living in New Hampshire, where you stand a greater chance of getting hit by a horrendous ice storm that can take down trees and power lines," Jessop said. Any practice could get hit by a flood, fire, or even a truck crashing through the front door. A power surge could shut down the computers. Someone could hack into your data from the outside.
The disaster plan itself might have some "in-case-ofs" depending on the calamity, but experts say many of the responses will be the same.
First, doctors should identify and make copies of critical documents, including health plan contracts and partnership agreements, Jessop said, noting that the copies should be stored on site and the originals off site in fire-proof containers.
Physicians also should implement "redundant" backups of their electronic data. This can be accomplished by backing up data on the network in real time and backing up data daily on servers and databases located both on site and off site. If one server fails, doctors can readily access information or transfer it to a replacement server later, Dr. Lazarus said.
Doctors also should check their property insurance policies. Business interruption or "time element" coverage enables the policyholder to continue to run the business in a setting similar to his old one in case of a disruption, said Eric Goldberg, assistant general counsel at American Insurance Assn., which represents more than 400 property/casualty insurance companies.
"It doesn't provide coverage if your business goes down for any reason," Goldberg cautioned. "It's got to go down for a covered clause of loss under your property and casualty policy."
Physicians should look at their policies carefully to determine what coverage they have and if it's adequate, Goldberg said. They also should ask carriers if they offer lower rates for practices with a disaster recovery plan. "There may or may not be a discount available, but it's certainly something worth asking," Goldberg said. "And as long as you're on the phone with your carrier, you might also want to ask if they are able to provide any assistance in helping you prepare some sort of a business continuity or disaster preparedness plan."
Once the disaster plan is written, physicians have to make sure that it's being followed. Matthew White, MD, a solo family physician in Lakewood, Wash., discovered a gap in his plan only after the building housing his practice was destroyed by arson. The plan called for daily backup of his data on magnetic tapes, but employees had failed to do it, Dr. White said.
Fortunately, his server survived the 2000 fire, and he was able to transfer information to a replacement server and work with the vendor of his practice management and electronic medical records software to resume operations at another location within three days.
"Now, I'm obviously quite a bit more careful about making sure that we have daily backups with no more than one week behind [and have it stored] off site," Dr. White said. He also backs up billing and electronic medical records databases onto a portable hard drive.
Between his and his landlord's property casualty policies, Dr. White was able to replace most everything he lost. He was aided by having extra for "replacement cost," which replaces damaged goods at today's prices, instead of "actual cash value" coverage, which factors in depreciation. "I never thought of insurance as part of a so-called disaster recovery plan, but it certainly is," Dr. White said.
Taking elaborate steps
Even before Katrina, Dr. Notaroberto was vigilant in disaster preparedness. He backs up his entire electronic records system monthly over the Internet, storing those backups off-site in Georgia and California, at a cost of $200 a month. When he upgrades computers, he stores the old equipment in his office, in case he needs equipment quickly. Twice a year, his office manager obtains a list of available commercial office space from Slidell's business development office.
But his plan never anticipated his offices being down at the same time. And, "the weakest part of the link was communication between me and my staff." He has since formalized a new disaster plan, put it in writing, designated one employee at each office to activate the plan in the event of an emergency, and specified to whom other employees would report. He also identified a central out-of-state phone number for employees to call -- his in-laws in New Jersey -- and had employees provide their e-mail addresses and phone numbers of their closest relatives in addition to their personal telephone numbers.
Dr. Notaroberto also vows that if a similar disaster strikes again, one of his first acts will be to rent hotel rooms, condominiums or trailers to house his staff.
"The other problem I found is that when people tried to come back, they could not because they had no place to live. There was no hotel space. That was all taken."