You can't be overprepared: Disaster planning

If you think calamity happens only to other practices, think again. Experts say having a plan to cope in the aftermath of physical destruction is good business. Having one to safeguard electronic data is the law.

By Tyler Chin — Posted June 12, 2006


When experts advise physicians to have a detailed disaster plan in place -- so detailed it may seem ridiculous -- they point to examples such as Neil F. Notaroberto, MD.

The solo ophthalmologist thought he had a plan to withstand the worst calamity he could conceive: a fire. Then Hurricane Katrina came.

Fortunately for Dr. Notaroberto, his practice in Slidell, La., received relatively minor physical damage. But the hurricane did punch holes in what the physician thought was meticulous disaster planning. Dr. Notaroberto had extensively protected the practice's physical aspects: having off-site computer data backup, keeping old computer equipment in case current systems were destroyed, even keeping tabs on office space available for a quick move.

But he missed the human side. Employees fled in advance of the hurricane and had no way to contact each other. Nor were there arrangements for temporary housing. Dr. Notaroberto also didn't have his plan available for employees to consult. It was all in his head.

Still, Dr. Notaroberto was able to open his three offices about 21 days after the hurricane hit, becoming what he says was the first area ophthalmologist to reopen. He figures if his disaster plan had been complete, he could have re-opened a week earlier, when electric and telephone service had been restored.

"One thing I learned: You can never be overprepared for a disaster of any magnitude," Dr. Notaroberto said.

Most physicians won't be hit by a major hurricane, but plenty of other disasters threaten.

Having a detailed disaster plan is good business. It can minimize the time your practice is out of commission, as well as protect data and other resources.

Plus, HIPAA security regulations require practices to have a disaster recovery plan for electronic records. The rules state physicians must have a written analysis of the "risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information." Practices also need written plans for creating and maintaining copies of electronic data, a recovery plan to restore lost data, a plan for data protection during "emergency mode," and procedures for periodic testing to make sure data is protected.

Experts say the HIPAA requirements are a good starting point for creating a preparedness plan.

"The goal of the plan is to minimize the disruption and the cost to get back into business," said Steven S. Lazarus, PhD, president of Boundary Information Group, a health care technology consultancy in Denver and co-author of the Handbook for HIPAA Security Implementation, published in 2004 by AMA Press.

Physicians can hire experts to review or create a plan for $400 to $1,000 per practice, said John F. Jessop, senior consultant at Optimal Practice Solutions, a Grantham, N.H., health care technology consultancy. Or they can do it themselves.

The first step is determining what could go wrong.

"If you're living in Illinois, you stand more of a chance of getting hit by a tornado than you do living in New Hampshire, where you stand a greater chance of getting hit by a horrendous ice storm that can take down trees and power lines," Jessop said. Any practice could get hit by a flood, fire, or even a truck crashing through the front door. A power surge could shut down the computers. Someone could hack into your data from the outside.

The disaster plan itself might have some "in-case-ofs" depending on the calamity, but experts say many of the responses will be the same.

First, doctors should identify and make copies of critical documents, including health plan contracts and partnership agreements, Jessop said, noting that the copies should be stored on site and the originals off site in fire-proof containers.

Physicians also should implement "redundant" backups of their electronic data. This can be accomplished by backing up data on the network in real time and backing up data daily on servers and databases located both on site and off site. If one server fails, doctors can readily access information or transfer it to a replacement server later, Dr. Lazarus said.

Doctors also should check their property insurance policies. Business interruption or "time element" coverage enables the policyholder to continue to run the business in a setting similar to his old one in case of a disruption, said Eric Goldberg, assistant general counsel at American Insurance Assn., which represents more than 400 property/casualty insurance companies.

"It doesn't provide coverage if your business goes down for any reason," Goldberg cautioned. "It's got to go down for a covered clause of loss under your property and casualty policy."

Physicians should look at their policies carefully to determine what coverage they have and if it's adequate, Goldberg said. They also should ask carriers if they offer lower rates for practices with a disaster recovery plan. "There may or may not be a discount available, but it's certainly something worth asking," Goldberg said. "And as long as you're on the phone with your carrier, you might also want to ask if they are able to provide any assistance in helping you prepare some sort of a business continuity or disaster preparedness plan."

Once the disaster plan is written, physicians have to make sure that it's being followed. Matthew White, MD, a solo family physician in Lakewood, Wash., discovered a gap in his plan only after the building housing his practice was destroyed by arson. The plan called for daily backup of his data on magnetic tapes, but employees had failed to do it, Dr. White said.

Fortunately, his server survived the 2000 fire, and he was able to transfer information to a replacement server and work with the vendor of his practice management and electronic medical records software to resume operations at another location within three days.

"Now, I'm obviously quite a bit more careful about making sure that we have daily backups with no more than one week behind [and have it stored] off site," Dr. White said. He also backs up billing and electronic medical records databases onto a portable hard drive.

Between his and his landlord's property casualty policies, Dr. White was able to replace most everything he lost. He was aided by having extra for "replacement cost," which replaces damaged goods at today's prices, instead of "actual cash value" coverage, which factors in depreciation. "I never thought of insurance as part of a so-called disaster recovery plan, but it certainly is," Dr. White said.

Taking elaborate steps

Even before Katrina, Dr. Notaroberto was vigilant in disaster preparedness. He backs up his entire electronic records system monthly over the Internet, storing those backups off-site in Georgia and California, at a cost of $200 a month. When he upgrades computers, he stores the old equipment in his office, in case he needs equipment quickly. Twice a year, his office manager obtains a list of available commercial office space from Slidell's business development office.

But his plan never anticipated his offices being down at the same time. And, "the weakest part of the link was communication between me and my staff." He has since formalized a new disaster plan, put it in writing, designated one employee at each office to activate the plan in the event of an emergency, and specified to whom other employees would report. He also identified a central out-of-state phone number for employees to call -- his in-laws in New Jersey -- and had employees provide their e-mail addresses and phone numbers of their closest relatives in addition to their personal telephone numbers.

Dr. Notaroberto also vows that if a similar disaster strikes again, one of his first acts will be to rent hotel rooms, condominiums or trailers to house his staff.

"The other problem I found is that when people tried to come back, they could not because they had no place to live. There was no hotel space. That was all taken."



Ready for anything

To get started:

  • Identify risks specific to your locale that could affect your ability to operate and assess how to protect against them. For example, if you're in a flood-prone area, consider buying flood insurance.
  • Make copies of critical information such as insurance policies, health plan contracts, and employee, lease and payroll records. Store that information in a secure, off-site location.
  • Read your property and casualty insurance policy to ensure it provides adequate coverage, particularly for "business interruption" or "time element" coverage.
  • Consider "replacement cost" rather than "actual cash value" coverage for office equipment, including computers and furnishings.
  • Develop a data recovery backup plan for electronic health records.
  • Keep an accurate inventory of your equipment, software and software licenses.
  • Document the configuration of your computer network.
  • Make a video record of the contents of every room in your practice, to serve as proof of losses when you file an insurance claim.
  • Negotiate alternate office space in the lease agreement with your current landlord. In the event of an area-wide disaster, immediately contact real estate agents or hotels to line up alternate office space.
  • Compile an up-to-date contact list for local and state emergency management agencies, electrical utilities, telephone companies, qualified contractors, vendors, realtors and insurance agents. Store copies on-site and off-site.
  • Develop emergency evacuation procedures.
  • Familiarize staff with your disaster plan.

Sources: American Insurance Assn.; Boundary Information Group; Insurance Information Institute; John F. Jessop; Steven S. Lazarus, PhD; Optimal Practice Solutions; Neil F. Notaroberto, MD; Matthew White, MD.


Back up your data

If you subscribe to an application service provider, your monthly fee should include access to software applications and data backup over the Internet. If you have a client server system and are responsible for backing up your own data:

  • Scan or microfilm paper-based records.
  • Back up financial, clinical and other important electronic data on tape or other storage media on a daily basis.
  • Use separate tapes for every weekday. Back up the full system weekly, storing the most recent three weeks of tapes at a secure, off-site location.
  • Designate an employee to be responsible for backing up the data and make sure the task is being done.
  • Store backup tapes or other duplicate records in fireproof safety boxes.
  • Test the backup recovery process annually. If you use magnetic tapes, make sure the data is being recorded properly. Physicians should take pains to learn exactly how many times a tape can be reused, consultant John F. Jessop said. "I've been at practices where they have the same backup tape for years ... and the way they found that out is they had a failure, went to use the backup tape and the backup tape was garbage because they had used it so much."
  • Date and label the backup tapes.
  • Put the recovery plan in writing and store it on site as well as off site so employees can easily access it and know what to do. At least two employees in each office should know where the plan is stored.
  • Revise and review the plan whenever there is a change in the technology environment.
  • Keep an up-to-date list of names and phone numbers of employees and suppliers.
  • Store your data on a "redundant" server. For example, if you have two offices, you can have duplicate data on a second server in one office and on a third server in your second office.

Sources: American Insurance Assn.; Boundary Information Group; Insurance Information Institute; John F. Jessop; Steven S. Lazarus, PhD; Optimal Practice Solutions; Neil F. Notaroberto, MD; Matthew White, MD.


You neglected backups? There may still be hope of recovery

You had good intentions, but didn't get around to it. Or maybe you did back up your data regularly but something happened, and they're corrupted or your server suddenly fried. Don't panic.

Contact your health plan. It may be able to help you recreate your records based on claims-related information, a copy of your contract and other data you have submitted.

"We have all that sort of stuff stored electronically, so we would be able to access it on behalf of the doctor," said Joseph Mondy, an assistant vice president of information technology communications at Cigna. But the data Cigna could provide "would only be a slice of what that physician actually does [because] obviously a physician works with a lot of health payers and would have to be able to pull data from all of them," Mondy said.

Another option is to contact a data recovery business, which specializes in recovering data from computer hard drives. These services can cost thousands of dollars, and they "do not guarantee complete recovery of data," said John F. Jessop, senior consultant at Optimal Practice Solutions, a Grantham, N.H., health care technology consultancy.

The best treatment remains prevention. Physicians should diligently back up data and regularly check the quality of the backups. Otherwise, recovery is "a crapshoot, when instead of doing backups, you just let things go," Jessop said.


External links

U.S. Small Business Administration on disaster preparedness

U.S. Dept. of Homeland Security's Federal Emergency Management Agency how-to guide on disaster preparedness

Handbook for HIPAA Security Implementation from AMA Press
