The lyric “let’s get physical” from the 1981 hit by Olivia Newton-John comes to mind when we start talking about the various components of a disaster recovery plan (DRP) in healthcare. You don’t have to don your neon leggings, legwarmers or headband to get on board. You can get started by asking a few key questions about critical components of your DRP to ensure physical safeguards around PHI are addressed.
In a recent blog entitled “Leveraging IG to Enhance Your Preparedness for Hurricane Season”, Karen Snyder, director of Healthcare & Life Sciences Channels & Solutions at Iron Mountain, outlines key steps for disaster planning. Step 1 is to establish data backup and disaster recovery plans. Those plans should address physical records, including paper, images, microfilm, microfiche, slides and blocks, as well as other considerations, for ensuring that PHI is protected and can be quickly accessed for continuity of patient care. Consider the following physical aspects when developing your disaster recovery plan:
1. Where is your DRP stored and how will you ensure access in the event your systems, intranet or entire site goes down?
Consider saving your DRP on an application that can be accessed in the event that your intranet is down.
Does staff know where the DRP is, and are they familiar with the plan as well as their individual responsibilities for protecting physical records?
IG practices require a DRP that has been vetted, approved and tested, and staff who have been educated on it.
2. Do you know where PHI is located?
Consider paper records containing PHI. You may still have some paper records onsite in HIM. But also, think outside the HIM department. What about hospital departments or provider-based clinics? Do you have an inventory of paper records? Are those records classified so you can easily identify those with protected health, personally identifiable or confidential business information?
Consider laboratory specimens, blocks and slides.
Consider images and monitor strips that aren’t part of the paper or electronic medical record and may be filed in special file systems or cartons.
Consider PHI physically stored on other types of media, such as discs or thumb drives.
Prepare an inventory of where all PHI and critical business records are housed whether paper-based, electronic, or on other types of media as indicated above.
“You don’t know what you don’t know” isn’t a good approach in healthcare and particularly in the event of a disaster. IG practices dictate the need for a comprehensive, documented information inventory.
3. Do you know how the physical PHI is protected? Consider the environmental conditions where physical records are located. Is shelving appropriately positioned off the floor and away from the ceiling? Are sprinklers in place? Is the space designed for record storage? Is it dry and resilient to weather and disasters?
Consider one central location that can ensure all forms of protection for physical records containing PHI, including proper shelving, fire protections, and appropriate access.
While IG practices don’t prescribe how you store your records, there are requirements around protecting your information to ensure that PHI is available and appropriately accessed for patient care.
4. Do you have a downtime plan?
Where are downtime forms and are they accessible?
Are your downtime plan and procedure accessible in the event of a disaster?
5. How does your organization handle the backup of PHI?
Are backups onsite or offsite in a geographically dispersed area?
Do you have PHI stored in the cloud?
Can PHI be quickly accessed and restored?
IG practices provide the guardrails around how all types of information should be managed. PHI is a very important subset of your organization’s information and ensuring that it is available in the event of any type of disaster is critical to your mission of quality patient care.
It’s not so much “if” but “when” your organization will be affected by a natural or human-induced disaster. Are you ready? Now, “let’s get physical!”