With 59 percent of hospitals experiencing EHR downtime in the past year, the importance of EHR contingency plans comes to the forefront. In a recent report from the Office of the Inspector General, experts explain the need for EHR contingency plans, and highlight contingency plan trends throughout the healthcare industry.
According to OIG, hospitals are required to have EHR contingency plans under HIPAA protocol as a means to mitigate any unavoidable EHR downtime. In an OIG survey, 95 percent of hospitals reported that they have an EHR contingency plan in place.
A majority of the remaining five percent explained that they were developing their contingency plans at the time of the survey because they had only recently implemented their EHRs.
Most of the EHR contingency plans included four components: data backup plans, disaster recovery plans, emergency-mode operations plans, and test and revision procedures.
Data backup plans included having separate copies of patient health data in different locations or stored in paper copies. Typically, hospitals back up data once per day in an effort to help providers continue patient care with minimal gaps in data.
Hospitals reported several strategies, including separate technology systems that backed up data every four hours or read-only copies of all EHR data. Further, OIG suggested data backup plans, including storing data in an off-site location and visually differentiating backup copies of EHR data from originals to signal EHR downtime to providers.
For disaster recovery efforts, most hospitals either have a separate EHR in a different location which can be activated during a downtime, or have additional internet connections. However, only about 25 percent of hospitals reported testing their alternate systems at regular intervals.
Other OIG-suggested methods for disaster recovery include replacement strategies, locating alternate EHR sites 50 miles from the original site, and testing alternate sites at least quarterly.
Many surveyed hospitals also reported emergency-mode operations, used in cases ranging from natural disaster to technological disruption. More recently, these operations also help support hospitals experiencing ransomware or cybersecurity attacks.
A majority of surveyed hospitals reported alternative power generators, with nearly three quarters of hospitals having enough fuel to power these generators for at least two days.
Many hospitals also reported a reliance on paper forms during these periods. Although these methods reportedly slow the efficiency of providers, they offer a solution for documenting patient visits during the EHR downtime.
A final component of EHR contingency plans includes testing procedures to ensure that backup protocols will work during a genuine emergency. Eighty-eight percent of surveyed hospitals reported testing their plans within the past two years, while 45 percent reported having regular drills to train hospital employees in EHR contingency plans.
Some hospitals do not perform practice drills because they are concerned that efficiency and care performance may suffer in the process.
As noted above, nearly 60 percent of hospitals have experienced EHR downtime within the past year. Fifty-nine percent of that downtime is the result of hardware malfunctions, with other issues being the result of internet connections, power failures, natural disasters, and hacking incidents.
According to OIG, EHR contingency plans are critical to maintaining hospital efficiency and patient safety. During major natural disasters, EHR systems are at risk of malfunctioning or going offline, barring providers from accessing vital patient data. These plans help providers mitigate these issues, giving them a method by which they can view some patient data and continue to administer quality patient care.
As healthcare organizations and hospitals continue to face the threat of ransomware, as well as other potential issues that could afflict technology systems, it is important that they clearly define their EHR contingency plans.
“Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans,” OIG concluded in its report. “This review and cyberattacks that have occurred since 2014 underscore our previous recommendation that OCR fully implement a permanent audit program for compliance with HIPAA.”