Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans

According to a recent report issued by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have HIPAA-compliant EHR contingency plans in place, although most are “largely addressing” HIPAA requirements for EHRs.

In September 2014, OIG sent a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to determine whether HIPAA-compliant EHR contingency plans had been developed and implemented. Respondents were also asked about the extent to which EHR systems had been disrupted in the past. In addition to the survey, six hospitals were also selected for in-depth investigations involving site visits, interviews with hospital staff, documentation checks, and reviews of EHR contingency plans.

The purpose of the study was to assess the state of hospitals’ EHR contingency planning and to determine whether patient health information could still be accessed during natural disasters and other situations where EHR system downtime occurs. In light of the recent ransomware attacks on hospitals in recent months, the results of the survey are particularly relevant.   

HIPAA-Compliant EHR Contingency Plans

The Security Rule of the Health Insurance Portability and Accountability Act requires covered entities to establish safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

All hospitals (and other HIPAA-covered entities) are required to have a contingency plan in place for responding to disruptions to electronic health record systems, whether they are cyberattacks, natural disasters, power outages, hardware malfunctions, or Internet connectivity problems.

The HIPAA Security Rule specifies five separate areas that must be addressed in policies and procedures. A data backup plan must exist to ensure that PHI can be recovered in the event of disaster. A disaster recovery plan must be developed to ensure that PHI can be recovered. Covered entities are required to have an emergency mode operations plan which can be put in place to ensure that critical business processes can continue in emergencies. Testing and revising of contingency plans must also be addressed, and an applications and criticality assessment should be conducted. Fully HIPAA-compliant EHR contingency plans must address all five areas.

Both the Office of the National Coordinator for Health Information Technology (ONC) and the National Institute for Standards and Technology (NIST) have released guidance on contingency planning for information systems to assist covered entities.

OIG assessed hospitals on four out of the five areas detailed in the HIPAA regulations and found that the majority of hospitals had addressed three out of the four HIPAA requirements. Most had a data backup plan and were able to recover data in the event of an emergency. Most had a disaster recovery plan and also an emergency mode operations plan. However, only 73% of hospitals had addressed testing and revision in their EHR contingency plans. According to the OIG report, just 68% of hospitals had addressed all four requirements of HIPAA. Therefore, almost a third of hospitals did not have fully HIPAA-compliant EHR contingency plans.

Hospitals with Written EHR Contingency Plans

HIPAA Requirement Percentage of Hospitals
Data backup plan 83%
Disaster recovery plan 95%
Emergency mode operations plan 95%
Testing and revision procedures 73%

EHR Outages Experienced by 60% of Hospitals

EHR outages can have a negative impact on the provision of patient care. The report indicates that 60% of hospitals have experienced at least one EHR outage. Some of those have been serious enough to require patients to be re-routed. 15% of hospitals reported having to resort to this on at least one occasion, while 24% of hospitals said that EHR outages had delayed patient care. In some cases, outages can last for considerable periods of time. A fifth of hospitals said that outages had lasted for more than 8 hours.

The main cause of EHR outages were hardware malfunctions or failures (59%), Internet connectivity problems (44%), power failures (33%), natural disasters (4%), and hacking incidents (1%). The frequency of EHR outages highlight the importance of having HIPAA-compliant EHR contingency plans in place.

So far this year, a number of healthcare organizations have experienced ransomware infections that have forced them to shut down computer systems including their EHRs. In January, Hollywood Presbyterian Medical Center experienced a ransomware attack that resulted in its EHR system being taken out of action for more than a week. With ransomware attacks on hospitals increasing, and hackers increasingly targeting hospitals, HIPAA-compliant EHR contingency plans are essential.

Typically, OCR does not conduct audits or investigations that assess whether HIPAA-compliant EHR contingency plans exist, unless they specifically relate to a particular complaint or data breach investigation. Consequently, until OIG conducted its survey it was not clear whether hospitals were complying with this aspect of HIPAA Rules.

The report points out just how important it is for HIPAA-compliant EHR contingency plans to be developed. “Disruptions to EHRs from these [cyberattacks] and other threats can present significant safety risks to patients. Contingency plans are crucial because they are designed to minimize the occurrence and effects of such disruptions.”

According to the report, “OIG previously recommended that OCR fully implement a permanent audit program to assess compliance with HIPAA requirements;” however, the permanent audit program still appears to be some way off. OIG says, “Recent events underscore the importance of this recommendation.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.