Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Recent ransomware attacks and the Phase II Office for Civil Rights Audits underscore the importance of adequate policies and procedures.
Whether your practice is one of the covered entities lucky enough to be participating in the Department of Health and Human Services's Phase II Office for Civil Rights audits, or have suffered a ransomware attack, or an EHR failure, a disaster recovery plan always needs to be put in place along with a data back-up plan and contingency plan.
Pursuant to 45 CFR §§ 164.308(7), et seq. (Administrative Safeguards), , all of these plans are "required." The ultimate purpose behind these policies is to have a plan to prevent, detect, contain, and correct security violations. Yet, as I see on a regular basis, many plans in place are inadequate.
First, let's start with exactly what the law requires in relation to the three aforementioned plans:
1. (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
2. (7)(ii)(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
3. (7)(ii) (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
Second, let's develop an approach to developing a framework for each plan. Here are some elements that need to be addressed: scope; purpose; a general policy that ties into the entity's mission and relevant area of the legal requirement (e.g., 45 CFR § 164.308); as well as referencing the relevant procedure(s); specific plan of action for different scenarios in relation to prevention, detection, and correction of the security violation; and roles of individuals and departments.
Third, let's put this into action. Say your organization has experienced a ransomware attack. First, as a preventative measure, did you encrypt the data at rest and in transit? Second, do you have adequate screening and oversight processes in place to detect an intrusion? Third, are your policies and procedures adequate, so that you know what role people play? Finally, as part of your plan, once an attack occurs, what are you going to do to correct it while keeping patient care safe?
Physicians, regardless of the size of their practice, should take steps now to ensure compliance with HIPAA and the HITECH Act, as well as other applicable laws. The take-away is that not having the appropriate proactive and reactive measures in place can be costly from a financial, legal and reputational standpoint.