Preparing Your Medical Practice for Unexpected Emergencies

February 4, 2014

Here's how to prepare for three of the worst unexpected emergencies: natural disasters, theft, and active-shooter incidents.

Hurricane Irene, which swept through most of the mid-Atlantic in August 2011, didn't have any major impact on family medicine physician Joseph Scalia's six-physician practice, Raritan Family Healthcare, in Raritan, N.J. But it did affect patients.

Hurricane Irene caused several of his patients to lose power - and that sounded a bit of an alarm that Scalia's practice would need to be even more prepared should another hurricane come to town.

And sure enough, the next year's hurricane, Sandy, which arrived in late October 2012, proved far more devastating.

"Knowing how difficult it would be for patients, before Sandy [touched down] we proactively reached out to patients … knowing we might be out of power for a week or they might be out of power or out of commission for a week," says Scalia.

As most business owners know, unexpected emergencies can strike anytime and take many forms, from the untimely death of a physician partner to a major malpractice lawsuit.

But many practices are woefully unprepared or underprepared for some of them, like theft, being held up at gunpoint, or having your premises and data destroyed in the wake of a weather-related incident. The good news is you don't have to experience an unexpected emergency in order to prepare for one.

Here, we take a closer look at the less-likely, but potentially more devastating, unexpected emergencies that could wreck your practice, and how to prepare for them - just in case.

Natural disaster safeguards

Natural disasters can sweep through a coastline with just a few days' warning, like Hurricane Sandy, or just a few minutes' warning, like an earthquake. Regardless, what you do beforehand to prepare for them can make all the difference in your practice's staying afloat.

One thing that made a big difference for Scalia, whose practice was out of power for an entire week, was having a patient portal for mass communications.

"After Irene, we realized there has to be some way we can appropriately mass communicate with patients," says Scalia. "What happens through using e-mail is you'll start getting patient e-mails back with information [such as] 'I have, X, Y, Z, problem.' How do I know someone who isn't computer savvy isn't going to hit 'reply all' and send their information to 12,000 patients? The Cerner patient portal was key, because with the use of Wi-Fi, or just 3G networks, [patients] are able to directly communicate to a physician during the time of emergency."

The portal also allowed for easy electronic prescribing, where pharmacies were able to send patient information securely.

Just as important as preparing a secure mass-communications system is having backups in place for everything that could occur.

Like a lot of practices in his area, Scalia secured a backup generator (for $14,000) in Hurricane Irene's wake. And he also secured a backup T1 line (which costs about $180 per month) so that Internet would always be up and running. Because of all his preparation, Scalia's practice was ready for business within a few days after Hurricane Sandy made landfall.

Another thing that made a difference for Raritan Family Healthcare: Having a cloud-based EHR for the last five years, also from Cerner. This not only made data more accessible but routinely backed it up.

"When I just started practicing in 1999, there was a hurricane called Floyd, and there was a town near us that was completely flooded," says Scalia. "That was well prior to widespread EHR use. People's medical records washed away. That sent a strong message to me then. We're responsible for someone's entire medical records. I don't want that responsibility for medical records in someone's building."

In addition to a secure mass-communications system, a backup power supply, and a way to protect data, experts recommend having a good data-backup system in place, like Scalia's.

"The biggest threats to data are power outages and voltage spikes, equipment failure, and having the software or a user accidentally damage or corrupt the live data," says healthcare IT consultant Marion Jenkins, executive vice president of healthcare for 3t Systems. "You need to have a backup in case the primary data gets lost or damaged. This is good business practice and also a HIPAA Security Rule requirement."

Your practice should also have a written plan detailing how you will physically secure your structure in the event of an emergency, remotely access records, and communicate with patients and staff. You should also make sure your insurance policies that cover equipment and loss of income are adequate and up to date, suggests Ike Devji, a Phoenix-based asset-protection attorney.

Scalia's written disaster plan for his practice details what to do in the event of another Hurricane Sandy, including how to access information offsite.

"Even small practices need to have a disaster plan in place … [a] stepwise approach for what to do in the event of a power failure," says Scalia.

See "Crafting a Written Emergency Disaster Plan" for more on crafting great policies.

Theft-proofing your practice

Like natural disasters, theft is a threat to all businesses. But medical practices have a particular reason to be concerned, as theft of protected health information (PHI) is on the rise. And the penalties for data breach are pretty steep under the HIPAA Security Rule, up to $1.5 million for your practice (not to mention that HIPAA-covered entities and their business associates must provide notification to patients following a breach of unsecured PHI).

This means if a robber breaks into your practice and steals your laptops or physical patient records, not only do you have to deal with replacing the goods (the cost of which varies depending on your insurance policy), but you have to deal with an aftermath of post-data-breach cleanup.

For information on what to do if your practice experiences a data breach, see bit.ly/post-breach-MD.

"As individuals become more aware of the value of the medical record, that type of information can be valuable to somebody if they need care, so they might steal it from someone else," says Nicole K. Martin, a Flanders, N.J.-based healthcare regulatory and corporate attorney and founder of Martin Law, LLC.

Healthcare consultant Laurie Morgan of Capko & Morgan says there are a few things practices can do to protect themselves from theft:

1. Take inventory. Note the serial numbers on all devices that are practice property so they can be more easily tracked. And consider paring down the number of devices that are portable and contain PHI. "I actually think it's best for practices not to use those thumb drives at all," says Morgan. "They're too easy to lose; they're too easy to steal."

2. Boost tracking technology. "One thing you want to really look into is what kinds of audit trail or log report [technology] is available from your vendors so you can have a better idea of what's going on," says Morgan. "If one person's downloading a lot of data, you want to really be able to see that." Another suggestion: Look into remote-wipe systems to erase data from afar, for example, in the case of a stolen tablet or smartphone.

3. Conduct good background checks. Oftentimes, theft of cash, goods, and data is an inside job - which is why knowing as much as you can about your prospective employees can make all the difference in whether your practice becomes victim to theft. "Practices are liable for breaches," says Morgan. "When it comes to theft of records, a lot of times it's an inside person working with someone on the outside who sells the records."

4. Divide duties. One way to theft-proof your practice from ill-intentioned employees is to divide front-office duties. Doing this makes it harder for thieves to cover their tracks, says Morgan. "It's so the same people who are taking in payments from patients are not the ones reconciling payments at the end of the day."

5. Don't keep a lot of cash on hand. Cash is like catnip for ill-intentioned employees, as well as robbers who target vulnerable businesses. Therefore, it's important to make deposits on a daily basis, so money is off premises. Morgan recalls working with a practice that had thousands of dollars stolen from a safe (managers believe it was a collaborative effort between the practice's cleaning service and one or more staff members). If the risk of theft is especially stressful, Morgan suggests moving to a no-cash policy. "These days it's rare that a patient won't have either a check or credit card."

Surviving active shooter incidents

If a man walked through the front door of your practice and started firing his gun, what would you do?

If your answer is "run and hide" under a desk or a table, you're in the majority. But hiding should be just a last resort, if you have no other means to flee the premises.

"That is the most popular answer and that is absolutely wrong," says Raymond Osborne, a 20-year law enforcement veteran and director of security, parking, and patient transportation for the University of California San Diego Health System.

Osborne acknowledges that running off can present a dilemma for physicians and clinical staff. If, for example, you have a patient who is under your care and cannot fend for himself, you face a decision: Do you break a window and run out? Or do you stay put with the patient? If you decide the latter, barricading a door by putting an exam table or other heavy equipment in front of it to slow a shooter, and turning off the lights, may be your next best option. But freezing, hiding, and doing nothing presents the least likely survival scenario for you and/or a patient, says Osborne.

Fortunately, there are plenty of security-minded companies and experienced law enforcement workers to conduct active-shooter training drills (Osborne recommends doing an Internet search on "active shooter training" drills in your geographic area, and looking for a company or expert that has recommendations or good references). Security experts who run those drills teach physician practices and other businesses how to make quick decisions that will give them and their colleagues (or patients) the greatest chance of surviving a shooting or other violent incident.

"If something were to happen, or someone has a gun, most people never think about what they'd do, and it takes time to formulate those decisions," says Osborne. "So to go through a training, it can prompt you to think about those things, so when you're in those situations, you automatically start thinking."

Osborne says he frequently hears about gun-related incidents in medical practices and other healthcare facilities - and data seems to back him up. According to data from the Bureau of Labor Statistics, there were 69 homicides in health services from 1996 to 2000, leading the Occupational Safety and Health Administration to conclude that "healthcare and social service workers are at high risk of violent assault at work."

A stark reminder of the dangers physicians face in the workplace occurred in mid-December 2013, when three members of a Reno urology practice were shot, one fatally. The California man accused of the shooting reportedly struggled with medical ailments he attributed to physician error, according to published reports.

In addition to looking into active-shooter training for providers, Osborne recommends the following to prevent, or at least minimize, the likelihood of a violent incident that ends catastrophically:

• Boost on-premises security: "Physicians' practices, they have to be warm and inviting, but there's some physical barriers that people are used to, such as locked doors," says Osborne, who also recommends security cameras. In addition to giving you peace of mind, these additions "will illustrate your reasonable efforts to back up your liability insurance," Devji recently wrote in Practice Notes, Physicians Practice's blog.

• Pay attention to surroundings: Oftentimes, after a shooting incident, people say they saw red flags indicating that a person was behaving oddly - but chose to say nothing. Instead, they should be looking and listening to others. "Once you start to look at what's going on around you, especially at physician practices, you start to see what's going on - how that patient is interacting in the waiting room," says Osborne. "What are their conversations about? Is everything negative or are they just having a bad day? How well are people getting to really know the patient or look at them to see if their mannerisms are giving you any clues?"

• Keep doors locked between the exam and waiting room. In addition to actually investing in a door that locks, as well as security cameras and other low-cost measures, be sure staff is actually using these investments. "You'd be surprised how many of those doors are unlocked," says Osborne. "Training and locked doors go a long way."

In Summary

Unexpected emergencies can destroy practices. Here's what you can do to prepare:

• Have a secure, mass-communications system, such as a patient portal, in place.

• Conduct employee background checks and switch up duties to prevent theft.

• Make sure you have a good data-backup system in place.

• Installing cameras is an easy way to boost security and deter ill-intentioned intruders.

• Craft a written disaster plan that instructs staff on what to do during emergencies.

Marisa Torrieri is an associate editor at Physicians Practice. She can be reached at marisa.torrieri@ubm.com.