The most recent HIPAA Final Rule which was released on March 26th, 2013 pays particular attention to the Security of (electronic patient health information) ePHI as well as specific requirements around Contingency Planning. If you’re like most healthcare customers, you’re currently facing multiple challenges with assuring compliance to this new ruling.

Hospitals are quickly learning that transforming IT and clinical operations in order to attest as a Meaningful Use Certified organization is not an easy task.

Attestation for either Stage 1 or Stage 2 Meaningful Use, states all organizations must have completed a thorough and detailed Security Risk Analysis as defined in CFR 164.308 of the HIPAA Final Rule (Core Item 7 of 16).  The Final Rule stipulates all US Healthcare organizations have 180 days from the March 26th release of the Final Rule.  In order to comply with Item 7, a Security Risk Analysis must be performed on a regular basis and adequate safeguards and controls must be implemented to best protect electronic health information.  Breaches of ePHI (lost/stolen data, improper disclosure, hacking) can prove costly and may result in civil monetary penalties, incident response costs, legal fees, reparations, and reputational harm.

According to the Final Rule:

• Data Backup Plan (Required as part of CFR  45 §164.308 (7)(ii)(a)). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (7-A of section 164.308)
• Disaster Recovery Plan (Required as part of CFR  45 §164.308 (7)(ii)(b)). Establish (and implement as needed) procedures to restore any loss of data
• Emergency Mode Operation Plan (Required as part of CFR  45 §164.308 (7)(ii)(c)). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode

Summit Healthcare’s Downtime Reporting Solution (DRS) proves to be a valuable tool and is a crucial piece of a hospitals disaster recovery plan.  Furthermore it can assist in satisfying the HIPAA Final Rule as it pertains to data protection and availability.  DRS provides hospitals with the confidence and certainty they need to maintain access to critical patient information in the event of a system downtime or network failure.  Do you have a plan in place to meet the September deadline?