FAQ: Disaster recovery planning for health care data

Disaster recovery planning takes on special importance in health care organizations dealing with patients and care delivery. Here are the steps for considering a DRP.

As the health care industry moves toward the adoption of electronic health records (EHRs), the need for solid disaster recovery planning (DRP) becomes more important. This tutorial explains why DRP is especially important for health care data, and provides information for health care CIOs looking to establish or solidify a disaster recovery plan.

Why is disaster recovery planning important in health care?

Due to the nature of their business, health care organizations -- especially hospitals -- must maintain a high degree of system and network availability. Patients' lives may depend on systems being up and running, and patients' health could be jeopardized by lack of access to health care data in the event of system downtime.

Hospitals devastated by tornadoes in Joplin, MO learned that disaster recovery planning must consider the impact to clinical workflows, especially in the event of a patient surge. As physicians and clinicians become more reliant on clinical applications to deliver patient care, the importance of disaster preparedness and infrastructure resiliency in health care become apparent.

Unfortunately, when establishing IT budgets, many health care organizations overlook the importance of developing an effective disaster recovery plan. It's important for health care CIOs to make the business case and receive a budget for disaster recovery planning.

What are the first steps for disaster recovery planning in health care?

The first step in disaster recovery planning is to conduct a business impact analysis (BIA). This involves identifying all of your systems and applications, and then determining their impact to the business if they went down. In the case of a health care organization, this includes determining the impact to patients and care delivery.

The next step is to identify possible points of failure and develop a plan to address those vulnerabilities. This plan may include establishing a remote data center or working with EHR vendors to determine service level agreements in the event of a disaster or system failure.

It's also a good idea to examine the different data replication strategies available and determine which ones best suit your health care organization.

What are the HIPAA requirements for disaster recovery planning?

A HIPAA covered entity must have a contingency plan in place to ensure continued access to electronic protected health information (ePHI) in the event of a system failure. HIPAA disaster recovery requirements also include the need for an ePHI data backup plan, along with disaster recovery and emergency mode operation plans.

Organizations developing a HIPAA disaster recovery plan must also explain how sensitive health care data will be moved without violating HIPAA privacy and security requirements.

How does virtualization impact disaster recovery planning?

Some organizations are turning to virtualized disaster recovery to restore access to health care data in the event of system downtime. While there are many benefits to using virtualized disaster recovery, it is still crucial for health care organizations to maintain HIPAA compliance.

In a virtual setting, disaster recovery planning should also include procedures for restoring backups to virtual hardware and must specify the conditions for use of virtual machines.

Let us know what you think about the FAQ; email Anne Steciw, Site Editor or contact @SearchHealthIT on Twitter.

Next Steps

One health system trusts its longstanding DR system

Dig Deeper on Electronic health care systems, data centers and servers