While about a third of U.S. hospitals reported to the Office of the Inspector General of the Department of Health and Human Services that they don’t have HIPAA-compliant EHR disaster recovery plans, most hospitals told OIG they have comprehensive plans to recover patient data after a disaster.
The OIG hospital disaster recovery survey, results of which were released July 22, came after widespread disruptions to hospital patient records when Hurricane Sandy hit the East Coast in 2012, and amid rapidly escalating cybersecurity threats to health data.
According to a release, OIG sent questionnaires to a sample group of 400 hospitals that receive meaningful use Medicare incentive funds asking about their EHR contingency plans, including:
- How they comply with HIPAA rules requiring all HIPAA-covered entities to have a contingency plan for disruptions to EHR systems, including maintaining a data backup plan, a disaster recovery plan and an emergency mode operations plan, and having testing and revision procedures
- How they follow practices for emergency contingency planning recommended by the Office of the National Coordinator for Health IT (ONC) and the National Institute of Standards and Technology (NIST)
- Their experience with EHR disruptions.
OIG staff also made site visits to six hospitals, where they reviewed EHR contingency plans and related documents.
Nearly all the hospitals reported having written EHR contingency plans and about two-thirds said they met the four HIPAA requirements OIG reviewed.
Most of the hospitals also said they followed ONC and NIST recommendations such as maintaining off-site backups of EHR data, supplying paper backups when electronic records are unavailable, and training staff on contingency plans.
More than half of the respondents said they had experienced an EHR disruption, and a quarter of those said they had delays in patient care as a result.
OIG also found that HHS’s Office for Civil Rights (OCR), which enforces HIPAA, does not specifically focus on EHRs when assessing HIPAA compliance for disaster recovery.
“Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans,” OIG concluded in the release. “This review and the cyberattacks that have occurred since 2014 underscore our previous recommendations that OCR fully implement a permanent audit program for compliance with HIPAA.”
OCR is now engaged in a second round of audits of selected healthcare organizations and their business associates.
Many observers expect these audits to be followed by a permanent audit program funded by the revenue from fines levied on healthcare organizations found to have violated HIPAA.