OIG: Only 68% of hospitals have HIPAA-compliant EHR contingency plans

Analysis identifies critical shortcomings in strategies to recover from IT failures, cyber attacks.

Ninety-five percent of hospitals have written electronic health record contingency plans, but only about two-thirds have plans that meet four HIPAA requirements, according to a survey conducted by the Department of Health and Human Services’ Office of the Inspector General.

The HIPAA Security Rule requires that all covered entities have a contingency plan for responding to disruptions to EHR systems. The rule specifies processes to recover EHRs and access backup copies of data in the event of a disruption as a result of software or hardware infrastructure failures, as well as power outages and natural disasters. HIPAA requirements include having a data backup plan, disaster recovery plan, an emergency-mode operations plan, and testing and revision procedures.

While OIG found that most hospitals are implementing recommended best practices—such as maintaining backup copies of EHR data offsite, supplying paper medical record forms for use when the EHR is unavailable, and training and testing staff on contingency plans—auditors noted that the Office for Civil Rights “considers HIPAA compliance broadly and does not target EHRs when reviewing a covered entity’s contingency plans.”

In fact, OIG revealed that “HIPAA requirements do not prescribe how covered entities should develop or use contingency plans.”

Auditors sent a questionnaire to 400 hospitals asking them about their EHR contingency plans in relation to HIPAA requirements, the practices for contingency planning recommended by two federal agencies, and their experiences with EHR disruptions that curtailed access to patient records.

When it comes to the latter, more than half of hospitals indicated that they experienced an unplanned EHR disruption, and about a quarter of those experienced delays in patient care as a result. Hospitals reported that hardware malfunctions accounted for the largest percentage of EHR disruptions, followed by Internet connectivity problems.

During Hurricane Sandy in 2012, for example, some hospitals in the New York City area were unable to access their EHR systems because of power outages that affected data centers or other buildings in which patient data were stored. Last year, the EHR system at Boston Children's Hospital experienced an outage for five days caused by a hardware issue related to storage, which forced the hospital to use paper and caused personnel to manually order diagnostic tests and medications as well as track test and treatment results.

In addition, cyberattacks have similarly prevented or limited access by hospitals to EHRs. In 2014, for instance, Boston Children’s Hospital suffered a distributed denial of service attack.

“Though no data were lost and no patient harm occurred, some of the hospital’s systems lost Internet-based functionality,” states the OIG report. “The hospital relied on its contingency planning and workarounds to continue operating.”

Auditors concluded that “persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans” and that “cyber attacks that have occurred since 2014 underscore our previous recommendations that OCR fully implement a permanent audit program for compliance with HIPAA.”

As OIG pointed out in its report, in January 2016 a hospital in California reported that it suffered a ransomware attack that disabled its network and EHR system for about a week, leading to delayed patient care and the need to divert patients to other facilities. And, in March 2016, MedStar Health reported a suspected ransomware attack that forced it to take computer systems offline throughout its entire system, which includes 10 hospitals.

More for you

Loading data for hdm_tax_topic #reducing-cost...