For the last 5 years, I have been out there doing all types of HIPAA security assessments. What I see the most is a lack of disaster recovery plans in medical practices. For some reason, this gets left out. The practice itself is mostly concerned with the workstations, laptops, and patient privacy. Disaster recovery is one of those things that most practices put on the back burner. But why? One of the reasons is a lack of understanding of what exactly disaster recovery is and how to go about planning it. Basically, they don’t know where to begin.
Data Backup and Disaster Recovery
If you think your data backup is the same as disaster recovery, you are not alone. Most practices I talk to confuse data backups with disaster recovery and business continuity. This is a disastrous mistake, and unfortunately it is realized when the data is lost and the practice is paying a hefty price.
What is a Disaster?
Not having access to your patient records could be considered a disaster. There are many reasons this could occur: a flood, hurricane, tornado, fire and more. Think about what you would do if a tornado completely demolished your building. What would you do to restore your data, and continue seeing patients? Plan your disaster recovery and business continuity before this happens. Of course, not all disasters are of tornado proportions. They could be smaller things like a virus, malfunction, hard drive crash, or server theft. Still, they give you the same result. You cannot access your patient data, and you may or may not be able to see patients. What would you do right now if a virus wiped away all your data? You would restore from backup. That you have planned. But what if that backup is not good, or someone steals your server? What would you do? Let’s think about it now, and not after it happens.
What are the Differences?
Just to be clear, there are differences between data backup, business continuity and disaster recovery.
Data backup – This simply means that a copy of your data is replicated to a tape, hard drive, or off-site location. The key to a good backup is to make sure there is a good path to recovery.
Business Continuity – This is the ability for your practice to continue to see patients, and operate as normally as possible. For example, if your medical practice burned down, and all your charts burned, you would be out of business. At least for a while. Let’s say you had a backup in the cloud, or a hosted EMR. Your business continuity plan would be to maybe call a colleague, see if you could see patients in their office, and call all your patients from home to reschedule. Keep in mind the idea here is to continue doing business.
Disaster Recovery – This is the ability of your practice to “recover” after a disaster. It is the capacity to recover files, software and any other business functionality on a timely basis. Let’s face it. Does any practice want to lose their billing, or their accounts receivable?
Part of the HIPAA requirements is that medical practices have disaster recovery plans. If you do not have one, don’t wait until you need one. Tier3MD can provide you with a free template for your disaster recovery and business continuity. You can obtain your free copy by calling 1-855-698-4373.