[ Friday, August 03, 2012 ]
Computer Outage takes EMRs off-line:
A huge computer network outage earlier this week took the electronic medical records of dozens of hospitals "off-line" for 5 hours. What happens in a hospital when you can't access medical records for 5 hours?
HIPAA requires covered entities to have administrative, physical and technical safeguards in place to protect the confidentiality, integrity, and availability of the PHI they keep in electronic format. Every BAA should impose that specific requirement on the business associate (I use the mnemonic "APT-CIA" to remember the requirement when I'm reviewing a BAA). Everyone always thinks of the "C": that's what the vast majority of HIPAA compliance is all about. The "I" ("integrity" means that the data can't be easily corrupted or changed) generally takes care of itself when you take steps to protect confidentiality, like audit trails. But what about availability?
The issue with availability came into stark relief when the tornado hit Joplin, Missouri last year. While the hospital was devastated and paper medical records were found miles away, the hospital's electronic medical record system was backed up offsite, and the backup was brought online almost immediately. Many hospitals (especially those in tornado-prone areas in the middle of the country) began investigating their EMR backup and recovery capabilities in the event of a natural disaster like a fire, flood or tornado. But what if the problem isn't with nature, but with your computer system?
This is another learning opportunity, and hospitals and physician practices with EMRs should take a close look at how they operate and what would happen to their PHI's "availability" in a computer outage.
Jeff [8:47 AM]