Hospitals are doing a fairly good job at protecting their electronic health record data as required by the HIPAA security rule, according to a new report from the Department of Health and Human Services’ Office of Inspector General (OIG).
The OIG sent a questionnaire to a sample of 400 hospitals that had received Medicare incentive payments for using a certified EHR pursuant to the Meaningful Use program as of September 2014. It also conducted site visits at six hospitals.
The survey found that 95 percent of the hospitals had a written EHR contingency plan, and more than two-thirds (68 percent) reported that their plan addressed the four HIPAA requirements that the OIG reviewed: having a data backup plan; having a disaster recovery plan; having an emergency mode operations plan; and having testing and revision procedures.
Most of the hospitals were also implementing practices recommended by the National Institute of Standards and Technology and the Office of the National Coordinator for Health IT, such as maintaining backup copies of their EHR data off site, supplying paper medical record forms when the EHR was unavailable, and training and testing staff on the contingency plan.
More than half (59 percent) of the hospitals reported an unplanned EHR disruption in 2014, the year before the questionnaire was sent. Of those, 24 percent experienced a delay in patient care as a result.
The report pointed out that the HHS Office for Civil Rights views HIPAA compliance “broadly” and doesn’t target EHRs when reviewing contingency plans. The OIG noted that it has recommended that OCR fully implement its permanent HIPAA audit program, and that recent cybersecurity events “underscore the importance” of this recommendation.
“Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans,” OIG said. “Since we administered this review’s hospital questionnaire in 2015, awareness of cybersecurity threats to health information technology has grown. Stakeholders in government, healthcare, and information technology sectors have raised concerns about vulnerabilities in networked medical devices that may put hospital networks and EHR systems at risk. ... Disruptions to EHRs from these and other threats can present significant safety risks to patients. Contingency plans are crucial because they are designed to minimize the occurrence and effects of such disruptions.”
To learn more:
- here’s the report