Everything going on today with hurricanes and such makes it a great time to talk about disaster recovery planning. We mention it all the time, but this episode is going to be just about what DR/BC means and what you can do to be prepared in advance. So, this episode covers disaster recovery planning under HIPAA, but any business can learn from our discussion!

HIPAA For MSPs by David Sims Disaster Recovery Planning Under HIPAA

What is DR/BC Planning?

  • DR – how can we recover our operating assets and positions after a disaster of any kind?
  • BC – how do we keep our business running while we recover?

I have a backup so I am ok, right?


Who should do it?

  • All businesses – micro to enterprise
  • Family planning is a good idea too

Is this another big expense?

  • Plans can cost very little money or be very expensive
  • Resources are available all over the place
    • companies who help you do it or do it for you
    • free templates and instructions – Ready.gov/business
      • Plan to stay in business

What is involved in building and maintaining DR/BC plans?

  • Write it down.
  • Think of the unthinkable and work from that point backwards.
  • Discuss it with everyone – you never know who might think of something or have a very helpful idea
  • Test and review it if you don’t use it
  • Review it and update it after tests and especially after you had to use it

General elements of Disaster Recovery Planning

  • Recovery priorities

    • Protecting all of your assets during and after the disaster plus throughout the BC time periods
    • Seeing patients
    • Access to EHR
    • Billing for the work being done during the disaster – are you going to have no income during that time?
    • Helping your clients see patients and access EHR
    • Setting up alternate sites
    • Rebuilding or repairing damaged facilities
  • Plan objectives

    • Minimize the impact to your patients, employees, clients, and your business
    • Minimum requirements for all planning – HIPAA, etc.
    • Disaster preparation strategy
    • Response strategy
    • Time frames for recovery of each area
    • Maintaining business viability
  • Communication

    • Written plan accessible to everyone before, during, and after the disaster
    • How will you advise all parties, from the alert and implementation throughout the process?
    • Who manages “command central” with all information?
    • Decisions made need immediate access to team and resources
    • If everyone is evacuated, how do you communicate with each other?
    • Call tree, password protected page on your website, etc.
  • Decision process or list

    • Everyone is stressed. What do you want to be sure you think about all along the way?
  • Roles for teams

    • Who makes the decisions in different areas?
      • Execs and money folks down to people on the front lines
      • What is the “org chart” in case of injuries or worse to members of the team? Who will step up?
    • Who will do damage analysis and evaluate where you are and what needs to be done?
      • They will need to be the first on the scene, so make sure they know how to make that happen
    • Who will communicate with the media, public, patients, etc.?
    • Use your priorities and objectives and make someone in charge of knowing the details of those elements
    • Someone to deal with the money – it isn’t like you will just get a check
    • Someone assigned specifically to IT
      • An IT plan with details should be built separately
      • Where are the backups?
      • Where can we co-locate?
      • Do you have a hot site or a plan to set up an alternate site?
  • Preparation checklists

    • Flashlights
    • Batteries
    • Charge EVERYTHING
    • Generators
    • Food and water supplies
    • First aid supplies
    • A “go bag” for each employee or each team
    • Furniture, supplies, and equipment needed for temp site AND a rebuild
    • Software that needs to be up and running in what order
  • Other plan elements

    • Confirm contact names and numbers for FEMA, insurance provider, local medical and law enforcement hotlines as well as all employees
    • Critical business vendors and contractors that you plan to rely on need to know that you are counting on them – maybe they aren’t planning to do that for you
      • Review with staff during regular training and meetings from time to time
      • Desktop review with your team
    • Time frames
      • What needs to happen in the first 8 hours, next 8 hours, etc.
      • Plan for being affected for 1 day, 5 days, 2 weeks, months, etc.
    • Alternate site details and equipment plans
      • Power
      • Internet
      • Communications