The Department of Health and Human Services’ Office of Inspector General has conducted a survey to investigate whether HIPAA standards for EHR contingency planning were being met by U.S. hospitals. 400 hospitals were asked questions about EHR contingency planning and whether their plans had been put into practice.
While a majority of hospitals had developed EHR contingency plans and had largely complied with HIPAA regulations, only 68% of hospitals surveyed had met all four of the requirements that were assessed by OIG.
HIPAA Standards for EHR Contingency Planning
The Health Insurance Portability and Accountability Act requires all healthcare organizations that use electronic medical record systems to develop plans that can be put in place during emergencies to ensure that the ePHI of patients can be accessed.
HIPAA standards for EHR contingency planning cover five areas: Data backups, disaster recovery plans, emergency operations planning, testing and revising of contingency plans, and applications and criticality assessments. In the survey OIG assessed organizations on the first four of these areas. However, 32% had failed to comply with at least one of the requirements of the HIPAA Security Rule that was assessed.
Only 83% of hospitals had a data backup plan and 73% had testing and revision procedures, although 95% of organizations reported having a disaster recovery plan and the same percentage had an emergency mode operations plan.
Most hospitals had implemented recommended best practices to ensure operations could continue in emergencies. Regular data backups were being performed and those backups were being stored offsite or in the cloud. Paper medical record forms were made available to physicians when the EHR system could not be accessed, and the hospitals performed regular staff testing on contingency plans.
OIG pointed out that while the Office for Civil Rights has been assessing compliance as part of the agency’s investigations into HIPAA complaints, EHRs were not targeted when reviewing a covered entity’s contingency plans and HIPAA compliance was only broadly considered. Until OIG conducted the survey it was therefore unclear whether hospitals were complying with HIPAA regulations covering EHR contingency planning.
Clear Need for EHR Contingency Planning
Organizations were asked questions about recent EHR outages and unplanned EHR disruption. Over half of hospitals reported having experienced an unplanned disruption in the past, and in a quarter of those cases those disruptions had resulted in delays to the provision of patient care. Oftentimes, the disruptions to EHRs lasted a considerable amount of time. Delays of more than 8 hours were not uncommon.
The most common reason for disruptions was hardware failures, which caused 59% of unplanned EHR disruptions. Internet connectivity problems were another major cause of unplanned disruptions for 44% of organizations. Power failures caused 33%, while natural disasters accounted for 4% and hacking incidents just 1%.
The survey was conducted in 2014, although the results of the study have only recently been published. The survey has particular relevance given the increase in ransomware attacks on U.S. hospitals. A number of hospitals have experienced ransomware attacks this year that have resulted in their EHR systems being taken offline. In January, Hollywood Presbyterian Hospital in California experienced EHR downtime of more than a week as a result of a ransomware attack.
The report concluded that “persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans.” OIG also recommended that the Office for Civil Rights proceed with a permanent audit program to ensure more comprehensive oversight of HIPAA regulations and to make sure that HIPAA standards for EHR contingency planning are met.