Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans
WHY WE DID THIS STUDY
Disruptions, such as natural disasters or technical malfunctions, can make electronic health records (EHRs) unavailable to hospital staff. Prior OIG work found, for example, that hospitals experienced substantial challenges responding to the effects of Superstorm Sandy, which included damage to health information systems and curtailed access to patient medical records. More recently, cyberattacks on hospitals have similarly prevented or limited access to EHRs. The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires all covered entities to have a contingency plan for responding to disruptions to electronic health information systems. Contingency plans specify processes to recover EHR systems and access backup copies of EHR data in the event of a disruption. This evaluation provides information about the status of hospitals' contingency plans in light of evolving threats to their electronic health information systems.
HOW WE DID THIS STUDY
We sent a questionnaire to a projectable sample of 400 hospitals that received Medicare incentive payments for using a certified EHR system as of September 2014. We asked hospitals about their EHR contingency plans in relation to the following: HIPAA requirements, the practices for contingency planning recommended by two Federal agencies, and hospitals' experiences with EHR disruptions. To gain a deeper knowledge of hospital EHR contingency plans and experiences, we also conducted site visits at six hospitals, where we interviewed hospital staff and reviewed EHR contingency plans and related documents.
WHAT WE FOUND
Almost all hospitals reported having written EHR contingency plans, and about two-thirds reported that their contingency plans addressed the four HIPAA requirements we reviewed, i.e., having a data backup plan, having a disaster recovery plan, having an emergency-mode operations plan, and having testing and revision procedures. Most hospitals also reported implementing recommended practices, such as maintaining backup copies of EHR data offsite, supplying paper medical record forms for use when the EHR is unavailable, and training and testing staff on contingency plans. Over half of hospitals reported an unplanned EHR disruption, and about a quarter of those experienced delays in patient care as a result. Finally, we found that OCR considers HIPAA compliance broadly and does not target EHRs when reviewing a covered entity's contingency plans.
WHAT WE CONCLUDE
Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans. This review and cyberattacks that have occurred since 2014 underscore our previous recommendation that OCR fully implement a permanent audit program for compliance with HIPAA.