Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources] نسخه متنی

How many employees would fall within the scope of this endeavor (generally, this is the number of your employees working at above facility)?

This will give you an idea of the relative magnitude of the planning effort and the number of planners it will take. The number of employees listed should be compared to the healthcare organization's staff list.

Provide an organization chart with names and positions.

The Org Chart is a critical document. It will ensure you have included all parts of the healthcare organization in your plan. It will also give you a hierarchy for conflict resolution.

Beneath the Chief Executive level of the healthcare organizational chart is the 2nd level of executives. Other than the second level executives, identify key staff members who should be interviewed in order to obtain an understanding of this healthcare organization's process flows.

Here you identify the number of staff that you will be interviewing. Also, you are letting the business know that you wish to interview the senior management of the healthcare organization and those that have highly technical skills such as the IT and Communications experts.

Do Business Continuity Documents and Procedures currently exist (e.g. IPL procedures, evacuation procedures)? If yes, specify

If reasonable and appropriate, these should be included in the recovery plan.

Will this project require us to meet with vendors whom your healthcare organization relies upon for various business processes or resources? If so, how many?

This will determine any additional interviews that will be required.

Will this project require us to meet with major customers to determine their needs? If so, how many customers will we need to interview?

This will determine any additional interviews that will be required.

Are current Staff lists (which include an employee's home phone, address, and department) available?

This can be quite time consuming if you have to compile this list yourself. You will find that in most healthcare organizations, the staff contact list is at least 40% inaccurate. If possible, have Human Resources verify the list's integrity before they give it to you. Also, try to get the data in a format that is compatible with your plan software.

Is a current Vendor list which includes the vendor's address (not PO Box), phone number, emergency contact, and explanation of services provided available?

This list can also be quite time consuming to compile. You may find yourself copying information from all over the healthcare organization. This list will be a critical component of the recovery document.

Will a knowledgeable staff member be assigned to assist in this project?

For each of the healthcare organization's divisions, you must have a knowledgeable staff member assisting you. Do not let the manager assign a low-level clerk to the project as your assistant. This can kill your project.

Will adequate workspace be made available for work on this project?

It is important that you have adequate workspace and tools (printer, paper, telephone, data link, etc) if you are to be efficient in producing the plan.

Are key individuals readily accessible, or must appointments be made to discuss BCP matters?

This has a tremendous bearing on the amount of time the project will take. The question sends the message that you expect your requests to be responded to promptly. The answer to this will assist you in assigning a value to the "Complexity Factor" component of the "BCP Timing Estimate."

Would recovery team members (to be appointed later) be available for assisting in the development of recovery plans?

If the answer is no, the plan will be less than effective. This question is a good indication of the overall commitment to the planning process by the healthcare organization.

What do you hope to achieve from a Business Impact Analysis?

What are the expectations? Many times the success or failure of a project is measured by

What are the main objectives you hope to receive from a BCP Strategy activity?

Expectations again.

Is there a software preference for the development of the Business Continuity Plan?

You will want to use software with which you are familiar; but if the client insists, you may have to learn new software.

BCP TIMING ESTIMATE

Company Name

Date___day___I_mo___I___year___

Number of BIA Interviews (NBIA)

109

Number of Sites (NS)

1

Number of RFP Recipients

0

Number of BCP Recovery Teams (TMS)

12

Complexity Factor (CF)

1

Task

Phases and Task Descriptions

Estimating Feature

Hours

BEST PRACTICES REVIEW / RISK ASSESSMENT / BIA ANALYSIS

ORGANIZE

Meet with plan manager. Assemble management team and present overview of project.

3

3.0

Identify reason for doing project.

0

0.0

Define project scope.

0

0.0

Obtain management support.

0

0.0

Determine staff to be interviewed. Schedule interviews.

0

0.0

Meet with plan Coordinator and determine healthcare organizational structure. Prepare organization chart (If not previously prepared).

1

1.0

Determine desires of management for Progress Reporting (Format, dates, i.e., weekly, daily, every other day, etc.)

0

0.0

Determine Service Outage Durations.

0

0.0

Review the healthcare organization's strategic plans if available.

2

2.0

TOTAL

6

6.0

BEST PRACTICES REVIEW

Meet with plan coordinator and explain overall methodology and

1XCF

1.0

Identify key staff to be interviewed.

1XCF

1.0

Conduct interview with plan coordinator. Identify others to interview. Identify documents to be verified.

20XCF

20.0

Conduct other interviews (IT representative, recovery team members, etc.)

4XCF

4.0

Obtain identified documentation.

1XCF

1.0

Review and verify documentation.

10XCF

10.0

Create report on findings.

10XCF

10.0

Review preliminary report with Sr. Management.

5XCF

5.0

Present report findings 5XCF

5.0

TOTAL

57.0

RISK ASSESSMENT

Identify exposures that could impact operations.

8XCFXNS

8.0

List containment measures used to mitigate impact.

4XCFXNS

4.0

Identify and document back-up methodology.

1XCFXNS

1.0

Obtain existing contracts and store off-site.

1XCFXNS

1.0

Identify and document change control procedures.

1XCFXNS

1.0

Obtain vital records schedule and retention records.

2XCFXNS

2.0

Obtain insurance coverage documents and store off site.

2XCFXNS

2.0

Review all Risk Assessment information.

2XCFXNS

2.0

Prepare recommendations for enhanced containment.

1XCFXNS

1.0

TOTAL

22.0

BUSINESS IMPACT ANALYSIS (BIA)

Meet with selected Business Unit Managers to complete BIA.

((NBIA/4)X10)XCF

272.5

Review and document business process flows.

1XNBIAXCF

109.0

Complete item input sheet immediately following BIA.

0.5XNBIAXCF

54.5

If possible, get dollar values of outage at various durations.

3XNSXCF

3.0

Interview dependent business units (if required) to determine RTO, RPO.

0.25XNBIA

27.3

Rank Critical Services.

2XCF

2.0

Prepare BIA report and review preliminary report with management.

10XCF

10.0

Present BIA report to management.

5XCF

5.0

TOTAL

483.3

II. STRATEGIES

Compare recovery requirements to recovery capabilities.

3XNSXCF

3.0

Identify negative gaps in recovery capabilities.

0

0.0

Prepare a list of potential strategies to reduce or eliminate negative gaps.

2XCF

2.0

Discuss potential strategies with appropriate staff.

3XNSXCF

3.0

Develop advantages and disadvantages for select proposed strategies.

4XCFXNS

4.0

Prepare strategy selection report and review with management.

6XNS

6.0

Present Strategy Selection findings to management.

8

8.0

TOTAL

26.0

III. BUSINESS CONTINUITY PLANNING (BCP) DEVELOPMENT

Prepare and disseminate RFP for hot-site (A hot-site is a computer center in a ready state in case of disaster).

4XRFP

0.0

Help client select best hot-site.

3XRFP

0.0

Enter facilities data into plan.

0

0.0

Enter department information.

0

0.0

Load staff information.

4XNSXCF

4.0

Print Staff Report and pass out copies to Business Unit Managers for verification.

1

1.0

Contact critical vendors to determine their service commitment during a disaster situation (IT Vendors, Communications Vendors, Commercial Real Estate Broker, Insurance Co., Off-site Storage Facility).

3XNSXCF

3.0

Gather information and input data on Vendors, Customers, Regulators, Insurance Company, and Storage Locations.

2XNSXCF

2.0

Complete the resource item matrix for inclusion into the plan.

1XNS

1.0

Obtain service commitments from critical internal dependencies.

3XNSXCF

3.0

Prepare Procedures to Tasks Worksheets.

1

1.0

Prepare Procedures.

1

1.0

Prepare Tasks.

1

1.0

With management, determine team composition.

1XNSXCF

1.0

Link Procedures to teams.

0.25xNS

0.3

Review Procedures and Tasks with Teams.

3XTMSXCF

36.0

Identify vendors linked to procedures.

0.25XTMSXCF

3.0

Identify vendors linked to tasks.

1XTMSXCF

12.0

Insert identified vendors into plan.

0

0.0

Link Backup Storage facilities to appropriate Resource Items.

1XNS

1.0

Meet with management to determine the management succession

0.25XNSXCF

0.3

Print the Plan.

1XNS

1.0

Review the plan and make changes as necessary.

4XNSXCF

4.0

Distribute the edited plan to the appropriate members of

0

0.0

Make changes to the plan as necessary.

0.5XNS

0.5

Print the final copy of the Plan.

1XNS

1.0

TOTAL

77.0

PREPARE APPENDICES

Load vendor information into mapping software.

3XNSXCF

3.0

Prepare Recovery Center procedure.

1XNSX.1

0.1

Prepare Public Relations News Release form.

1

1.0

Prepare any other appendices that might be required for hehealthcare organization.

2XCFXNS

2.0

Create "print ready" proof copy of manual.

1XNS

1.0

Have requisite number of copies of the Disaster Recovery Manual

1

1.0

TOTAL

8.1

MAINTENANCE

Develop and Communicate Guidelines for Plan Maintenance.

1XNS

1.0

Develop maintenance triggers.

1

1.0

Develop and Communicate Schedule for Plan Maintenance to

1

1.0

TOTAL

3.0

IV. PLAN TRAINING and TESTING

TRAINING

Prepare training materials and develop training presentation.

3XNS

3.0

Train Recovery Team Members in use of the Plan.

3XNS

3.0

Document attendees to training session.

.25

0.3

TOTAL

6.3

TESTING

Develop objectives and scope.

2XNSXCF

0.0

Develop measurement criteria.

2XNSXCF

0.0

Prepare Test script.

6XNSXCF

0.0

Conduct Tests.

1XNS

1.0

Modify BCP based upon results of test.

4XNS

0.0

Document results.

1XNS

0.0

TOTAL

1.0

TOTAL HOURS

689.6