Foreword
Daniel Dec
The Health Care Portability and Accountability Act of 1996, widely known as HIPAA, mandates administrative standards on almost the entire health care industry - a trillion-dollar industry not well known for its administrative efficiency nor for its willingness to collaborate on standards. Nonetheless, it is now a fact of life for health care that HIPAA's designated entities (hospitals, physicians, pharmacies, dentists, health plans and their middlemen) are obligated to establish and maintain new levels of electronic business proficiency.

The HIPAA transactions and codes standards impose innumerable technical requirements in the search for elusive efficiencies and economies of scale. HIPAA's privacy standards impose duties to protect patient information, while at the same time providing new access to that information. HIPAA's security rule ties the privacy and transaction rules together.

Through my years of consulting experience including hundreds of clients, it is apparent that the level of business continuity and recovery planning in place varies widely. While this process has always been a prudent business practice, it has not been a high priority for many organizations. Not only has the increase in external and internal threats made this process more relevant, but regulation has increased its necessity and it has gained attention in the Board room.

An effective contingency plan enables a healthcare organization to minimize the effects of a disaster. It helps the organization to address the steps required to preserve the business operations in the event of disruptions due to either natural disasters or human error. Anyone who has been through a disruption will tell you how invaluable a tested recovery plan is during that event.

While most are apprehensive of government dictating business process, the approach HIPAA takes regarding business continuity and disaster recovery enables individual entities to determine the level of planning and the strategies used.
While requiring that plans be put in place, your organization retains the responsibility to determine how and where recovery plans will be instituted. This flexibility enables entities of different sizes and complexities to scale their recovery appropriately and implement safeguards that are suitable.

Jim's book provides the reader with guidelines, processes and the tools necessary to develop a plan that would be compliant with the HIPAA regulation. I agree with the caution that this is not a cookie cutter project and that significant specific knowledge of the business is required to tailor these processes appropriately, thus enabling the production of an effective recovery program.

In addition, having senior management support for this effort is a critical success factor, as this process often ventures into each vital business process of the firm. Executive leadership can demonstrate their commitment in a policy statement and support that policy statement by allocating required resources (human, technical, and financial) in order to complete the business continuity and disaster recovery planning processes.

Regarding HIPAA, the required implementation specifications include:
having a data backup plan
having a disaster recovery plan
having an emergency mode operation plan
The addressable implementation specifications include:
having testing and revision procedures
having applications and data criticality analysis.
"Addressable" should not be equated with optional. The "addressable" notation means that your organization can determine the type and level of testing that is appropriate for it. Jim covers these areas as he guides the reader through the steps that can be used to achieve these objectives.

The critical function that healthcare entities play in our society, its economy, and its ability to deal with catastrophes requires that these entities assess their operations and include "reasonable" recovery plans against reasonably anticipated threats. After the events of September 11, 2001, that threat definition was broadened as never before.

Just like the Fortune 500 companies, health care businesses must now go beyond planning for strikes and power outages, and plan for that inevitable day when a bomb, a plague, a tornado or some major catastrophe shuts them down. HIPAA also requires significant documentation of your planning process and decisions.

Capitalizing on James Barnes' planning experience across many settings and many years is a valuable expansion of your planning team's personal horizons. In this book, Mr. Barnes provides the steps, the tools, the core questions and the processes to realistically and systematically analyze potential threats to your operations. He guides you through the process of making the business, economic, political and human decisions necessary to develop the pre-plan you will need both for HIPAA compliance and to implement when a threat actually materializes.

There is no magic bullet. Business continuity and disaster recovery planning requires hard work and harder decisions; there is no free lunch. But with the aid of this book, you will be in a better position to make the planning, analysis and decision processes more manageable and productive.
Daniel Dec, MBA, CISA, CISM, has over 20 years' experience in Information Technology and is a former partner with PricewaterhouseCoopers LLP. Today Dan consults with firms regarding their Information Security and Contingency Planning strategies as President of AMLA Resiliency LLC.