Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources]

Jim Barnes








STRENGTHS AND CONCERNS


Strengths




Electrical power redundancies.



Communications redundancies.



Internal computerized system redundancies.



Effective crisis management team structure.



Tremendous attention to fire suppression.



Outstanding facility security.




Concerns




Procedures needed for viral intrusion team.



Access control to computer room should be strengthened.



All key equipment needs to have fail-over redundancy.























































































Sample Insurance Coverage


Insurance Type

Real and Business Personal Property, Business Income and Accounts: US$126,677,950

Not to exceed the following sub-limits:

Business Income including Extra Expense: US$76,000,000
Property in Transit: US$25,000
Expediting Cost: US$25,000
Consequential Loss: US$2,500,000
Accounts Receivable: US$15,000
Valuable Papers: US$25,000
Inventory or Appraisal: US$100,000
Personal Property of Officers or Employees: US$25,000
Errors or Omissions: US$100,000
Loss to Objects: US$25,000,000
Ammonia Contamination: US$25,000
Fine Arts: US$55,000
Sewers or Drains: US$5,000,000
Flood: US$5,000,000
Earthquake: US$5,000,000


General Liability:

General Aggregate Limit: US$2,000,000
Products/Completed Operations: US$2,000,000
Personal & Advertising Injury: US$1,000,000
Medical Expense: US$10,000
Employee Benefits Errors & Omissions: US$1,000,000


Listed Deductibles:

Earthquake: US$50,000
Flood: US$50,000
Sewer Backup: US$50,000
Loss to Objects: US$2,500
Consequential Loss: US$5,000
All Other Cause of Loss: US$1,000



























The Healthcare organization: Royal & Sun Alliance


Broker: Aon Risk Services, Inc of Indiana
1717 N. Naber Blvd. 3rd Floor
Naberland, Ind 46563
111-955-0333
Debbie Camphill, CIC


(SOURCE: Brian May …. The Healthcare organization)



Recovery Window Analysis


The Healthcare organization authorized this Business Continuity Study to identify and develop business continuity strategies for recovery of the Healthcare organization's functionality. Based upon interviews conducted, the sequence in which departments should be recovered in the event of a disaster is listed in the following pages. Recovery priorities are based on respondents' information and both tangible and intangible considerations obtained from the surveys and interview process.


Strategies


As The Healthcare organization responds to the gaps in HIPAA compliance related to business continuity, many components should be considered. The Board of Directors and management understand that a disaster affecting any of the following components could significantly affect The Healthcare organization beyond just compliance issues: Customers, Business Process and Staff, Vendors and Supplies, Information Technology, Power, Facilities, Data Communications and Voice Communications.

In the areas of information technology and communications, steps have been taken to provide computer and communication continuity, and these types of activities should be continued.



The hot site capability should be enhanced to provide adequate connectivity to the business units.



The hot site should be able to connect to a temporary worksite if the headquarters location were incapacitated by disaster.



The hot site contract should be reevaluated given the identification of critical applications during the Phase One business continuity planning effort.



Voice communication backup plans should be established to address alternate site requirements.



Additional steps are recommended related to vendors and suppliers to become HIPAA compliant and be better prepared in the event of a disaster.



To be compliant with HIPAA, The Healthcare Organization needs to have certain vendors sign chain of trust agreements to help ensure confidentiality of protected patient information during a disaster.



For resources that are critical to recovery, The Healthcare Organization needs to determine if the suppliers of those resources represent single points of failure and if those suppliers are vulnerable to the same threat as The Healthcare Organization. For suppliers to which both apply, an alternate source needs to be identified.



The Healthcare Organization should create quick response procedures with critical vendors (e.g., direct access phone numbers).



In the area of customer service, a concern is that documented procedures have not been developed to provide vital services during an extended disruption to the headquarters facility.



Providers and subscribers depend upon The Healthcare Organization for payments and authorizations. Currently there are no procedures in place to address these services in the event of a disaster.



To accommodate the needs of the customer, The Healthcare Organization should develop documented business continuity plans that:



Provide for the continuity of payments to providers



Handle subscriber claim payments



Modify the pre-certification process



For The Healthcare Organization, the probability of losing power is much greater than that of losing the use of the entire headquarters facility; however, alternate power can be costly. The Healthcare Organization should evaluate whether the ability to restore power within one business day justifies the estimated costs.

In order to mitigate the effect of a sustained power outage, The Healthcare organization should consider implementing the capability to connect to a portable generator sufficient to accommodate both processing and business unit environmental needs of the headquarters facility. The following are estimates of the three cost considerations involved with implementing a portable generator capability to be delivered when needed:



One-time site preparation costs would be approximately $285,000.



The annual reservation fee for the generator would be approximately $40,000 (8 hour onsite operational guarantee).



Disaster operating cost would be approximately $12,000 per disaster day.



Each major business unit needs to know what its responsibilities and tasks are to support critical business processes in the case of an emergency. In addition to restoring customer-related business processes, there are considerations such as payroll and training.

Documented business continuity plans should be developed to assist in the timely, efficient recovery of critical business processes.



Business unit plans should be developed that include the tasks and reference information necessary to resume time-critical business processes within pre-established timeframes.



Procedure manuals need to be developed to utilize alternate staff in the event key staff are unavailable.



Procedures should be written to address staff family needs and continue payroll disbursements without interruption.



Facilities is currently a major risk area for The Healthcare Organization. If, for whatever reason, the headquarters facility could not be occupied, and the business units had to be relocated to an alternate facility, The Healthcare Organization would experience significant financial and operational impacts.



The Healthcare Organization's current relocation strategy would be to secure a temporary work site when a disaster occurs (option 1) - recovery could take 30 days to 3 months. This is a concern because management has indicated The Healthcare Organization would be significantly impacted if not up and running in 5 to 10 days after a disaster.



Because of The Healthcare Organization's objective to recover up to 1,000 staff positions during an extended outage, we recommend a recovery strategy utilizing both options 2 and 3: subscribe to a mobile recovery site provider (option 2) for short term recovery, and build out leased space (option 3) in the event the outage is expected to last longer than 30 days.


