April 2001 Bulletin

Be ready when disaster hits

‘Business continuity is when a disaster happens and no one even knows it. . . .’

Every practice needs a plan to maintain patient care

By Sandra Lee Breisch

It could have been the medical practice’s worst nightmare: no phone service. But when the phone service went down at the Orthopaedic Associates of New Orleans in Louisiana, they were prepared. Eight additional lines kicked in to accept incoming calls forwarded from their primary number.

"As disasters go and from a business standpoint, diminished phone service hurts," says Ben F. McKown, the practice’s administrator. "Some problems can be anticipated, others cannot. When moving our office, we allowed 45 days to switch phone service, but it wasn’t enough. Experience told me not to trust the telephone service vendor. I had a contingency plan to reduce the risks. When the phone company failed to deliver service in a timely fashion, I activated the plan and via modern ‘phone magic’ our practice provided ‘business as usual’ with minimal inconvenience."

Although this practice demonstrated its readiness to respond to the unexpected, does your practice have a business continuity or disaster recovery plan in place?

A power outage, fire, flood or earthquake could wipe out your business in an instant.

So believes William P. DiMartini, vice president, consulting operations, SunGard Planning Solutions, a business continuity consulting firm in Wayne, Pa. "Every medical practice, no matter its size, should have a business continuity plan or disaster recovery plan in place," he stresses. "Practices should look at business continuity as disaster prevention. Business continuity is when a disaster happens and no one even knows it—rather than it being an event-driven system."

Maintaining critical patient care services is the primary reason practices have adopted business continuity plans, notes DiMartini. "Then there’s administrative criticality in maintaining billing and reimbursement," he adds.

And McKown agrees. "Patients expect to be able to get in touch with medical facilities," he says. "If they call and get a disconnect message, this creates a lot of fear in their minds. That is the real problem because the patient could’ve fallen, broken a hip or had any number of injuries. The perceived problem is that your patient might believe your facility is less of a facility than it should be."

Because today’s computer systems are so integrated and linked via the Internet, day-to-day activities could be severely affected if telecommunications or information technological services go down. "For instance, scheduling appointments, keeping current medical records, all this interacts with clinical systems like pharmacies and labs," says DiMartini. "A lack of information technology also impedes the physician’s ability to make a correct diagnosis."

DiMartini suggests practices define their disaster prevention and recovery needs by conducting a risk analysis to identify the strengths and weaknesses of existing security programs.

If you’re unsure about putting the necessary effort and dollars into disaster planning, DiMartini says, "Ask yourself, ‘What would happen if you were unprepared?’" Basically, he says you’d be starting all over from scratch. "For instance, how would the practice be impacted in terms of revenue, customer service, patient care and intangibles?" he asks. "If I have a large or small staff, their morale and sense of job security or safety would be affected."

Usually, administrators of solo or small group practices can conduct a risk analysis on their own to determine what physical threats and internal disruptions could create a disaster, notes DiMartini. "However, medium or large group practices typically bring in an outside consulting firm to do a risk analysis because of the complexity of the various integrated information systems, number of providers, patients and practice size," he says.

A thorough inspection of your facilities could identify, for instance, faulty electrical wiring, information system backup problems and other internal factors that could disrupt your practice. "Hazard prevention and emergency management reporting systems and controls, environmental characteristics, maintenance and redundancy, and effectiveness of access control and monitoring systems, including audit trails should also be examined," says DiMartini. "Other areas to investigate would be the enforcement of policies and controls."

For starters, a recovery planning process includes:

If your organization has a business recovery plan in place, it should be reviewed and tested regularly. "You might want to compare your current disaster prevention and mitigation processes to other practices to identify its strengths and weaknesses of recovery strategies," suggests DiMartini. "Also, you’ll have a keener awareness of the estimated levels of recovery preparedness and testing practices."

Planning for the recovery of the practice itself is a "complex matter," notes DiMartini. "If your practice had an electrical fire, what steps would be necessary to resume operations," he asks. "Where would you send your patients—to another colleague’s practice or to a hospital? What would happen to your computer database and hard copy files? Would an off-site storage or automated information backup system be in place?"

As a short-term measure, DiMartini recommends solo or small practices monthly print a list of their patients’ records and store them off-site—even if it’s in a physician’s basement.

For medium-to-large sized medical practices, many network data companies provide electronic vaulting (daily or periodic backups) or mirroring (real time). These systems should be tested regularly during the year, advises DiMartini.

With a computer center recovery plan, practices can:

"Your providers—basically the people you are connected to electronically every day such as hospitals and insurance companies—can support your recovery system," says DiMartini. "You need to work with them to see how they could help you in the event of a disaster. For instance, you need to know what information they could pass back to you? Could they come back to you and say, ‘In the past week, you sent me this and that information?’"

Scheduling is another critical function of a medical practice. According to DiMartini, many practices have a PC-supported software-scheduling package that is supported by an outside service. "If you lose scheduling in your practice, right there you have an immediate impact on patient care," says DiMartini. "And you also have an impact to your billing because your system keeps track of the number of patient encounters."

Once a business continuity process is in place, it must be tested regularly and maintained.

"Conduct regular meetings for awareness and keep the plan current," says DiMartini. "Assign key personnel to be notified in the event of a disaster. Have a floor plan that includes network configurations, communications closet layouts, cable diagrams, port connections, server configurations, backup schedule, web software floor plans of the practice, disaster scenarios and have a reference manual."

Your practice’s plan should be in compliance with state and federal regulatory guidelines, the Occupational Safety and Health Administration and the Health Insurance Portability and Accountability Act regarding the security and confidentiality of electronic health information, notes DiMartini.

Additionally, your practice should have adequate insurance coverage for catastrophic and non-catastrophic occurrences.

Home Previous Page