Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 6 - Contingency Plan

 

Title: Data Backup Plan
Policy: SEC-06.01
Category: HIPAA Compliance
Authority: 45 CFR § 164.308(a)(7)(ii)(A)
Standard: Contingency Plan
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Ensure retrievable copies of EPHI are available.

Policy

OSU will establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.  §164.308(a)(7)(ii)(A)

Procedure

OSU will back up all servers and databases that house electronic PHI on a daily basis.

These server and database backups will be stored in a manner that allows a working environment to be retrieved and recreated in a timely manner.

OSU has, and will maintain, a redundant backup system. In the event of a natural disaster (flood, fire, tornado) or any other event that renders a data center non-operational, OSU can switch to the redundant system.

Please reference SEC-11.03 Data Backup and Storage Policy for more specific details.
Reference

OSU Stillwater Electronic Backup Policy
OSU Stillwater Application Archive Policy
OSU-CHS Data Backup and Storage Policy SEC-11.03



Title: Disaster Recovery Plan
Policy: SEC-06.02
Category: HIPAA Compliance
Authority: 45 CFR § 164.308(a)(7)(ii)(B)
Standard: Contingency Plan
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Restore any loss of EPHI data.

Policy

OSU will establish (and implement as needed) procedures to restore any loss of data.

OSU will use the disaster recovery as necessary for protection and recovery of EPHI data.
Procedure

In a contingency situation, OSU must be able to access necessary EPHI as quickly as possible. The emergency operating procedures, in conjunction with IT policy, will be used to revert to an emergency response mode.

The technical systems managers maintain a full complement of backups, including both data and applications. Hot spare servers are not available. In the event of a hardware failure resulting in a server outage, the technical systems managers will obtain spare parts from vendors and/or other OSU campuses to transition smoothly to contingency operations. Hardware outages should not interrupt access to necessary EPHI for more than 24 hours in the EMR system or 72 hours in the Practice Management System.
Reference

Appropriate Emergency Operating Procedures for Clinic
Institutional Safety Emergency Procedures
Data Backup Plan



Title: Emergency Mode Operation Plan
Policy: SEC-06.03
Category: HIPAA Compliance
Authority: 45 CFR § 164.308(a)(7)(ii)(C)
Standard: Contingency Plan
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify Emergency Mode Operation plans for clinic systems

Policy

OSU will establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.  §164.308(a)(7)(ii)(C)

During an interruption of electronic services, either by forces of nature or system failures, the OSU clinic systems will continue business using Emergency Mode Operations.

Procedure
  1. Emergency Notification: The Medical Director, Director of Clinic Financial Services, I.T., Director of Physical Plant, Security and the corresponding Department Chairs should be notified immediately of the interruption of services and the expected restoration of those services.
  2. Procedure for operations during an emergency
    1. Total Facility Power Outage
      1. Patient Care: The goal is to provide an environment that allows completion of required exam treatment, appropriate triage as needed, safe dismissal for later follow-up as appropriate, and communication with those patients scheduled for later in the day.
      2. Patient Check-in: The Patient Financial Counselors will manually write the patient's demographics on the patient's fee slip at the arrival time of their scheduled appointment.
        1. First name, middle initial and last name
        2. Date of birth
        3. Address
        4. Phone number(s)
        5. Social Security Number, if provided
        6. Insurance company information, if provided
      3. Notification of patient arrival to nursing staff if telephone service is operable.
        1. Call the nurse station when the fee slip is manually completed.
      4. Notification of patient arrival to nursing staff without telephone service.
        1. Manually walk the fee slip to the nurse station.
        2. Use walkie-talkies or cell phones shared between the front desk and nurse stations.
      5. Patient schedules are printed the day before.
      6. Emergency Lighting
        1. OSU clinics have an emergency lighting system to help illuminate portions of the treatment areas.
        2. Each clinic has been provided flashlights to use for guiding patients.
      7. Procedures in Progress
        1. A procedure in progress (pap smear, minor surgical procedure, etc.) should be completed where necessary using emergency lighting, or, if it can be terminated, stopped with assurance to the patient that it will be completed later. For example, suturing would generally be completed, while a pap smear would be halted, allowing the patient to get dressed and ensuring it is rescheduled for a later date or when power resumes.
      8. General Evacuation
        1. Using flashlights and emergency lighting, the nursing staff will direct the patients from the treatment area to the general reception area.
        2. Patients are counseled by the Nursing and Scheduling staff about the visit. If an extended power outage is expected, patients should be rescheduled using written paper documentation.
        3. Short power outages serve only as a disruption; at their conclusion patient care resumes as usual.
      9. Scheduled Appointments
        1. If an extended outage is expected, the Scheduler will attempt to notify patients in advance and suggest that they reschedule. Staff may need to use cellular phones.
      10. Medication/Reagents: A power outage puts temperature-sensitive medications and reagents at risk.
        1. OSU CHS MM004 Policy and Procedure covers the storage and monitoring of medications.
        2. OSU CHS L001 Policy and Procedure covers the storage and monitoring of laboratory reagents.
      11. Power Outage Checklist:
        1. Direct all patients and employees to the general check-in area, where outdoor lighting is available.
        2. Check the treatment areas and rooms to be sure everyone has been evacuated.
        3. Turn off all computers in the clinic system.
        4. Turn off all lights and equipment to reduce the immediate electrical load on the power grid when power is restored.
        5. Place refrigerated medications and laboratory reagents in a cooler and transport them to another facility where power is functioning normally.
    2. Primary Practice Management Computer Failure: Patient care continues uninterrupted using paper documentation. Refer to Policy SEC-12.02 Emergency Access for further guidance.
    3. Primary Electronic Medical Records Failure: Patient care continues uninterrupted using paper documentation. Refer to Policy SEC-12.02 Emergency Access for further guidance.
  3. For additional information, refer to the CHS Emergency Operations Procedures in the CHS contingency and business continuity plans.


Title: Testing and Revision Procedures
Policy: SEC-06.04
Category: HIPAA Compliance
Authority: 45 CFR § 164.308(a)(7)(ii)(D)
Standard: Contingency Plan
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To specify procedures for periodic testing and revision of contingency plans. Proper testing and revision will serve to continually refine resumption and recovery procedures and reduce the potential for failure.

Policy

OSU will implement procedures for periodic testing and revision of contingency plans.  §164.308(a)(7)(ii)(D)

Procedure

Contingency procedures must be tested periodically to ensure the effectiveness of the plan. The scope, objective, and measurement criteria of each exercise will be determined and coordinated by the Contingency Plan Coordinator on a “per event” basis.

There are two categories of testing: announced and unannounced.

In an announced test, personnel are instructed when testing will occur, what the objectives of the test are, and what the scenario will be. Announced testing is helpful for the initial test of procedures: it gives teams time to prepare for the test and allows them to practice their skills.

Once the team has had an opportunity to run through the procedures, practice, and coordinate their skills, unannounced testing may be used to test the completeness of the procedures and sharpen the team's abilities. Unannounced testing is conducted without prior notification. It is extremely helpful in preparing a team for emergency response because it focuses on the adequacy of in-place procedures and the readiness of the team. Unannounced testing, combined with closely monitored restrictions, helps create a simulated scenario that might exist in an actual contingency operation, and so more closely measures the team's ability to function under the pressure and limitations of a disaster.

Once it has been determined whether a test will be announced or unannounced, the actual objective(s) of the test must be determined. There are several different types of tests that are useful for measuring different objectives.

A recommended schedule for testing is as follows:

  • Desktop testing on a quarterly basis
  • One structured walk-through per year
  • One integrated business operations/information systems exercise per year

Designated HIPAA Officials and other staff at each clinical area will determine end-user participation.



Title: Applications and Data Criticality Analysis
Policy: SEC-06.05
Category: HIPAA Compliance
Authority: 45 CFR § 164.308(a)(7)(ii)(E)
Standard: Contingency Plan
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To enable the continuation of critical business processes for protection of the security of EPHI during emergency mode operations.      

Policy

Assess the relative criticality of specific applications and data in support of other contingency plan components.

Procedure
  1. Activities and materials that are critical to daily business operations include:
    1. Network services (e.g. firewalls, switches, fiber optic lines, wireless)
    2. Servers (e.g. authentication server, EMR server, PM server)
    3. Software (EMR, PM)
    4. Equipment (computers, printers)
  2. Automated processes that support critical services or operations include:
    1. Network services (e.g. firewalls, switches, T1 lines, wireless)
    2. Servers (e.g. authentication server, EMR server, PM server)
    3. Software (EMR, PM)
    4. Equipment (computers, printers)
    5. IT personnel
  3. Power outages disrupting network services, servers, and the EMR application can be tolerated for no more than 24 hours. Practice Management disruption can be tolerated for no more than 72 hours.
  4. In response to an emergency in which servers are destroyed, a new server would be purchased and placed in the most secure and reliable location available. Data would be restored as described in the Data Backup Plan policy. See the Contingency Plan policy for further details.
Reference

Data Backup Plan
Contingency Plan

