Business Continuity & HIPAA (Barnes)
Business Continuity Management in the Health Care Environment. By James C. Barnes; Edited by Deborah Barnes, Philip Jan Rothstein, FBCI.
Order #DR733
Price: $75.00
BUSINESS CONTINUITY PLANNING AND HIPAA:
BUSINESS CONTINUITY MANAGEMENT IN THE HEALTH CARE ENVIRONMENT
By James C. Barnes
Edited by Deborah Barnes, Philip Jan Rothstein, FBCI
ENDORSED BY THE BUSINESS CONTINUITY INSTITUTE (BCI) AND THE DISASTER
RECOVERY INSTITUTE INTERNATIONAL (DRII).
This book examines business continuity planning as adapted to encompass the
requirements of The Health Care Portability and Accountability Act of 1996, or HIPAA. We
examine the typical business continuity planning model and highlight how the special
requirements of HIPAA have shifted the emphasis. The layout of this book was designed to
afford assistance, hints, and templates to the person charged with the task of implementing
business continuity planning into a healthcare organization.
You will notice that this book does not address Emergency Management (building
evacuations and other immediate response procedures) because this is outside the scope of
the HIPAA regulations.
Upon reading and re-reading the HIPAA regulations and the “Comments and Responses” in
the Federal Register, it becomes quite evident that the "Contingency Plan" (read Business
Continuity Plan) requirements were written by those looking to protect health information
data. That being said, many of the examples that I use in this book relate to information
technology and disaster recovery (recovery of computer capabilities). What is also
important, and what I try to emphasize throughout the book, is that recovering the computer
systems of a health care organization will not necessarily get it operational again after a
disaster; a multitude of other production components must be present in order to deliver
services and products to customers/patients. Where appropriate, I have identified
procedures and strategies that are unique to healthcare provider organizations. If not so
indicated, it can be assumed that I am referring to healthcare organizations in general.
The audience for whom I have designed this book is the people who are responsible for
implementing a plan in a healthcare organization that comes under the scope of the HIPAA
regulations. At first reading, the book may appear to be an exact template to be used to
design a business continuity plan. What I hope that you will get out of the book (perhaps on a
reread once you are into the planning project) is that this is a pencil outline on a canvas and
that your insights and knowledge of your healthcare organization will add the color that will
make it a masterpiece.
What you will notice in this book is that we present an approach that is similar to traditional
business continuity planning. This is done purposefully. The basic business continuity
planning model looks to protect and/or recover all critical components of production. This
model assumes an industry-specific nature not by changing the model itself, but by placing
greater emphasis on the protection and recovery of those production resources that
characterize that industry. In our view, "thinking outside the box" is only required if the box
was ill-conceived in the first place.
This book includes the special precautions and procedures that address the unique concerns
of HIPAA, but it presents them along with the other business components in order to
emphasize the need to take a holistic approach when constructing and maintaining a business
continuity plan.
- - - - -
EXCERPT FROM THE PREFACE
THE BUSINESS CONTINUITY INSTITUTE
“Healthcare is rapidly turning into one of the most critical resources in modern society. As a
branch of industry, it must balance the need for socially motivated service thinking with good
business sense. It is nevertheless imperative that all healthcare institutions adhere to
standards that are often higher than those found in other sectors of industry. Accordingly,
HIPAA sets the scene for stringent regulation and supervision in hospitals and other
healthcare-related organizations.
“Business continuity management in the healthcare industry creates many question marks,
particularly where HIPAA provisions are concerned. Jim Barnes’ book provides pragmatic
answers and delivers a long-overdue framework for introducing business continuity to the
world of HIPAA - and vice versa.
“Thorough research, clear guidelines and a wealth of templates and samples have been
combined to highlight what is needed, when and who should be responsible. For those who
are less familiar with the healthcare sector, Jim’s book will be a work of reference - for
experienced practitioners, it will provide many an unexpected insight into the HIPAA mode of
thinking.
“The survey results included cannot be ignored: the hard, empirical database of what
happens in reality is clear evidence to support Jim’s conclusions, and to reinforce the need
for comprehensive business continuity management at all levels within healthcare
organizations. Where the BCM framework suggested in this book is followed, the results will
be practical, useful and “HIPAA-tested.”
“BUSINESS CONTINUITY PLANNING AND HIPAA: BUSINESS CONTINUITY
MANAGEMENT IN THE HEALTH CARE ENVIRONMENT is a “must read” for all
practitioners in the healthcare field!”
Rolf von Roessing CISA, CISM, FBCI
Member of the Board and Chairman of the Audit Committee
The Business Continuity Institute
- - - - - -
EXCERPT FROM THE PREFACE
DISASTER RECOVERY INSTITUTE INTERNATIONAL
“In today’s business environment, change is the norm. The path to your business goals is
seldom marked, and never direct. Success in this world demands agility and resilience, and
relies on its ability to easily adapt and be flexible in a world of uncertain times. An adaptive
infrastructure that tightens integration and synchronization between IT resources and
business processes while delivering a level of interoperability that supports the requirements
for a new infrastructure ecosystem. An adaptive infrastructure delivers virtualized resources
as services in response to business process requirements. It scales or redeploys resources
quickly and efficiently as the business requires, in a single department or across the entire
enterprise. To adapt effectively to change in the business environment, the infrastructure itself
must deliver services continuously, secure against attack and threat.
“But continuous, secure operations are more than a step toward somewhere else: they are a
destination of their own. It is time to begin the journey toward an infrastructure that can serve
as a dependable foundation for your business today, and the engine of quick, smooth
adaptation to business requirements in an unpredictable future.
“Businesses build cultures of business continuity by planning, then overcoming everyday
threats and obstacles, until continuity is no longer optional but rather is built into the
company’s corporate culture. Never complete, the process cycles through analysis, building,
integration, management and evolution. With every turn, your business becomes more
secure, efficient and agile in its response to both challenge and opportunity.
“The continuity and security of your business are not isolated destinations. Even your first
steps will bring you toward a broader, more integrated operational vision. And efficiencies
will only improve as employees move together toward common objectives. As you go, the
path will get easier. Protecting and organizing information systems helps you pick up
speed—moving ahead with new sophistication and efficiency. Your systems will become not
just safer, but easier to use and manage - for employees, partners and customers.
“No destination is final, but the journey toward continuous operations brings its own practical,
measurable rewards along the way. And with every step, your business grows more resilient,
more agile and better prepared to take advantage of the next business change.
“Newer and reinforced regulation such as HIPAA is changing the world of business as we
know it. With more of a focus on corporate governance and compliance, business continuity
practices and program management have become in most cases, the focus of compliance.
“As more healthcare organizations look to go paperless, recovery and continuity become
even more difficult to achieve. Data storage banks are growing at an all time high and
expected to continue as other regulation such as HIPAA, Sarbanes-Oxley and Basel II
Accord are rolled out into organizations. Penalties in not complying with regulation may have
a higher degree of financial and operational impact to the organization than previous impacts
regarding revenue loss and lost production.
“This book helps healthcare professionals crystallize some of the ways companies can
comply with HIPAA regulation. The structured approach is easy to follow and conforms to the
best practices and standards as presented by DRI International (DRII).”
Belinda Wilson, CBCP
Executive Director
Hewlett-Packard, Business Continuity Services
Vice-Chairperson, DRII
- - - - - -
EXCERPT FROM THE PREFACE
by Daniel Dec, MBA, CISA, CISM
“The Health Care Portability and Accountability Act of 1996, widely known as HIPAA,
mandates administrative standards on almost the entire health care industry - a trillion-dollar
industry not well known for its administrative efficiency nor for its willingness to collaborate on
standards. Nonetheless, it is now a fact of life for health care that HIPAA's designated entities
(hospitals, physicians, pharmacies, dentists, health plans and their middlemen) are obligated
to establish and maintain new levels of electronic business proficiency.
“The HIPAA transactions and codes standards impose innumerable technical requirements
in the search for elusive efficiencies and economies of scale. HIPAA's privacy standards
impose duties to protect patient information, while at the same time providing new access to
that information. HIPAA's security rule ties the privacy and transaction rules together.
“Through my years of consulting experience including hundreds of clients it is apparent that
the level of business continuity and recovery planning in place varies widely. While this
process has always been a prudent business practice, it has not been a high priority for many
organizations. Not only has the increase in external and internal threats made this process
more relevant, but regulation has increased its necessity and it has gained attention in the
Board room.
“An effective contingency plan enables a healthcare organization to minimize the effects of a
disaster. It helps the organization to address the steps required to preserve the business
operations in the event of disruptions due to either natural disasters or human error. Anyone
who has been through a disruption will tell you how invaluable a tested recovery plan is during
that event.
“While most are apprehensive of government dictating business process, the approach
HIPAA takes regarding business continuity and disaster recovery enables individual entities
to determine the level of planning and the strategies used. While requiring that plans be put
in place, your organization retains the responsibility to determine how and where recovery
plans will be instituted. This flexibility enables entities of different sizes and complexities to
scale their recovery appropriately and implement safeguards that are suitable.
“Jim's book provides the reader with guidelines, processes and the tools necessary to
develop a plan that would be compliant with the HIPAA regulation. I agree with the caution
that this is not a cookie cutter project and that significant specific knowledge of the business
is required to tailor these processes appropriately thus enabling the production of an
effective recovery program.
“In addition, having senior management support for this effort is a critical success factor as
this process often ventures into each vital business process of the firm. Executive leadership
can demonstrate their commitment in a policy statement and support that policy statement
by allocating required resources (human, technical, and financial) in order to complete the
business continuity and disaster recovery planning processes.
“Regarding HIPAA, the required implementation specifications include:
- having a data backup plan
- having a disaster recovery plan
- having an emergency mode operation plan
“The addressable implementation specifications include:
- having testing and revision procedures
- having applications and data criticality analysis.
“Addressable” should not be equated with optional. The “addressable” notation means that
your organization can determine the type and level of testing that is appropriate for it. Jim
covers these areas as he guides the reader through the steps that can be used to achieve
these objectives.
“The critical function that healthcare entities play in our society, its economy, and its ability to
deal with catastrophes requires that these entities assess their operations and include
"reasonable" recovery plans against reasonably anticipated threats. After the events of
September 11, 2001 that threat definition was broadened as never before.
“Just like the Fortune 500 companies, health care businesses must now go beyond planning
for strikes and power outages, and plan for that inevitable day when a bomb, a plague, a
tornado or some major catastrophe shuts them down. HIPAA also requires significant
documentation of your planning process and decisions.
“Capitalizing on James Barnes' planning experience across many settings and many years is
a valuable expansion of your planning team's personal horizons. In this book, Mr. Barnes
provides the steps, the tools, the core questions and the processes to realistically and
systematically analyze potential threats to your operations. He guides you through the
process of making the business, economic, political and human decisions necessary to
develop the pre-plan you will need both for HIPAA compliance and to implement when a
threat actually materializes.
“There is no magic bullet. Business continuity and disaster recovery planning requires hard
work and harder decisions; there is no free lunch. But with the aid of this book, you will be in a
better position to make the planning, analysis and decision processes more manageable
and productive.”
“Daniel Dec, MBA, CISA, CISM, has over 20 years’ experience in Information
Technology and is a former partner with PricewaterhouseCoopers LLP. Today Dan consults
with firms regarding their Information Security and Contingency Planning strategies as
President of AMLA Resiliency LLC.”
- - - - - -
TABLE OF CONTENTS
CHAPTER I. INTRODUCTION
ABOUT THIS BOOK
CHAPTER II. BUSINESS CONTINUITY PLANNING AND HIPAA
CHAPTER III. PROJECT FOUNDATION
BUSINESS CONTINUITY PLANNING EVALUATION
Plan Management
Business Impact Analysis
Recovery Strategies
Plan Development
Plan Maintenance
Plan Testing
PRE-PROJECT QUESTIONNAIRE
BCP TIMING ESTIMATE
POLICY STATEMENT
DATA REQUESTS
KICK-OFF MEETING
CHAPTER IV. BUSINESS ASSESSMENT
RISK ASSESSMENT
INFORMATION PROTECTION
Protection
Detection
Response
BUSINESS IMPACT ANALYSIS (BIA)
CHAPTER V. STRATEGY SELECTION
COMPUTER CENTER RECOVERY
No Strategy
Relocate, Rebuild, Restore
Hot-site
Hot Site with Electronic Vaulting
Active Recovery Site (Mirrored)
DATA RECOVERY
OTHER COMPONENT RECOVERY
COMMUNICATIONS RECOVERY
Voice Communications
Data Communications
FACILITIES RECOVERY
Structure
Power
STAFF RECOVERY
VENDOR SELECTION
CUSTOMER RELATIONS
PATIENT SERVICES
PLAN STRATEGIES
PLAN FUNDING
CHAPTER VI. PLAN DEVELOPMENT
TEAMS
Emergency Management Team
Recovery Teams
ACTION PLAN BY TEAM
SERVICES PRIORITY ORDER
PROCEDURES TASKS AND SCHEDULES
Recover Telecommunications
Recover Mid-Range Computer
Recover Alternative Processing Sites
Recover Local Area Network And Servers
Recover Wide Area Network
Recover Personal Computers
Incident Response
Recover Facility
Recover Off-site Records & Documentation
Replace Staff
Recover Office Furniture
Recover Office Equipment
Provide Human Comforts & Support
Maintain Media Relations
Maintain Customer Relations
Disperse Patients
RESOURCE ITEM MATRIX
DOCUMENTATION RULES
CHAPTER VII. TESTING AND MAINTENANCE
TESTING
MAINTENANCE
APPENDIX 1 - SURVEY RESULTS
APPENDIX 2 - SAMPLE BIA MANAGEMENT SUMMARY REPORT
APPENDIX 3 - REQUEST FOR PROPOSAL
APPENDIX 4 - VENDOR LISTING
APPENDIX 5 - TEST PLAN EXAMPLE
APPENDIX 6 - GLOSSARY
- - - - - -
EXCERPT FROM THE INTRODUCTION
“On August 21, 1996 the Health Insurance Portability & Accountability Act (HIPAA) became a
law. The purpose of this act is to provide US citizens with better access to health insurance,
limit fraud, and reduce healthcare companies' administrative costs. At the highest level,
HIPAA is a set of government-mandated standards for business to business healthcare
e-commerce. It mandates standard electronic transactions with standard code sets using
standard identifiers in a secure environment.
“HIPAA is the result of the convergence of healthcare cost pressures, available web
technologies, and growing demands by consumers. By enacting this legislation, congress
has established a standard basis or framework for the healthcare industry to embrace the
economies of e-business.
“Within HIPAA are five primary components identified as Titles I, II, III, IV, and V. Title II, or
Administrative Simplification, is the component of HIPAA containing, among other elements,
the requirement for business continuity planning. The breakdown of the HIPAA components is
as follows:
- Title I guarantees health insurance access, portability, and renewal. It eliminates
some pre-existing condition exclusions. It prohibits discrimination based on health status. It
guarantees coverage renewal.
- Title II prevents health care fraud and abuse, promoting administrative
simplification. Within Title II are fraud and abuse controls, procedures for administrative
simplification, and medical liability reform.
- Title III addresses medical savings accounts and health insurance tax deductions
for self-employed individuals.
- Title IV provides for the enforcement of group health plan provisions.
- Title V addresses revenue offset provisions.
What has caused HIPAA to occur at this point in time? In 1991, it was estimated that one
quarter of the total cost of healthcare was attributable to the cost of administration.
In 1995, over 5 billion claims a year were filed in the US with less than 20% submitted
electronically. Over 400 different formats are used to file electronic claims. By streamlining
this process, it is estimated that $9 billion annually could be saved without impacting the
quality of care. The time had come when these economic forces could not be ignored.
HIPAA is the most sweeping legislation to affect the health care industry in over 30 years. It is
anticipated that large health plans will have to spend $50 to $200 million to become HIPAA
compliant. Nearly everyone in healthcare will need to comply: payers, employers, providers,
clearinghouses, healthcare information systems vendors, billing agents, and service
healthcare organizations.
Who is affected? The answer is health plans, providers, health care clearing houses, and
some others. Health plans include individual or group plans that provide or pay the cost of
medical care. It also includes employers who self-insure. Providers include a provider of
medical or other health services and any other person furnishing health care services or
supplies. Health care clearing houses are public or private entities that process or facilitate
the processing of nonstandard data elements of health information into standard data
elements. Finally, the "other" category which includes employers who want to do data mining
and pharmaceutical companies that conduct clinical research.”
- - - - - -
ABOUT THE AUTHOR
JIM BARNES received an early introduction to check-listed emergency operating procedures
as a commander of an ICBM launch crew in the Air Force's Strategic Air Command. While in
the Air Force, Jim received a Master's degree in Economics, which led him to become a bank
economist when he left the service. This economics and financial background has forged a
view of business continuity planning that is more business than technically oriented.
Jim has over 15 years of extensive experience in Business Continuity Planning. He was in
charge of designing Business Continuity Planning software which was marketed and used
internationally. Most recently, Jim assisted in the design of a Business Continuity
Certification course which he taught to "Big Four" consultants in Europe, South America, and
the United States. Jim has written over 300 Business Continuity Plans most of which were for
Health Services "Payer" institutions and for Financial Institutions. Jim has completed and has
published, "A Guide to Business Continuity Planning", "E-Commerce Security-Business
Continuity Planning: A Technical Reference Guide", and has written "The Linchpin to
Successful Business Continuity Planning" in the Fall, 2003 Disaster Recovery Journal.
Jim is the founder and CEO of Barnes Continuity Planners, Inc. (BCP, Inc), a consulting firm
that assists client companies with business continuity planning. BCP, Inc. specializes in
creating recovery plans, recovery strategies, and institutionalizing continuity management
within an organization's culture. Jim is a Certified Recovery Planner and a Member of the
Business Continuity Institute.
- - - - - -
Published by Rothstein Associates Inc.
ISBN #1-931332-25-8
2004, 240 pages (est.). Order #DR733.
- - - - - -
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104 USA
1-888-ROTHSTEin; (888.768.4783)
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401