BUSINESS CONTINUITY PLANNING AND HIPAA: BUSINESS CONTINUITY MANAGEMENT IN THE HEALTH CARE ENVIRONMENT
By James C. Barnes
Edited by Deborah Barnes, Philip Jan Rothstein, FBCI
ENDORSED BY THE BUSINESS CONTINUITY INSTITUTE (BCI) AND THE DISASTER RECOVERY INSTITUTE INTERNATIONAL (DRII).
This book examines business continuity planning as adapted to encompass the requirements of The Health Care Portability and Accountability Act of 1996, or HIPAA. We examine the typical business continuity planning model and highlight how the special requirements of HIPAA have shifted the emphasis. The layout of this book was designed to afford assistance, hints, and templates to the person charged with the task of implementing business continuity planning into a healthcare organization.

You will notice that this book does not address Emergency Management (building evacuations and other immediate response procedures) because this is outside the scope of the HIPAA regulations.
Upon reading and re-reading the HIPAA regulations and the “Comments and Responses” in the Federal Register, it becomes quite evident that the "Contingency Plan" (read Business Continuity Plan) requirements were written by those looking to protect health information data. That being said, many of the examples that I use in this book relate to information technology and disaster recovery (recovery of computer capabilities). What is also important, and that I try to emphasize throughout the book, is that recovering the computer systems of a health care organization will not necessarily get it operational again after a disaster; a multitude of other production components must be present in order to deliver services and products to customers/patients. Where appropriate, I have identified procedures and strategies that are unique to healthcare provider organizations. If not so indicated, it can be assumed that I am referring to healthcare organizations in general.
The audience for whom I have designed this book is the people who are responsible for implementing a plan in a healthcare organization that comes under the scope of the HIPAA regulations. At first reading, the book may appear to be an exact template to be used to design a business continuity plan. What I hope that you will get out of the book (perhaps on a reread once you are into the planning project) is that this is a pencil outline on a canvas and that your insights and knowledge of your healthcare organization will add the color that will make it a masterpiece.
What you will notice in this book is that we present an approach that is similar to traditional business continuity planning. This is done purposefully. The basic business continuity planning model looks to protect and/or recover all critical components of production. This model assumes an industry-specific nature not by changing the model itself, but by placing greater emphasis on the protection and recovery of those production resources that characterize that industry. In our view, "thinking outside the box" is only required if the box was ill-conceived in the first place.
This book includes the special precautions and procedures that address the unique concerns of HIPAA, but it will present them along with the other business components in order to emphasize the need to take a holistic approach when constructing and maintaining a business continuity plan.
- - - - -
EXCERPT FROM THE PREFACE
THE BUSINESS CONTINUITY INSTITUTE
“Healthcare is rapidly turning into one of the most critical resources in modern society. As a branch of industry, it must balance the need for socially motivated service thinking with good business sense. It is nevertheless imperative that all healthcare institutions adhere to standards that are often higher than those found in other sectors of industry. Accordingly, HIPAA sets the scene for stringent regulation and supervision in hospitals and other healthcare-related organizations.
“Business continuity management in the healthcare industry creates many question marks, particularly where HIPAA provisions are concerned. Jim Barnes’ book provides pragmatic answers and delivers a long-overdue framework for introducing business continuity to the world of HIPAA - and vice versa.
“Thorough research, clear guidelines and a wealth of templates and samples have been combined to highlight what is needed, when and who should be responsible. For those who are less familiar with the healthcare sector, Jim’s book will be a work of reference - for experienced practitioners, it will provide many an unexpected insight into the HIPAA mode of thinking.
“The survey results included cannot be ignored: the hard, empirical database of what happens in reality is clear evidence to support Jim’s conclusions, and to reinforce the need for comprehensive business continuity management at all levels within healthcare organizations. Where the BCM framework suggested in this book is followed, the results will be practical, useful and “HIPAA-tested.”

“BUSINESS CONTINUITY PLANNING AND HIPAA: BUSINESS CONTINUITY MANAGEMENT IN THE HEALTH CARE ENVIRONMENT is a “must read” for all practitioners in the healthcare field!”
Rolf von Roessing CISA, CISM, FBCI
Member of the Board and Chairman of the Audit Committee
The Business Continuity Institute
- - - - - -
EXCERPT FROM THE PREFACE
DISASTER RECOVERY INSTITUTE INTERNATIONAL
“In today’s business environment, change is the norm. The path to your business goals is seldom marked, and never direct. Success in this world demands agility and resilience, and relies on its ability to easily adapt and be flexible in a world of uncertain times. An adaptive infrastructure that tightens integration and synchronization between IT resources and business processes while delivering a level of interoperability that supports the requirements for a new infrastructure ecosystem. An adaptive infrastructure delivers virtualized resources as services in response to business process requirements. It scales or redeploys resources quickly and efficiently as the business requires, in a single department or across the entire enterprise. To adapt effectively to change in the business environment, the infrastructure itself must deliver services continuously, secure against attack and threat.
“But continuous, secure operations are more than a step toward somewhere else: they are a destination of their own. It is time to begin the journey toward an infrastructure that can serve as a dependable foundation for your business today, and the engine of quick, smooth adaptation to business requirements in an unpredictable future.
“Businesses build cultures of business continuity by planning, then overcoming everyday threats and obstacles, until continuity is no longer optional but rather is built into the company’s corporate culture. Never complete, the process cycles through analysis, building, integration, management and evolution. With every turn, your business becomes more secure, efficient and agile in its response to both challenge and opportunity.
“The continuity and security of your business are not isolated destinations. Even your first steps will bring you toward a broader, more integrated operational vision. And efficiencies will only improve as employees move together toward common objectives. As you go, the path will get easier. Protecting and organizing information systems helps you pick up speed—moving ahead with new sophistication and efficiency. Your systems will become not just safer, but easier to use and manage - for employees, partners and customers.
“No destination is final, but the journey toward continuous operations brings its own practical, measurable rewards along the way. And with every step, your business grows more resilient, more agile and better prepared to take advantage of the next business change.
“Newer and reinforced regulation such as HIPAA is changing the world of business as we know it. With more of a focus on corporate governance and compliance, business continuity practices and program management have become in most cases, the focus of compliance.
“As more healthcare organizations look to go paperless, recovery and continuity become even more difficult to achieve. Data storage banks are growing at an all-time high and expected to continue as other regulation such as HIPAA, Sarbanes-Oxley and Basel II Accord are rolled out into organizations. Penalties in not complying with regulation may have a higher degree of financial and operational impact to the organization than previous impacts regarding revenue loss and lost production.
“This book helps healthcare professionals crystallize some of the ways companies can comply with HIPAA regulation. The structured approach is easy to follow and conforms to the best practices and standards as presented by DRI International (DRII).”
Belinda Wilson, CBCP
Executive Director
Hewlett-Packard, Business Continuity Services
Vice-Chairperson, DRII
- - - - - -
EXCERPT FROM THE PREFACE
by Daniel Dec, MBA, CISA, CISM
“The Health Care Portability and Accountability Act of 1996, widely known as HIPAA, mandates administrative standards on almost the entire health care industry - a trillion-dollar industry not well known for its administrative efficiency nor for its willingness to collaborate on standards. Nonetheless, it is now a fact of life for health care that HIPAA's designated entities (hospitals, physicians, pharmacies, dentists, health plans and their middlemen) are obligated to establish and maintain new levels of electronic business proficiency.
“The HIPAA transactions and codes standards impose innumerable technical requirements in the search for elusive efficiencies and economies of scale. HIPAA's privacy standards impose duties to protect patient information, while at the same time providing new access to that information. HIPAA's security rule ties the privacy and transaction rules together.
“Through my years of consulting experience including hundreds of clients it is apparent that the level of business continuity and recovery planning in place varies widely. While this process has always been a prudent business practice, it has not been a high priority for many organizations. Not only has the increase in external and internal threats made this process more relevant, but regulation has increased its necessity and it has gained attention in the Board room.
“An effective contingency plan enables a healthcare organization to minimize the effects of a disaster. It helps the organization to address the steps required to preserve the business operations in the event of disruptions due to either natural disasters or human error. Anyone who has been through a disruption will tell you how invaluable a tested recovery plan is during that event.
“While most are apprehensive of government dictating business process, the approach HIPAA takes regarding business continuity and disaster recovery enables individual entities to determine the level of planning and the strategies used. While requiring that plans be put in place, your organization retains the responsibility to determine how and where recovery plans will be instituted. This flexibility enables entities of different sizes and complexities to scale their recovery appropriately and implement safeguards that are suitable.
“Jim's book provides the reader with guidelines, processes and the tools necessary to develop a plan that would be compliant with the HIPAA regulation. I agree with the caution that this is not a cookie cutter project and that significant specific knowledge of the business is required to tailor these processes appropriately thus enabling the production of an effective recovery program.
“In addition, having senior management support for this effort is a critical success factor as this process often ventures into each vital business process of the firm. Executive leadership can demonstrate their commitment in a policy statement and support that policy statement by allocating required resources (human, technical, and financial) in order to complete the business continuity and disaster recovery planning processes.
“Regarding HIPAA, the required implementation specifications include:
- having a data backup plan
- having a disaster recovery plan
- having an emergency mode operation plan
“The addressable implementation specifications include:
- having testing and revision procedures
- having applications and data criticality analysis.
“"Addressable" should not be equated with optional. The "addressable" notation means that your organization can determine the type and level of testing that is appropriate for it. Jim covers these areas as he guides the reader through the steps that can be used to achieve these objectives.
“The critical function that healthcare entities play in our society, its economy, and its ability to deal with catastrophes requires that these entities assess their operations and include "reasonable" recovery plans against reasonably anticipated threats. After the events of September 11, 2001 that threat definition was broadened as never before.
“Just like the Fortune 500 companies, health care businesses must now go beyond planning for strikes and power outages, and plan for that inevitable day when a bomb, a plague, a tornado or some major catastrophe shuts them down. HIPAA also requires significant documentation of your planning process and decisions.
“Capitalizing on James Barnes' planning experience across many settings and many years is a valuable expansion of your planning team's personal horizons. In this book, Mr. Barnes provides the steps, the tools, the core questions and the processes to realistically and systematically analyze potential threats to your operations. He guides you through the process of making the business, economic, political and human decisions necessary to develop the pre-plan you will need both for HIPAA compliance and to implement when a threat actually materializes.
“There is no magic bullet. Business continuity and disaster recovery planning requires hard work and harder decisions; there is no free lunch. But with the aid of this book, you will be in a better position to make the planning, analysis and decision processes more manageable and productive.”
“Daniel Dec, MBA, CISA, CISM, has over 20 years experience in Information Technology and is a former partner with PricewaterhouseCoopers LLP. Today Dan consults with firms regarding their Information Security and Contingency Planning strategies as President of AMLA Resiliency LLC.”
- - - - - -
TABLE OF CONTENTS
CHAPTER I. INTRODUCTION
ABOUT THIS BOOK
CHAPTER II. BUSINESS CONTINUITY PLANNING AND HIPAA
CHAPTER III. PROJECT FOUNDATION
BUSINESS CONTINUITY PLANNING EVALUATION
Plan Management
Business Impact Analysis
Recovery Strategies
Plan Development
Plan Maintenance
Plan Testing
PRE-PROJECT QUESTIONNAIRE
BCP TIMING ESTIMATE
POLICY STATEMENT
DATA REQUESTS
KICK-OFF MEETING
CHAPTER IV. BUSINESS ASSESSMENT
RISK ASSESSMENT
INFORMATION PROTECTION
Protection
Detection
Response
BUSINESS IMPACT ANALYSIS (BIA)
CHAPTER V. STRATEGY SELECTION
COMPUTER CENTER RECOVERY
No Strategy
Relocate, Rebuild, Restore
Hot-site
Hot Site with Electronic Vaulting
Active Recovery Site (Mirrored)
DATA RECOVERY
OTHER COMPONENT RECOVERY
COMMUNICATIONS RECOVERY
Voice Communications
Data Communications
FACILITIES RECOVERY
Structure
Power
STAFF RECOVERY
VENDOR SELECTION
CUSTOMER RELATIONS
PATIENT SERVICES
PLAN STRATEGIES
PLAN FUNDING
CHAPTER VI. PLAN DEVELOPMENT
TEAMS
Emergency Management Team
Recovery Teams
ACTION PLAN BY TEAM
SERVICES PRIORITY ORDER
PROCEDURES TASKS AND SCHEDULES
Recover Telecommunications
Recover Mid-Range Computer
Recover Alternative Processing Sites
Recover Local Area Network And Servers
Recover Wide Area Network
Recover Personal Computers
Incident Response
Recover Facility
Recover Off-site Records & Documentation
Replace Staff
Recover Office Furniture
Recover Office Equipment
Provide Human Comforts & Support
Maintain Media Relations
Maintain Customer Relations
Disperse Patients
RESOURCE ITEM MATRIX
DOCUMENTATION RULES
CHAPTER VII. TESTING AND MAINTENANCE
TESTING
MAINTENANCE
APPENDIX 1 - SURVEY RESULTS
APPENDIX 2 - SAMPLE BIA MANAGEMENT SUMMARY REPORT
APPENDIX 3 - REQUEST FOR PROPOSAL
APPENDIX 4 - VENDOR LISTING
APPENDIX 5 - TEST PLAN EXAMPLE
APPENDIX 6 - GLOSSARY
- - - - - -
EXCERPT FROM THE INTRODUCTION
“On August 21, 1996 the Health Insurance Portability & Accountability Act (HIPAA) became a law. The purpose of this act is to provide US citizens with better access to health insurance, limit fraud, and reduce healthcare companies' administrative costs. At the highest level, HIPAA is a set of government-mandated standards for business to business healthcare e-commerce. It mandates standard electronic transactions with standard code sets using standard identifiers in a secure environment.
“HIPAA is the result of the convergence of healthcare cost pressures, available web technologies, and growing demands by consumers. By enacting this legislation, congress has established a standard basis or framework for the healthcare industry to embrace the economies of e-business.
“Within HIPAA are five primary components identified as Titles I, II, III, IV, and V. Title II, or Administrative Simplification, is the component of HIPAA containing, among other elements, the requirement for business continuity planning. The breakdown of the HIPAA components is as follows:
- Title I guarantees health insurance access, portability, and renewal. It eliminates some pre-existing condition exclusions. It prohibits discrimination based on health status. It guarantees coverage renewal.
- Title II prevents health care fraud and abuse, promoting administrative simplification. Within Title II are fraud and abuse controls, procedures for administrative simplification, and medical liability reform.
- Title III addresses medical savings accounts and health insurance tax deductions for self-employed individuals.
- Title IV provides for the enforcement of group health plan provisions.
- Title V addresses revenue offset provisions.
What has caused HIPAA to occur at this point in time? In 1991, it was estimated that one quarter of the total cost of healthcare was attributable to the cost of administration. In 1995, over 5 billion claims a year were filed in the US with less than 20% submitted electronically. Over 400 different formats are used to file electronic claims. By streamlining this process, it is estimated that $9 billion annually could be saved without impacting the quality of care. The time had come when these economic forces could not be ignored.
HIPAA is the most sweeping legislation to affect the health care industry in over 30 years. It is anticipated that large health plans will have to spend $50 to $200 million to become HIPAA compliant. Nearly everyone in healthcare will need to comply: payers, employers, providers, clearinghouses, healthcare information systems vendors, billing agents, and service healthcare organizations.
Who is affected? The answer is health plans, providers, health care clearing houses, and some others. Health plans include individual or group plans that provide or pay the cost of medical care. It also includes employers who self-insure. Providers include a provider of medical or other health services and any other person furnishing health care services or supplies. Health care clearing houses are public or private entities that process or facilitate the processing of nonstandard data elements of health information into standard data elements. Finally, the "other" category which includes employers who want to do data mining and pharmaceutical companies that conduct clinical research.”
- - - - - -
ABOUT THE AUTHOR
JIM BARNES received an early introduction to check-listed emergency operating procedures as a commander of an ICBM launch crew in the Air Force's Strategic Air Command. While in the Air Force, Jim received a Master's degree in Economics which led him into being a bank economist when he left the service. This economics and financial background has forged a view of business continuity planning that is more business than technically oriented.
Jim has over 15 years of extensive experience in Business Continuity Planning. He was in charge of designing Business Continuity Planning software which was marketed and used internationally. Most recently, Jim assisted in the design of a Business Continuity Certification course which he taught to "Big Four" consultants in Europe, South America, and the United States. Jim has written over 300 Business Continuity Plans most of which were for Health Services "Payer" institutions and for Financial Institutions. Jim has completed and has published, "A Guide to Business Continuity Planning", "E-Commerce Security-Business Continuity Planning: A Technical Reference Guide", and has written "The Linchpin to Successful Business Continuity Planning" in the Fall, 2003 Disaster Recovery Journal.
Jim is the founder and CEO of Barnes Continuity Planners, Inc. (BCP, Inc), a consulting firm that assists client companies with business continuity planning. BCP, Inc. specializes in creating recovery plans, recovery strategies, and institutionalizing continuity management within an organization's culture. Jim is a Certified Recovery Planner and a Member of the Business Continuity Institute.
- - - - - -
Published by Rothstein Associates Inc.
ISBN #1-931332-25-8
2004, 240 pages (est.). Order #DR733.
- - - - - -
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104 USA
1-888-ROTHSTEIN (888.768.4783)
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401