Risk: Lack of procedures and contingency plans in the event of an emergency
Explanation: In the event of an emergency, a well defined contingency plan helps the team to allow for data restoration in addition to providing physical security. A contingency plan is usually used when there is an emergency, for example when there is an outage. During the crisis it is important that the doctors still have access to ePHI so that the quality of care is not compromised.
Major Mitigation: Based on the size of the physician’s practice, the contingency plans in place may vary. For small doctor’s offices, the whole staff may need to be involved in restoration. In the case of large physician practices, authorized personnel may need to be accompanied into the buildings by guards.
A contingency plan should be in place that ensures the right people have access to where the PHI is physically housed. This would mean that there needs to be procedures and processes that are well established so that in the case of an emergency, authorized people that have access can retrieve the PHI or even make a back up copy of the PHI data. For example, this can mean bringing up the application in another data center if the primary data center housing the application becomes inaccessible. This should be done so that the physician’s have uninterrupted access to their patient’s PHI even in the event of an emergency.
Success Criteria: Periodic third party audits of contingency plans and mock emergency drills can help ensure that this risk has been taken care of.