Health Information Management

Revisit disaster recovery now to avoid future problems

HIM-HIPAA Insider, February 6, 2007


Editor's note: This article is the first in a two-part series. Don't miss next week's issue of HIM Connection to read about Providence Hospital's disaster recovery plan.

Two hospitals share their Katrina experience
The security rule requires that you develop a disaster recovery plan to protect and recover systems that store personal health information (PHI) and restore operations during a disaster. You must back up data so that you can recover it when necessary and create policies and procedures to protect the security and privacy of PHI during an emergency. HIPAA has always required these measures, but recent disasters (e.g., Hurricane Katrina) have focused attention on the critical need to protect PHI and maintain business continuity during an emergency. The problem is that these plans tend to become bureaucratic and unwieldy and, in the face of real chaos, they may be unworkable.

"Think about the streamlined disaster recovery plan," said Linda Reino, chief information officer for Universal Health Services, which operated several facilities in New Orleans during Hurricane Katrina. Reino spoke about her experiences during the American Health Information Management Association's 78th Convention and Exhibit. "In the middle of the disaster, you're not going to pick up the 12-inch binder. Make sure you have the resources to do what you're really going to need to do."

Expect the unexpected
Unfortunately for your disaster recovery plan, disasters don't follow a set script. For example, most hospitals plan to discharge as many noncritical patients as possible in advance of a major hurricane to free beds and reduce the need for an evacuation. Although Universal reduced its patient census in advance of the storm, the census climbed back up by the time Katrina made landfall. This is because many chronically ill patients and healthy local residents from surrounding neighborhoods evacuated not to special needs shelters, as directed, but to local hospitals.

Be ready for this influx, Reino advised. By the time Katrina hit, Universal had created a data center for all of its hospitals at the corporate offices in Pennsylvania. This enabled them to set up four groupware databases to track patients and critical health data the morning after the storm. Universal also worked quickly with local telephone companies to divert all of its New Orleans phone lines to the corporate office, enabling staff to handle the influx of calls. This was critical, as Chalmette Medical Center was completely submerged after the levees broke, and patients from Methodist Hospital also were evacuated.


  • Problem: In the chaos of the evacuation, patients flew all over the country, leaving Universal with no way to know where they ended up.

    Solution: Universal set up a simple log to take calls from family members looking for relatives and deployed phone bank staff to call shelters and facilities nationwide to find patients. "We had to work lightning fast," said Reino. "This was a moment in time when you needed to keep it simple."


  • Problem: When Reino called facilities for information about patients, she found that some refused to cooperate because of concerns about HIPAA.

    Solution: Reino faxed copies of a special Department of Health and Human Services bulletin (available here) that outlined permissible disclosures under HIPAA to reassure facilities that they could cooperate in reuniting families and supplying critical health information to healthcare providers.

The disaster also forced Reino to find alternative methods of communication, as land lines and cell phones were unreliable. She used satellite phones and text messaging to communicate with staff stranded on the facility's rooftop. Web and e-mail access also proved more reliable than phone service, but required constant staff monitoring to pick up urgent communications around the clock. "Think lean-mean communications," Reino explained. "If you don't have a satellite phone at your facility, you need to get one. They're not that expensive, and at the end of the day it was the only reliable form of communication."

Editor's note: The above article was adapted from the newsletter Briefings on HIPAA. For more information or to order, call 877/727-1728 or go to
