Q&A: Securing PHI during natural disaster or power outage
Q: The recent hurricanes (in 2019) around Florida have reminded us we need to prepare for physical disasters. What are some good ways to secure PHI when we know we've got weather that can potentially physically destroy buildings and potentially do damage to things like servers?
A: First, you need to make sure you have a solid disaster recovery plan (DRP) and business continuity plan (BCP). Also, the plan should be tested at least annually.
The time to test your DRP and BCP is not when the disaster hits. It’s wise to provide training regarding what staff are required to do in the event of a disaster, especially if they are on the DRP and/or BCP team.
In an ideal world, you would establish a hot site—another technical environment that you can immediately cut over to in the event of a disaster or outage. The hot site should also be located outside of the geographic region where your primary facility and your production IT assets are located. For better or worse, hot sites are not always practical because of the cost associated with setting up and maintaining one.
You can think of it this way—you almost need to set up another technical environment that is the same as your production environment with all of the needed servers, appliances, and applications. Even if your IT infrastructure is in the cloud, there is still a significant cost to setting up a hot site.
You can also set up a warm site, which is an equipped data center, but no data has been loaded on servers or devices. That is less costly but still a significant investment.
When costs are too prohibitive, at the very least you need to include in your DRP a list of vendors that can ship on short notice the servers and other appliances you will need to set up to recover your production environment. Keep in mind that if someone out there is larger than you, such as a larger hospital or a big corporation, they are likely to be supplied with hardware sooner than you will.
You need to make sure your backup media is stored off-site, preferably outside of your geographic region. It needs to be secured and, preferably, encrypted. The off-site location to store backup media should be selected and set up prior to any disasters or significant storms.
If you try to do that when a storm is predicted, as an example, you may find you don’t have the time or can’t find a ready vendor to quickly set up your backup site.
Finally, if you still rely on paper, you may well be out of luck, at least for the paper that’s involved. The more paper there is, the lower the likelihood that you will make an exact copy of the paper and transport it to an alternate location for storage.
Editor’s note: Chris Apgar is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Kevin Duffy at kduffy@hcpro.com.