HIPAA & DISASTER RECOVERY PLANS
Organizations such as yours may have experienced recent outages to some key financial, clinical or other systems. A Business Impact Analysis (BIA), along with an organization’s Contingency Plan and Disaster Recovery Plan, is critical to planning proactively for the continuance of vital healthcare and financial operations in the event of a disaster or other catastrophic event. Not only are they important, regulations such as HIPAA require them! For example, in the area of finance, organizations should develop and test downtime procedures for critical processes such as:
- Payroll
- Accounts Payable
- Supply Chain
- Revenue Cycle
The development of downtime procedures requires planning sessions to collect vital information. Planning sessions are typically conducted to identify all supported processes and subsequent functions in each area. This may include manual processes, electronic processing, and/or third-party services. Questionnaires are typically developed to collect detailed information about downtime processes. Have you identified all of the processes and functions your Finance Department is responsible for? Could you list them in the event of a system downtime? Do you know what system interdependencies you currently have? These vital pieces of information can be mapped and documented by ecfirst.
Your organization must ensure that a list of reasonably anticipated risks for each process is identified and documented. Further, you need to establish a list of the estimated likelihood of each reasonably anticipated risk. Organizations should also document the risk management methodologies or mitigations they currently have in place, if known and available. Risks that have no current or envisioned risk management methodologies should be identified and documented as part of the gap analysis.
Has your organization developed detailed downtime procedures for all critical systems and applications identified in the BIA?
Contact ecfirst to Discuss Development of Downtime Policies, Technical and Departmental Procedures, Forms, and Tools. Consider the value of Process Mapping to your organization’s critical Departments and functions. Contact Steve.Ferrick@ecfirst.com or call 1.877.899.9974 x14 to discuss your requirements for developing comprehensive downtime procedures for critical financial and clinical applications and systems. ecfirst has significant experience helping healthcare organizations conduct a Business Impact Analysis (BIA) and develop contingency plans, disaster recovery plans, and detailed downtime procedures.
CERTIFIED SECURITY COMPLIANCE SPECIALIST (CSCS) PROGRAM
To attend the only certification program in the industry that addresses PCI DSS, ISO 27001/27002, HIPAA, FISMA, and other information security regulations, please visit the website, www.ecfirst.com, and click on the CSCS Program. The CSCS Program is presented by compliance and cyber security experts. The CSCS Program is offered in several cities across the USA. Check the schedule online at www.ecfirst.com, or bring the program on-site and have it tailored for your environment.
MANAGED SERVICES COMPLIANCE PROGRAM (MCSP) FOR HIPAA
For more information about our Managed Compliance Services Program (MCSP) and other security consulting solutions, including development of a proposal for addressing your compliance requirements, please contact John Schelewitz at 1.480.663.3225 or at John.Schelewitz@ecfirst.com.
HEALTHCARE EXPANSION CONGRESS MIDDLE EAST PRESENTATION May 26-27 in Abu Dhabi: ARE MEDICAL RECORDS AT RISK?
The risk to medical records is emerging in Middle Eastern countries such as the UAE, which recently launched its new health information system, Wareed. Wareed will automate all healthcare processes and link all 14 UAE public hospitals and 68 affiliated clinics via an online network by 2011. Doctors and nurses will have access to each patient’s record, while patients will be able to view their own records online. Ali Pabrai, an expert on security and compliance, presents the rising risk to organizations from vulnerabilities in the enterprise and new mandatory regulatory requirements.