Implementing Stages of Meaningful Use

With the release of the final Stage 2 Meaningful Use regulations, CMS issued a press release on Stage 2 that, among other things, attempted to clarify when practices that implement an EHR will need to comply with which stage of the regulations.  At the beginning of the incentive program, there was some concern that practices that delayed EHR adoption might have to jump right to a later stage of meaningful use to obtain any incentive money.  The following chart describes the current phased-in approach, keyed to when a practice first adopts an EHR and when that practice has to demonstrate which stage of meaningful use.

As you can see, for practices that decide to adopt an EHR in 2013, the individual eligible providers will be able to demonstrate compliance with the Stage 1 criteria in both 2013 and 2014, delaying the Stage 2 criteria to 2015.  Readers should note that Medicare eligible providers that delay implementing an EHR until 2015 will not be eligible for any incentive dollars; instead they will just be staving off the proposed Medicare reimbursement cuts of 1% per year (up to 5%) by adopting an EHR.  See § 495.211.  For Medicaid eligible providers, the last year one might adopt an EHR and still receive any incentive payments is 2017 (though such a provider would not have to meet the Stage 2 criteria until 2019).  See § 495.310.

Comparing Meaningful Use Stage 1 and Stage 2 Criteria

In an earlier post, I had analyzed side by side the final Stage 1 criteria for achieving meaningful use to the interim Stage 2 criteria that will be phased in starting in 2014.  Following that analysis, HHS released the final Stage 2 criteria.  As a result, the comparison has changed a bit from my post earlier this year.  The following two tables analyze the final Stage 1 Core and Menu Criteria in comparison to the same for the final Stage 2 criteria.

A few highlights on what changed between the interim and final Stage 2 criteria follow.  First, several of the final Stage 2 criteria reduced the compliance metrics from what was proposed in the interim Stage 2 criteria.  See 495.6(j)(1), (j)(2), (j)(13), (j)(14) and (j)(17), discussed in the section on the final regulations below.

However, a few of the Stage 2 criteria metrics were changed to include additional requirements for compliance, which might present a curve ball for those of you planning on obtaining compliance with these.  For example, in the final Stage 2 regulation, the criterion on patient access to health information has an added metric that 5% of patients actually download information made available electronically by the provider.  You may want to contact your information systems vendor to determine whether the portal you are implementing can report this figure, as the underlying data may not be collected and stored in a way that allows a compliance report to be generated.

In addition, a new Menu criterion was added in the final Stage 2 regulations, found at 495.6(k)(6).  Here, a practice could elect to enter patient chart information as structured data; the metric requires that 30% of patients that are seen during the reporting period have data entered in this manner.  As a practical matter, many EHR systems today will store documented patient information as structured data where the patient visit is documented electronically as a part of the patient visit.  This might be an easy Menu criterion to comply with (as you need to pick three of the six total criteria in the final Stage 2 regulations).

Table 1 – Core Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

Eligible Providers must meet all of the Core Criteria to Qualify for the Incentives.  Stage 1 had 15; Stage 2 has 17.  Stage 1 meaningful use Core Criteria are found in section 495.6(d) for eligible providers.  Stage 2 meaningful use Core Criteria are found in section 495.6(j) for eligible providers.

| Core Criteria for EP (Subsections (d), (j)) | Stage 1 Metric | Stage 2 Metric |
|---|---|---|
| § 495.6(j)(1) – provider use of CPOE for medication, lab, and radiology orders [§ 495.6(d)(1)] | 30% of orders | 60% of medication orders; 30% of lab and radiology orders |
| § 495.6(d)(2) – drug-drug and drug-allergy checking | Enabled during period | Subsumed into the decision support criterion, § 495.6(j)(6); same metric |
| § 495.6(d)(3) – maintain up-to-date problem list | 80% of patients | Subsumed into transition of care requirement |
| § 495.6(j)(2) – electronic prescriptions [§ 495.6(d)(4)] | 40% of Rx | 50% of Rx |
| § 495.6(d)(5) – active medication list | 80% of patients | Subsumed into transition of care requirement |
| § 495.6(d)(6) – active allergy list | 80% of patients | Subsumed into transition of care requirement |
| § 495.6(j)(3) – demographics [§ 495.6(d)(7)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(j)(4) – vital signs [§ 495.6(d)(8)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(j)(5) – smoking status [§ 495.6(d)(9)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(d)(10) – reporting clinical quality measures to CMS or State | Successful testing | Not a separate criterion; CQM submission required |
| § 495.6(j)(6) – decision support [§ 495.6(d)(11)] | Implement 1 decision support intervention | Implement 5 decision support interventions |
| § 495.6(j)(7) – lab results as structured data [§ 495.6(e)(2)] | Was Menu in Stage 1; 40% of all lab results | 55% of all lab results |
| § 495.6(j)(8) – patient lists by specific condition for QI [§ 495.6(e)(3)] | Was Menu in Stage 1; at least 1 list | At least 1 list |
| § 495.6(j)(9) – patient reminders [§ 495.6(e)(4)] | Was Menu in Stage 1; 20% of patients sent a reminder during period | 10% of patients seen in last 2 years receive a reminder |
| § 495.6(j)(10) – patient electronic access to health information [§ 495.6(e)(5)] | Was Menu in Stage 1; 10% of patients receive timely access | 50% of patients receive timely access and 5% actually download information |
| § 495.6(j)(11) – clinical summaries at patient visit [§ 495.6(d)(13)] | 50% receive summary from office visit | 50% receive summary from office visit |
| § 495.6(j)(12) – patient education resources [§ 495.6(e)(6)] | Was Menu in Stage 1; 10% of patients receive education resources | 10% of all office visits |
| § 495.6(j)(13) – medication reconciliation for transition of care [§ 495.6(e)(7)] | Was Menu in Stage 1; 50% of transitions have reconciliation | 50% of transitions of care have medication reconciliation |
| § 495.6(j)(14) – care summary prepared by provider for patients transitioned to another provider’s care [§ 495.6(e)(8)] | Was Menu in Stage 1; 50% of transitions have care summary | 50% of transitions of care have patient summary; 10% of transitions must involve electronic exchange of data |
| § 495.6(j)(15) – capability to submit electronic data to immunization registry [§ 495.6(e)(9)] | Was Menu in Stage 1; perform 1 test to registry | Ongoing submission of data to registry during CY |
| § 495.6(j)(16) – security risk assessment under HIPAA security regulations [§ 495.6(d)(15)] | Conduct security assessment | Conduct security assessment |
| § 495.6(j)(17) – use electronic messaging to communicate with patients | N/A | 5% of patients seen during period receive a secure message from provider |
| [§ 495.6(d)(14)] – capability to exchange key clinical information among care providers and patients | One test of exchange | N/A |
| [§ 495.6(d)(12)] – provide patients an electronic copy of their health information on request | 50% within 3 business days of request | N/A |

Table 2 – Menu Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

In Stage 1, EP had to meet 5 out of 10 Menu Criteria to qualify.  In Stage 2, EP must meet 3 out of the 6 Menu Criteria to qualify.  Stage 1 meaningful use Menu Criteria are found in section 495.6(e) for eligible providers.  Stage 2 meaningful use Menu Criteria are found in section 495.6(k) for eligible providers.

| Menu Criteria for EP (Subsections (e), (k)) | Stage 1 Metric | Stage 2 Metric |
|---|---|---|
| § 495.6(k)(1) – access to imaging results in EHR | N/A | 10% of imaging results in EHR |
| § 495.6(k)(2) – patient family health history in structured data | N/A | 20% of all patients seen |
| § 495.6(k)(3) – capability to submit syndromic surveillance data to public health agency [§ 495.6(e)(10)] | Was Menu in Stage 1; perform 1 test to registry | Successful ongoing submission of data for period |
| § 495.6(k)(4) – capability to identify and report cancer cases to State cancer registry | N/A | Successful ongoing submission of data for period |
| § 495.6(k)(5) – capability to report to a specialized registry (other than cancer) | N/A | Successful ongoing submission of data for period |
| § 495.6(k)(6) – record electronic notes in patient records | N/A | 30% of patients seen during the reporting period |
| [§ 495.6(e)(1)] – implement drug formulary checking | Enable functionality | Moved to Core / decision support |
| [§ 495.6(e)(2)] – lab results as structured data | 40% of lab results are structured data | Moved to Core |
| [§ 495.6(e)(3)] – generate lists by specific conditions | 1 reporting list | Moved to Core |
| [§ 495.6(e)(4)] – send reminders to patients for follow-up care | 20% of patients | Moved to Core |
| [§ 495.6(e)(5)] – provide patients with timely access to health information | 10% of patients have electronic access | Moved to Core |
| [§ 495.6(e)(6)] – use EHR for patient education | 10% of patients | Moved to Core |
| [§ 495.6(e)(7)] – incoming transition of care to EP: medication reconciliation | 50% of patients have medication reconciliation | Moved to Core |
| [§ 495.6(e)(8)] – outgoing transition of care from EP: care record summary | 50% of patients have care summary | Moved to Core |
| [§ 495.6(e)(9)] – immunization registry | 1 certified test | Moved to Core |

Final Stage 2 Meaningful Use Regulations

The final version of the Meaningful Use regulations, including the final Stage 2 requirements, was published at the end of August.  A copy of the full regulations can be found here: 2012-21050 (you can also get these from the Federal Register’s web site; the final regulations were published there on September 4, 2012).  The final Stage 2 regulations are similar to the interim regulations that were published earlier this year (and discussed in this post).  However, the final regulations made some changes from the interim regulations to what’s in store for providers trying to obtain their incentive payments.  This article briefly covers those changes.

Core Criteria Changes

First, the Stage 2 metrics for certain Core criteria were reduced from the interim regulation targets.  For example, for provider use of computerized order entry (§ 495.6(j)(1)), the interim Stage 2 regulations required that 60% of all orders be entered electronically.  The final regulations soften this so that 60% of medication orders must be electronic, leaving the target for lab and radiology orders at 30%, where it had been under Stage 1.  Also, the interim Stage 2 target for electronic prescriptions was 65% of all prescriptions (up from 40% in Stage 1).  In the final Stage 2 regulation, the metric has been reduced to 50%.

There was also a reduction in the final Stage 2 metrics for the (j)(13) and (j)(14) requirements for patients whose care transitions.  The interim Stage 2 regulations set a metric of 65% of transitions of care having a medication reconciliation performed and, for outgoing transitions, 65% having a care summary prepared by the provider for the receiving provider.  The final regulations reduce both metrics to 50%, where they stood when these were Stage 1 Menu criteria.

The final regulations also reduced the target metric for the criterion for using electronic messaging to communicate with patients in (j)(17).  The interim regulations had set the metric at 10%; the final regulations reduce this to 5%.

However, there are other changes that may pose some dilemmas for providers.  The interim Stage 2 core criterion include one for patient electronic access to health information.  This originally was a Stage 1 Menu criterion; it becomes a core criterion in Stage 2.  The metric in the interim Stage 2 regulation was that 50% of patients receive timely access to information in their chart (up from 10% in Stage 1).  However, in the final Stage 2 regulation, there is a second aspect to the metric – namely, that 5% of patients actually download information made available to them.  It is not clear how this will be measured by the software, and it is also not clear how providers will cause patients to download the data made available to them.

An additional metric was added to (j)(14) between the interim and final Stage 2 regulations.  Not only must 50% of patients have a care summary prepared by the provider as part of the transition of care, but 10% of these transitions must involve the electronic exchange of data between the two providers.  This core requirement will tend to incentivize referral patterns between providers that are able to send and receive electronic data between them or through regional health information exchanges.  As a result, those that are unable to participate in such exchanges will become increasingly isolated.

Menu Criteria Changes

There were also two changes in the Menu criteria between the interim and final Stage 2 regulations.  First, the target metric for the first menu criterion, access to imaging results in the EHR, was reduced to 10% in the final regulations from 40% in the interim regulations.  Second, a new menu criterion was added to encourage providers to document notes as structured data within the EHR system, with the metric set at 30% of patients seen during the period.

Comparing Meaningful Use Stage 1 and Stage 2

The following two tables compare the Stage 1 and Stage 2 meaningful use criteria under the Meaningful Use proposed/interim regulations that were issued last month.  These tables illustrate some of the changes to the existing criteria, and also the changes in the metrics for the measures (generally increasing the compliance rate required to continue to qualify for the incentive payments).

Table 1 – Core Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

Eligible Providers must meet all of the Core Criteria to Qualify for the Incentives.  Stage 1 had 15; Stage 2 has 17.  Stage 1 meaningful use Core Criteria are found in section 495.6(d) for eligible providers.  Stage 2 meaningful use Core Criteria are found in section 495.6(j) for eligible providers.

| Core Criteria for EP (Subsections (d), (j)) | Stage 1 Metric | Stage 2 Metric |
|---|---|---|
| § 495.6(j)(1) – provider use of CPOE for medication, lab, and radiology orders [§ 495.6(d)(1)] | 30% of orders | 60% of orders |
| § 495.6(d)(2) – drug-drug and drug-allergy checking | Enabled during period | N/A |
| § 495.6(d)(3) – maintain up-to-date problem list | 80% of patients | N/A |
| § 495.6(j)(2) – electronic prescriptions [§ 495.6(d)(4)] | 40% of Rx | 65% of Rx |
| § 495.6(d)(5) – active medication list | 80% of patients | N/A |
| § 495.6(d)(6) – active allergy list | 80% of patients | N/A |
| § 495.6(j)(3) – demographics [§ 495.6(d)(7)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(j)(4) – vital signs [§ 495.6(d)(8)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(j)(5) – smoking status [§ 495.6(d)(9)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(d)(10) – reporting clinical quality measures to CMS or State | Successful testing | N/A |
| § 495.6(j)(6) – decision support [§ 495.6(d)(11)] | Implement 1 decision support intervention | Implement 5 decision support interventions |
| § 495.6(j)(7) – lab results as structured data [§ 495.6(e)(2)] | Was Menu in Stage 1; 40% of all lab results | 55% of all lab results |
| § 495.6(j)(8) – patient lists by specific condition for QI [§ 495.6(e)(3)] | Was Menu in Stage 1; at least 1 list | At least 1 list |
| § 495.6(j)(9) – patient reminders [§ 495.6(e)(4)] | Was Menu in Stage 1; 20% of patients sent a reminder during period | 10% of patients seen in last 2 years receive a reminder |
| § 495.6(j)(10) – patient electronic access to health information [§ 495.6(e)(5)] | Was Menu in Stage 1; 10% of patients receive timely access | 50% of patients receive timely access |
| § 495.6(j)(11) – clinical summaries at patient visit [§ 495.6(d)(13)] | 50% receive summary from office visit | 50% receive summary from office visit |
| § 495.6(j)(12) – patient education resources [§ 495.6(e)(6)] | Was Menu in Stage 1; 10% of patients receive education resources | 10% of all office visits |
| § 495.6(j)(13) – medication reconciliation for transition of care [§ 495.6(e)(7)] | Was Menu in Stage 1; 50% of transitions have reconciliation | 65% of transitions of care have medication reconciliation |
| § 495.6(j)(14) – care summary prepared by provider for patients transitioned to another provider’s care [§ 495.6(e)(8)] | Was Menu in Stage 1; 50% of transitions have care summary | 65% of transitions of care have patient summary |
| § 495.6(j)(15) – capability to submit electronic data to immunization registry [§ 495.6(e)(9)] | Was Menu in Stage 1; perform 1 test to registry | Ongoing submission of data to registry during CY |
| § 495.6(j)(16) – security risk assessment under HIPAA security regulations [§ 495.6(d)(15)] | Conduct security assessment | Conduct security assessment |
| § 495.6(j)(17) – use electronic messaging to communicate with patients | N/A | 10% of patients seen during period receive a secure message from provider |
| [§ 495.6(d)(14)] – capability to exchange key clinical information among care providers and patients | One test of exchange | N/A |
| [§ 495.6(d)(12)] – provide patients an electronic copy of their health information on request | 50% within 3 business days of request | N/A |

Table 2 – Menu Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

In Stage 1, EP had to meet 5 out of 10 Menu Criteria to qualify.  In Stage 2, EP must meet 3 out of the 5 Menu Criteria to qualify.  Stage 1 meaningful use Menu Criteria are found in section 495.6(e) for eligible providers.  Stage 2 meaningful use Menu Criteria are found in section 495.6(k) for eligible providers.

| Menu Criteria for EP (Subsections (e), (k)) | Stage 1 Metric | Stage 2 Metric |
|---|---|---|
| § 495.6(k)(1) – access to imaging results in EHR | N/A | 40% of imaging results in EHR |
| § 495.6(k)(2) – patient family health history in structured data | N/A | 20% of all patients seen |
| § 495.6(k)(3) – capability to submit syndromic surveillance data to public health agency [§ 495.6(e)(10)] | Was Menu in Stage 1; perform 1 test to registry | Successful ongoing submission of data for period |
| § 495.6(k)(4) – capability to identify and report cancer cases to State cancer registry | N/A | Successful ongoing submission of data for period |
| § 495.6(k)(5) – capability to report to a specialized registry (other than cancer) | N/A | Successful ongoing submission of data for period |
| [§ 495.6(e)(1)] – implement drug formulary checking | Enable functionality | N/A |
| [§ 495.6(e)(2)] – lab results as structured data | 40% of lab results are structured data | Moved to Core |
| [§ 495.6(e)(3)] – generate lists by specific conditions | 1 reporting list | Moved to Core |
| [§ 495.6(e)(4)] – send reminders to patients for follow-up care | 20% of patients | Moved to Core |
| [§ 495.6(e)(5)] – provide patients with timely access to health information | 10% of patients have electronic access | Moved to Core |
| [§ 495.6(e)(6)] – use EHR for patient education | 10% of patients | Moved to Core |
| [§ 495.6(e)(7)] – incoming transition of care to EP: medication reconciliation | 50% of patients have medication reconciliation | Moved to Core |
| [§ 495.6(e)(8)] – outgoing transition of care from EP: care record summary | 50% of patients have care summary | Moved to Core |
| [§ 495.6(e)(9)] – immunization registry | 1 certified test | Moved to Core |

Maryland EHR Incentives

I’m willing to bet you didn’t know about Maryland’s best kept EHR incentives secret: namely, six private insurers will pay up to $15,000 each to each Maryland practice that implements an EHR before 2014.  Here are some details about the program and where you can find further information about it.

There are six insurers that participate in this incentives program: Aetna, CareFirst, Cigna, Coventry, Kaiser Permanente, and United Healthcare.  Each insurer will pay up to $15,000 in two parts to participating providers.  Half the incentive is calculated based on the total number of Maryland patients either assigned to the practice as a PCP, or at $8 per member for each Maryland insured seen by the practice in the last 24 months.  So, if in two years, you treat 938 members of one of the six insurers, you can maximize the first part of the incentive payment.  The other half of the incentive is based on your ability to meet one of the following three criteria: (a) sign up with a state MSO, (b) demonstrate advanced use of your EHR, or (c) participate in a quality improvement initiative with the insurer.

To obtain the incentive payments, you first file an Incentive Application with the appropriate private insurer prior to December 21, 2014.  The insurer will then acknowledge your application.  Six months after the application, you submit a Payment Application to the insurer, which will adjudicate the claim within 60 days and make your incentive payment.  These incentives are paid per practice (rather than per individual physician or provider); they are in addition to any federal incentive payments your practice may qualify to receive from CMS under the Medicare or Medicaid programs through the HITECH Meaningful Use incentives.

You can read more about this on the MHCC web site here.

Meaningful Use Stage 2 Regulations Released

The Meaningful Use Stage 2 proposed rule was released earlier this week.  You can download a copy of the full 455 page regulation here: MU Stage 2 Proposed Rule.  For those keeping score at home, there are three stages of “meaningful use” as that term is defined in section 495.6 of the regulations.  Stage 1 set certain Core (required) and Menu (pick from the list to implement) Criteria, and established minimum compliance metrics for an “eligible professional” to qualify for the federal incentives.  The original regulations that defined “meaningful use” indicated that there would be future changes to the definition in two more stages.  We initially expected Stage 2 to be defined for compliance in 2013.  However, the regulations have pushed out compliance for Stage 2 to 2014.  This article will take a look at what’s been proposed for Stage 2.

First off, there are more “Core” or required Criteria in Stage 2.  Stage 1 had a total of 15 Core Criteria, some of which any certified electronic health record would have to meet (such as collecting certain demographic and vital signs data for patients seen in the office).  In addition, there were several Core criteria that, when originally published, no one had yet defined how you might actually comply with.  For example, there is a Core Criterion in Stage 1 requiring providers to submit certain quality data to either CMS or their State Medicaid program.  But when the regulations were published, no one had indicated what data, exactly, or how this data was to be provided.  The metric in Stage 1 was merely the ability to submit a test file.

Stage 2 has 17 total Core Criteria.  In several cases, CMS has proposed to terminate a prior Stage 1 Core item entirely in Stage 2.  And in a number of cases, Criteria that were previously on the “Menu” in Stage 1 are now incorporated as Stage 2 Core Criteria.  For example, structured lab data, patient lists by specific condition for use in a quality improvement initiative, patient reminders, patient access to electronic health information, patient education resources, medication reconciliation for transition of care, care summary for patients transitioned to another provider, and data submission to an immunization registry were all Menu Criteria in Stage 1 and are now Core Criteria in Stage 2.

Also, where a Stage 1 Criterion was kept, the minimum compliance percentage has increased, in some cases substantially, in Stage 2.  For example, where a 50% compliance rate was sufficient in Stage 1 for collecting patient smoking status, in Stage 2 the minimum compliance rate is 80%.  In Stage 1, a single decision support rule needed to be implemented for compliance.  In Stage 2, five such rules must be implemented.

As for the Menu Criteria, Stage 1 required that you implement 5 of the 10 on the list as an eligible provider.  In total, therefore, a provider had a total of 20 Criteria that had to be met to achieve meaningful use.  In Stage 2, there are only 5 menu criteria, and the provider must meet at least three.  So the total number of required criteria is no different, but providers have fewer menu criteria to choose to comply with.  In addition, the Menu Criteria in Stage 2 include three interfaces with specific state or public health registries, and the remaining two involve access to imaging results in the EHR and storing family health history in a structured data format.  You may be able to waive out of some of these if there isn’t a way in your state to submit surveillance or other registry data electronically.  However, if you elect to implement one of these interfaces, the compliance requirement under Stage 2 is full year data submission to the registry (not just submitting a test file).  If you plan on doing one of these, start early to make sure you can get to the compliance target by 2014.

Overall, Stage 2 appears to “up the game” for providers who wish to continue to receive incentive payments in the out years of the program.  The Stage 2 rules that were published this week are interim rules.  The public has 60 days to submit comments.  After that, CMS will ultimately publish a final rule, taking into account comments made during the comment period.  While it is possible that CMS may back down on some of these measures, providers should plan to comply with much of this Rule.  Talk with your EHR vendor, consultant, MSO or other service providers to analyze and plan for compliance.

Preparing for Disasters – Practical Preparedness

Disasters happen in the world, some of which may directly affect your organization.  Preparing for disasters, whether they be hurricanes, tornadoes, terrorists, hackers, power outages, fires, or earthquakes, means thinking about: (a) how your business operates today, (b) how your business would likely operate in the event of a disaster, (c) and developing some kind of testable plan for recovering from a variety of disasters that is practical but well-designed.  Preparedness is also a commitment to ongoing planning and the investment of a certain amount of resources each budget period to the process, because your plan will evolve with the extent and scope of your business as it changes over time.

In Maryland, there are no specific ethics rules that require lawyers to prepare for disasters, though common sense tells an attorney that a deadline missed because of a disaster is still a missed deadline, and the loss or inadvertent disclosure of confidential client information is still a loss whether caused by a natural disaster or by simple human error.  Either circumstance can lead to an ethics complaint from a disgruntled client.  For attorneys, a number of resources are available from the ABA to help firms do a better job of preparing for a disaster.

Doctors’ offices that are joining the electronic health record revolution because of the incentives under ARRA also need a plan for disaster recovery.  The HIPAA security regulations include standards for preparing to recover from disasters (45 CFR § 164.308(a)(7) is addressed specifically to contingency planning for covered entities and business associates).  The security regulations are cloaked in terms of “reasonableness,” which means that a covered entity’s disaster recovery planning should be commensurate with the amount of data and resources it has.  So, a practice of two physicians that sees 8,000 patient visits a year is not expected to have its data available in three DR hot sites.  But if you are a major insurance carrier, three DR hot sites might not be enough for your operation.  In neither case, however, is no plan an acceptable answer.  Nor is a plan that has never been tested.

Risk Assessment

So where do you start?  The logical starting point is a risk assessment of your existing systems and infrastructure (also required of covered entities under the HIPAA security rules in section 164.308(a)(1)).  A risk assessment will guide you through gathering an inventory of your existing systems, and help to identify known and potentially unknown risks, along with the likelihood that such a risk will be realized and what you are doing now (if anything) to mitigate that risk.  The risk assessment will also help you to categorize how critical a system is to your operations, and will also identify severe risks that remain unmitigated.  This resulting list helps you to come up with a starting place for the next step: doing something about it.

The Disaster Plan

In parallel, you can also use the inventory of your existing systems and risks to develop a disaster recovery plan.  First, you now have a list of your critical systems which are your highest priority to recover in the event of a failure.  Second, you also have a list of likely risks to those systems with the likelihood based in part on your past experience with a particular disaster.  These lists help you to identify what you need to protect and what you need to protect from.  The other two questions you need to ask for each system are: (a) how much data can I stand to lose in the event of a disaster? and (b) how long can I wait to have my system restored to normal operations?

This analysis of your existing systems, risks, and business requirements will help lead the practice to a plan that includes procedures for how to function when systems are unavailable, and how to go about restoring an unavailable system within the business requirements of the practice.  Once you have your plan, and have implemented the systems or policies required by the plan, your next step is to test the plan.  Table top exercises allow you, in a conference room, to walk through the staffing, procedures, and possible issues that may arise as a result of a particular disaster scenario.  Technical testing permits your IT staff to make sure that a disaster recovery system works according to the expected technical outcomes.  Full blown testing is to actually simulate a disaster, perhaps during non-business hours, and actually run through the disaster plan’s procedures for operations and IT.

Hypothetical

As an example, suppose that you have an electronic health record system.  This is a critical system based on the risk assessment.  In the last five years, you have had a virus that partially disabled your records system causing an outage for two business days, and you have had your database crash, causing you to lose a week’s worth of data.  You have implemented two mitigations.  The first is anti-virus software that regularly updates for definitions and regularly scans the system for viruses and removes them.  The second is a backup system that makes a backup of your system’s data on a weekly basis and stores the data in a separate storage system.

Based on interviews with the practice staff and owner, the records system is used as a part of patient care.  During normal business hours, an outage of the system can result in patients being re-scheduled, and also creates double work to document kept visits on paper and again in the record system when it becomes available.  The practice has indicated that the most it can be without the system is a single business day, and the most data it can lose from this system is the most recent 4 hours of data entry (which can be reconstructed by the clinical staff that day).

You then evaluate the mitigations in place today that allow for a system recovery in the event of a likely disaster (virus or database crash, based on the past experience of the practice).  The backup system today runs only once per week, which means that a crash or virus infection late in the week would result in more than 4 hours of lost data.  Recovery from the backup device to a new server also appears to require more than a business day, because the practice has no spare server equipment available.  So you would have to start over with the existing server (installing the operating system, database software, and then restoring the data from the backup), or purchase a new server and have it delivered to complete the restore.

The conclusion here is that while there is an existing mitigation for recovery from a likely disaster, the mitigation does not meet the business requirements of the practice.
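The Risk Assessment, Disaster Plan and Hypothetical sections above amount to a repeatable procedure: record each system's business requirements (the two questions, how much data can be lost and how long the system can be down), model what the existing mitigation actually delivers in the worst case, and flag every requirement it fails.  The following Python script is an added example that is not part of the original post.  It encodes the hypothetical practice's EHR system and its weekly backup, then shows a candidate mitigation beside it.  Every figure (procurement lead time, install and restore durations, and the reading of "one business day" as 8 working hours) is a constructed assumption for illustration, not data from the post.

```python
"""Disaster-recovery gap analysis for a practice's system inventory.

Added example, not code from the original post. It works through the
hypothetical above: a critical EHR system with a 4-hour RPO and an RTO of
one business day (assumed here to mean 8 working hours), protected today
by a weekly backup, with no spare server on hand. All durations below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """Business requirements for one system, gathered from staff interviews."""
    system: str
    critical: bool
    rpo_hours: float   # (a) how much data can the practice stand to lose?
    rto_hours: float   # (b) how long can it wait for normal operations?


@dataclass(frozen=True)
class BackupMitigation:
    """A backup regime and what a rebuild from it would take."""
    interval_hours: float           # time between backups
    restore_hours: float            # restore data from the backup device
    rebuild_hours: float            # install OS and database on the target server
    spare_server_on_hand: bool      # False: hardware must be ordered and delivered
    procurement_hours: float = 0.0  # lead time to obtain a server when none is spare

    def worst_case_data_loss(self) -> float:
        # A failure just before the next scheduled backup loses a whole interval.
        return self.interval_hours

    def worst_case_recovery(self) -> float:
        lead = 0.0 if self.spare_server_on_hand else self.procurement_hours
        return lead + self.rebuild_hours + self.restore_hours


@dataclass(frozen=True)
class Finding:
    """One business requirement the mitigation does not satisfy."""
    system: str
    measure: str          # "RPO" or "RTO"
    required_hours: float
    achieved_hours: float

    def __str__(self) -> str:
        return (f"{self.system}: {self.measure} gap, requirement "
                f"{self.required_hours:g} h, worst case {self.achieved_hours:g} h")


def evaluate(req: Requirement, mit: BackupMitigation) -> list[Finding]:
    """Compare worst-case loss and recovery against the business requirements."""
    findings = []
    loss = mit.worst_case_data_loss()
    if loss > req.rpo_hours:
        findings.append(Finding(req.system, "RPO", req.rpo_hours, loss))
    recovery = mit.worst_case_recovery()
    if recovery > req.rto_hours:
        findings.append(Finding(req.system, "RTO", req.rto_hours, recovery))
    return findings


def is_sufficient(req: Requirement, mit: BackupMitigation) -> bool:
    """True when the mitigation meets both the RPO and the RTO."""
    return not evaluate(req, mit)


def review_inventory(inventory: list[tuple[Requirement, BackupMitigation]]) -> list[Finding]:
    """Gap findings across the whole inventory, critical systems first."""
    ordered = sorted(inventory, key=lambda pair: not pair[0].critical)
    return [f for req, mit in ordered for f in evaluate(req, mit)]


# Constructed inputs mirroring the hypothetical in the text.
EHR = Requirement(system="EHR", critical=True, rpo_hours=4, rto_hours=8)

# Today: weekly backup to separate storage and no spare hardware, so a rebuild
# means ordering a server (assumed 48 h), installing OS + database (assumed
# 6 h) and restoring from the backup device (assumed 3 h).
CURRENT = BackupMitigation(interval_hours=7 * 24, restore_hours=3,
                           rebuild_hours=6, spare_server_on_hand=False,
                           procurement_hours=48)

# Candidate: back up every 4 hours and keep a pre-installed standby server
# (assumed 1 h to finish configuration, 3 h to restore).
PROPOSED = BackupMitigation(interval_hours=4, restore_hours=3,
                            rebuild_hours=1, spare_server_on_hand=True)


if __name__ == "__main__":
    for label, mit in (("current", CURRENT), ("proposed", PROPOSED)):
        findings = review_inventory([(EHR, mit)])
        print(f"{label} mitigation: {'sufficient' if not findings else 'insufficient'}")
        for finding in findings:
            print("  -", finding)
```

Run as a script, the current mitigation produces two findings (a 168-hour worst-case data loss against a 4-hour RPO, and a 57-hour rebuild against an 8-hour RTO), while the proposed one produces none.  The model deliberately measures the worst case rather than the average: a backup taken on Sunday night is of little comfort when the database fails on Friday afternoon, which is exactly the scenario the hypothetical describes.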

Budget for New Sufficient Mitigations

Once you have your list of unmitigated or insufficiently mitigated risks, the next step is to look for mitigations that you could implement on your network.  A mitigation might be a disaster recovery system or service, or it might be some other service or product that can be purchased (like anti-virus software, a hardware warranty, a staff person, etc.).  At this point, the help of a technical consultant may be required if you don’t have your own IT department.  The consultant’s role here is to advise you about what you can do and what the likely costs are to purchase and implement the solution which will meet your business requirements based on your likely risks for disasters.

Once sufficient solutions have been identified, the next step is to purchase a solution and implement it.  From there, testing is key as noted above.  An untested plan is not much of a plan.