Nearly six in 10 hospitals last year experienced an unplanned EHR disruption that made their EHR unavailable to hospital staff, but hospitals appeared to be mostly prepared to handle such disruptions, according to a report on hospitals' EHR contingency plans from HHS' Office of Inspector General.
The OIG administered an online questionnaire between May and July 2015 to 400 hospitals that receive Medicare payments. Investigators also visited six hospitals to further review EHR contingency plans and related documents.
The OIG found overall hospitals are highly prepared with contingency plans: 95 percent of hospitals said written policies and procedures in their contingency plans specify how to respond to EHR disruptions. Of the 5 percent of hospitals that did not have contingency plans, some of them said they were still developing them as they had only recently adopted their EHR. Others noted they had implemented practices related to contingency plans but did not have those documented in policies or procedures.
HIPAA requires four specific elements in a contingency plan: having a data backup plan, a disaster recovery plan, an emergency mode operations plan and testing and revision procedures. Sixty-eight percent of hospitals' contingency plans addressed all four of these requirements.
Of the hospitals that experienced an unplanned EHR disruption, 59 percent of the time it was related to a hardware malfunction or failure, 44 percent were related to an internet connectivity problem, 33 percent were due to a power failure, 4 percent came from a natural disaster and 1 percent came from a hacking incident. (Hospitals were permitted to identify more than one cause of an unplanned EHR disruption.)
When EHRs were disrupted, 24 percent of hospitals said the disruption resulted in delayed patient care, 15 percent said it resulted in rerouted patient care and 1 percent said it resulted in loss of records. No hospitals said unplanned EHR disruptions resulted in a data breach.
Hospitals generally had implemented contingency plan recommendations from the ONC and National Institute for Standards and Technology, such as maintaining backup copies of records (99 percent), storing backup data offsite (92 percent), determining how to replace damaged equipment (87 percent), having at least two internet paths (78 percent), supplying paper forms in emergency mode (100 percent), maintaining electric generator (98 percent) and continuously updating contingency plans to remain up-to-date with system enhancements (85 percent), among others.
The OIG suggests OCR implements a permanent audit program evaluating hospitals' compliance with HIPAA's contingency plan requirements, especially as cyber threats evolve. "Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans," according to the report.
More articles on EHRs:
The productivity paradox: EHRs need to be tough now to gain efficiencies later
74% of physicians say they haven't seen a return on EHR investment
Computer, math science workers in hospitals increased 18% to help with EHRs