Do you remember opening a gift, and being really excited to hear the electronic siren of your new fire truck or the booming bass of a new stereo? You’re ready for fun when you take a quick look over the packaging and sadly realize, no batteries are included. Ouch!
Are we trying to imply that Health and Human Services (HHS) and the Office of Civil Rights (OCR) require you to have batteries in your toys? NO
Are we telling you that the HHS and OCR have a secret connection to the battery manufacturers and want to force us all to buy batteries? NO (well we can’t say for certain, actually)
What we ARE saying is that in order to continue business operations and provide access to ePHI there is a HIPAA requirement that states a covered entity is required to have a security process in place even in the event of a power outage.
When it comes to HIPAA, much more is at stake than not being able to play with a new toy. In the event of a power outage, patient data can be at risk if there are not proper precautions and security measures in place. Therefore, these batteries are definitely required.
Backup Power and the HIPAA Security Rule
We do not always think “battery” when thinking about ePHI or HIPAA Security Rules. However, an Uninterruptible Power Supply (UPS) is of critical importance when considering how to structure your Contingency Plan and more specifically, when you are planning your Emergency Mode of Operation Plan.
Under HIPAA guidelines, there is an important subsection under the Contingency Planning section of the HIPAA Security Rule called the “Emergency Mode Operation Plan”, which states that compliant organizations must:
“Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”
In other words, when experiencing an emergency such as a power outage, it is still the responsibility of the covered entity to have security safeguards and a process in place to maintain the availability and security of patient records. This remains true even during a power outage caused by a storm or natural disaster, such as flooding or wildfires. For example, a long term care facility or doctor’s office that must still be able to access patient records or ePHI in order to provide care.
Choosing an Uninterruptible Power Supply (Battery)
Having a reliable UPS is critical when planning the protection and availability of your ePHI in unforeseen and emergency circumstances. When considering a UPS, you will want to:
1. Consider the load that will be put on the UPS.
Some common UPS for desktops or laptops may last up to 30 – 45 minutes when under normal use.
2. Determine how many amp hours you will need.
Depending on the load, you can then determine how many amp hours are going to be required or in other words how large of a UPS will you need.
3. Consider your size and storage needs.
The size of a desktop or laptop UPS will also be much smaller and more likely to fit under a desk. However, if you are planning on running several servers you will need to look into a UPS that will provide enough power to last until your generator can be brought online or the power restored. A UPS of this size may be similar to a normal sized refrigerator.
For more information on batteries suitable for your organization, check out batteryboss.org!
- When preparing your Contingency Plan, keep in mind the importance of having a strategy to continue providing access to ePHI even during a power outage.
- Creating a contingency plan is important no matter the size of your business.
- Being prepared for a power outage and knowing how your ePHI will still be accessible with the use of a UPS will help to put your mind at ease, and keep you compliant with the HIPAA Security Rule.
- Keep in mind the kind of load that will be placed on your UPS. This will help you to determine the proper size UPS.
- Check out batteryboss.org for batteries suitable for your organization.
If you have specific questions concerning your Contingency Plan or Emergency Mode of Operation Plan, please contact Gazelle Consulting today!