LEADERSHIP ASSIGNMENT PART 2


Journal of Health Care Compliance — September–October 2020

Emergency Response

Gerry Blass / Dana Penny

Emergency Response Planning: If We Knew Then What We Know Now

Gerry Blass is the president and chief executive officer (CEO) at ComplyAssistant and can be reached at [email protected] or 800/609-3414, ext. 700. LinkedIn: www.linkedin.com/in/gerry-blass-917a482

How COVID-19 Changed Disaster Response in Health Care

Disaster preparedness and business continuity planning are not novel concepts. For decades, health care organizations have created and maintained emergency response plans to prepare for any type of disaster or crisis—from weather-related disasters to cyber incidents to active threat scenarios.

Yet even with all that preparation, health care providers across the nation scrambled to manage response during the COVID-19 pandemic. Why? What was different about this particular crisis? In this column, we discuss the need for emergency response, what we learned from COVID-19, and how to prepare differently in the future.

A Primer on Emergency Preparedness

The term “disaster preparedness” generally refers to the emergency preparedness plan that is created at the facility or system level of a provider organization. It is a broad, enterprise plan meant to address any type of disaster and how operations should react. For example, as part of its National Response Framework (NRF), the U.S. Department of Health and Human Services (HHS) offers guidance and support in 23 key areas for disaster planning, such as worker health and safety, hospital care, patient movement, medical equipment and supplies, recovery, and external communications.1

In addition, both the Health Insurance Portability and Accountability Act (HIPAA) security rule and the National Institute of Standards and Technology (NIST) Cybersecurity Framework support the need for an IT disaster preparedness and business continuity plan. The purpose of the HIPAA security rule is to “ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.”2 In the case of emergency preparedness, we need to focus on the availability aspect of the security rule to ensure that our response plans do not unduly prohibit the ability to comply.

Dana Penny is the chief compliance officer at The New Jewish Home and can be reached at DPenny@jewishhome.org or 212/870-4752. LinkedIn: www.linkedin.com/in/dana-penny-84786017

In preparing for any type of emergency, three plans are critical to the continuity of operations and restoration of capabilities:

1. Business continuity: designed to ensure that critical business functions and processes are sustained during and following periods of degradation.

2. Disaster recovery: designed to ensure the restoration of target information systems, infrastructure, or other components as soon as possible following a contingency event.

3. Incident response: designed for information security personnel to identify, mitigate, and recover from malicious computer events or incidents.

Health care organizations frequently use the terms “business continuity” and “disaster recovery” interchangeably and often revert solely to disaster recovery when responding to an incident; however, each of these three has a very specific focus and is complementary with the others.

When creating an emergency response plan, NIST generally recommends seven progressive steps as contingency planning for information systems:3

1. Develop a contingency planning policy statement, which provides the authority and guidance necessary to develop an effective contingency plan.

2. Conduct a business impact analysis (BIA) to identify and prioritize information systems essential for the organization’s mission and business processes.

3. Identify preventive controls to reduce the impact of system disruptions and increase system availability.

4. Create thorough contingency strategies to ensure that systems can be recovered quickly and effectively.

5. Develop an information system contingency plan that includes detailed guidance and procedures for restoring a damaged system.

6. Test, train, and perform exercises to identify gaps in the plan and improve the overall preparedness of the organization.

7. Update the plan regularly to remain current with system enhancements and organizational and environmental changes.

Within an enterprise emergency preparedness plan, each department or service line should also have a much more detailed and meticulous plan for specifically dealing with various emergencies. For IT, security, and compliance leaders in health care, this means developing a plan that will enable the organization to continue the business of providing care.

The key to any good emergency response plan is making sure it is actually operational. It is one thing to have documentation, but can the plan actually be put into practice when the time comes?

What We Learned from COVID-19

Though these types of emergency preparedness structures have historically been in place, COVID-19 completely shifted some of our thinking. Though we have experienced pandemics before, such as H1N1, health care providers by and large were not prepared for the types of scenarios that COVID-19 introduced.

Systems

With the onset of COVID-19, it became clear that emergency response was less about the availability of networks and communications systems already in place. This was unlike a hurricane or a cyber incident where a system had gone down. Rather, health care organizations needed to enhance what they had, and they had to do it quickly to enable more staff than ever before to work remotely.

From a security standpoint, providers also needed to watch for different kinds of scams designed to break down your cybersecurity defenses, such as phishing scams exploiting the need for personal protective equipment (PPE). By far, when providers have so many people working remotely, especially if they were not set up to scale that quickly, they opened an entirely new set of vulnerabilities. Providers now recognize that they have to be very conscious about enhanced network security for a largely remote workforce, including steps such as issuing remote laptops, monitoring network usage, and improving access via VPNs and multi-factor authentication.

Staffing and Manpower

More than anything else, staffing was the most significant difference between COVID-19 and other disasters. In the beginning, we saw clinical staff getting sick because we didn’t know at the time what we were dealing with. Even the IT staff was impacted because they needed to quarantine and couldn’t come into work. Health care providers needed to quickly find alternate means of communication, which elevated the need for telecommuting and telehealth. Health care simply did not have the capacity to securely allow people to work from home and be productive.

Pandemic Response Plan

In addition, some state health departments, following guidance from the Centers for Disease Control and Prevention (CDC), now require health care providers to develop an official pandemic response plan and post it on their websites. The posted plan must include provisions for staffing, infection control, and enhanced communications. The pandemic response plan should answer questions such as:

■ How will you enable families to communicate with residents/patients? Do you have video conference technology available to every resident?

■ If a resident/patient is sick, how have you prepared to communicate with the family on a daily basis?

■ If medical staff are in quarantine due to exposure, do they have the means to participate in patient care via teleconference?

■ What communications and training do you have in place for staff, patients, and family?

■ What steps are you taking for infection control? How are you limiting staff interaction? How are you minimizing cross contamination between units?

■ How are you ensuring that care providers have easy access to patient records, especially when patients are moved to another unit or location?

■ What is your process for staying updated with recommendations from state and local health departments? Do you have an assigned staffer who is checking for the latest information and guidance?

In conjunction with an official written and posted pandemic response plan, we recommend that health care providers proactively conduct a self-assessment focused on infection control. If and when providers are surveyed by state health department surveyors who are following directives from the Centers for Medicare & Medicaid Services (CMS), providers will be prepared in advance for the survey. We also recommend using a governance, risk, and compliance (GRC) software to perform a self-assessment so the responses are consolidated, thorough, and standardized to what the auditors will want to see.

Plan into Practice

Health care providers typically include pandemics in their disaster recovery/business continuity (DR/BC) plans. Actually putting those plans into practice, however, is quite different. In the past, it came down to budgeting and priorities—when there is no pandemic, budgets are allocated to higher priority items. We see this changing already. Health care facilities are documenting what happened during COVID-19, particularly the procedures and processes they put in place during the pandemic. In the future they will be able to react quickly without being taken off guard. They now have real-life, documented procedures for remote workers and the security protocols required. Even Departments of Health now require stockpiles of PPE as a result of COVID-19. In order to put a pandemic emergency response plan into practice, health care organizations should consider the following questions:

■ How are you planning to invest in preparing for a pandemic scenario when other disasters such as weather-related incidents often take priority?

■ Is your emergency response plan available on both hard and soft copies? If your network or system goes down, do you have access to a hard copy of the plan to operationalize? Are both hard and soft copies updated to the latest process?

■ Are you prepared for significant staffing shifts? Can you accommodate patient care when staff are not able, or are too concerned, to come into work? Have you cross-trained staff within your organization? Do you have a backup plan for every position within the organization? Where can staff be reallocated to other critical roles? For example, we found that staff who typically perform statistical analyses were fantastic in helping track down equipment and supplies, documenting how much inventory was needed, and tracking the movement of supplies from one department to another.

■ What is your plan for ancillary staffing, such as sanitation, funeral home, and morgue staff? What about budgeting for ancillary equipment such as refrigerated trucks? Can you easily shift budget and manpower to operationalize the plan?

■ If the emergency in play has not impacted your facility directly, have you considered the indirect impact? How can you prepare to assist other facilities in need?

■ Have you engaged your marketing and communications team? Vital to creating and distributing materials required to educate staff on how to come into work, how to properly use PPE, and how to adhere to curfews, is this team prepared with materials in advance, so they can quickly be rolled out?

Though health care organizations have created emergency response plans for decades, nothing quite prepared us for COVID-19. This pandemic was unlike anything we had seen before, creating a paradigm shift in how we deliver health care today, and how we plan for future incidents. Changes to enable remote patient care, a remote workforce, and appropriate staffing during a pandemic must be considered as providers document and update plans to be better prepared in the future, regardless of the type of disaster we face.

Endnotes

1. U.S. Department of Health & Human Services. Public Health Emergency. HHS Response and Recovery Resources Compendium. Available at www.phe.gov/emergency/hhscapabilities/Pages/default.aspx.

2. U.S. Department of Health & Human Services. Health Information Privacy. Why is the HIPAA Security Rule needed and what is the purpose of the security standards? Available at www.hhs.gov/hipaa/for-professionals/faq/2000/why-is-hipaa-needed-and-what-is-the-purpose-of-security-standards/index.html.

3. National Institute of Standards and Technology (NIST), Department of Commerce. Special Publication 800-34 Revision 1 – Contingency Planning Guide for Federal Information Systems. Available at nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.

Copyright of Journal of Health Care Compliance is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.