1) What is a Disaster Recovery Plan? Give an example of why a Health Care Provider might need one.
2) According to the OCR, is it reasonable for a covered entity to charge a patient a $100 “records review fee” to obtain copies of his medical records? Why or why not?
3) "What to Do When Your Medical Practice Data Is Breached," list and briefly discuss the four steps to take when your medical practice data is breached.
1) Disaster recovery plan- It is a business plan that describes how work can be resumed quickly and effectively after a disaster. That is, it is a documented process or set of procedures to recover and protect a business's IT infrastructure in the event of a disaster.
A disaster recovery plan is a requirement for healthcare providers, and it is essential for continuous patient care during potential downtime.
For example- IT disaster recovery plan-
An IT disaster recovery plan provides a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes and people.
2) The US Department of Health and Human Services Office for Civil Rights (OCR) released new guidance clarifying an individual's right to access his or her medical records under HIPAA. OCR released cost-based fees for copies of medical records so that under HIPAA, individuals have an enforceable, legal right to request copies of their medical records maintained by covered entities. The purpose of the guidance is to help remove barriers and resolve any misunderstandings related to individuals accessing their information.
4) The following steps to take after a data breach-
a. Contain the leak and fix the underlying vulnerabilities-
If the organization's network was hacked, for example, the attacker's point of entry is closed so that no further information is stolen.
b. Notify customers, regulators and other parties as required by law-
Doing so quickly not only helps with meeting compliance requirements; any delay will also make it harder to retain patients' trust.
c. Set up a call center-
Once patients are notified, the most important thing an organization can give them is a person to contact with questions and concerns. A call center can be set up with in-house resources or outside help.
d. Review federal and state legal requirements-
In addition to the HITECH Act, healthcare organizations may be subject to requirements from state laws for responding to a data breach.