Speaker 1: Welcome to the Smart Business Great Medicine video cast on what is a business continuity plan and why does my medical practice need one? There are many unforeseen and uncontrollable incidents which can affect your medical practice. They range from fires and storms to cyber attacks. How you manage your business when these types of incidents arise can significantly impact your practice, maybe even its survival. A business continuity plan, known as a BCP, defines the who, what, when, and where for how your medical practice personnel are to respond to any disruption of their normal operations. More specifically, the BCP includes a predetermined set of procedures and documentation that defines the resources, actions, tasks, data, and processing priorities required to manage the business continuity of your practice and the processes needed for restoration in the event of an incident. An incident can come in many forms. A simple power outage due to a storm that only lasts several hours. A hurricane that knocks out all power in your region for a couple of days. A ransomware attack that takes hold of your entire computer system, including your EHRs, that will take days, if not weeks, to resolve. This article will discuss why a business continuity plan is important for your practice. When most medical practices think about a business continuity plan, the initial thought is, do I really need to spend the time and money to put together this document? The answer is an emphatic yes, and here's why. There are five primary reasons to have a continuity plan. Number one, it's required by law. Number two, to mitigate the impact on patient care. Number three, to affect your practice profit and losses. Number four, the increased reliance on computer systems. And number five, the potential risk of cyber attack. Let's discuss each of these five reasons in more detail. Legal Requirements. Business continuity in health care is now mandatory under the Health Insurance Portability and Accountability Act, HIPAA. Business continuity is reflected in the HIPAA security rules, where it states that an organization must, and I quote, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization, end quote. Furthermore, it requires technology and protocols to back up data, be able to rapidly restore data, and to continue operating in an emergency mode after a critical event. Impact on Patient Care. While physicians have many patients that they see only once or twice a year, some patients have critical conditions that require much more frequent visits so that their condition can be closely managed and the appropriate medications can be prescribed. Imagine that your practice has to close for a day, or maybe a week, for a disaster. What will your critical patients do? How will your patients get their prescriptions renewed? Not being open can be a life-threatening event for some of your patients. Practice Financials. Most medical practices operate in a kind of frantic, controlled chaos, everyone in the office working tirelessly in scheduling, check-in, physician appointments, billing, etc. This process is repeated throughout the day, nonstop. If you and your staff are not in the office seeing patients because of an incident, then you're not generating revenue and thereby impacting the bottom line of your practice. Reliance on Digital Records. As a part of the American Recovery and Reinvestment Act, all public and private health care providers and other eligible professionals were required to adopt and demonstrate meaningful use of electronic medical records by January 1, 2014. Since that time, almost all medical practices have some form of electronic health record to manage patient records, prescriptions, and billing, eliminating most, if not all, paper copies. Computers are the lifeblood of a medical practice. To keep operations flowing, they have to be working. Without access to EHRs, a practice will come to a grinding halt. Cyber Threats. Five years ago, most medical practices had never heard of the terms cyber threat or ransomware. It's estimated that 1 in 4 health care organizations will be hit by a ransomware attack. Health organizations are an attractive target for cyber crime because of their valuable medical and billing information. The data can be sold for insurance fraud purposes, or it can be locked up and used to extort money from the affected medical practice. Smaller health care organizations are at greater risk because they generally don't have the resources for robust security tools and don't have a dedicated cybersecurity specialist to monitor their systems and network. If your practice is hit by a cyber attack, your practice will not have access to the EHR system, billing, email, and business and financial records. A business continuity plan is important for any smart business, and it's the law. The first step in getting started with a business continuity plan is to ensure that all of the leadership of the practice understands its importance and supports its implementation. Second, assign someone who will own the document. They must not only write the document, but also ensure that it is maintained. Now let's discuss what makes up a business continuity plan. There are several primary components for any business continuity plan, including number one, operation periods, number two, business impact analysis, number three, leadership, and number four, communications. Now let's discuss each of these components. Operations Period. A business continuity plan must be maintained at a high level of preparedness and be available for implementation without significant warning and no later than 12 hours after activation. A business continuity plan should provide guidance to sustain operations for up to 30 days. The broad objective of the business continuity plan for the medical practice is to provide for the safety and well-being of the employees and the patients. In addition, this plan will facilitate the performance of essential functions during any crisis or emergency in which one or more organization locations are threatened or inaccessible. Business Impact Analysis. A business impact analysis, BIA, is a process that identifies and evaluates the potential effects, whether they be financial, life, safety, regulatory, legal, contractual, reputation, and so forth, of a natural or man-made event on business operations. This will also include developing mitigation strategies if an incident happens for each of the key functions of the practice. Leadership. Defining the roles and responsibilities in a disaster incident is critical. Basically, this will define who is going to do what and when. If an incident happens, there will be a lot to do, very quickly, and no one person can manage everything. Also, a succession plan needs to be defined if someone is traveling or at another location. Communication. Often, if an incident occurs, the computers and phone systems will be inaccessible. This means that you will not have easy access to email and phone numbers for everyone who needs to be contacted. Having a paper copy of all the contacts is vital for a smooth recovery from a disaster. This contact list should also include the employees of the practice. Thank you for watching the Smart Business Great Medicine videocast. To download a free copy of our Business Continuity Plan that you can customize for your practice, please visit us at SmartBusinessGreatMedicine.com.