August 12, 2010
Disasters strike businesses every day. Some are big like pandemics, hurricanes and earthquakes. And some are small and go largely unnoticed by anyone outside the company, like lightning strikes, water leaks and server failures.
Gartner Research recently released a chilling statistic; two out of five companies that experience a disaster go out of business within five years. Contingency Planning and Management Magazine indicated that 40 percent of companies that shut down for three or more days failed within 36 months.
If a hurricane, flood or fire hit your medical billing or coding company, would you be able to resume normal business activity within a day? A week? A month? Have you thought about it?
It's not as overwhelming as it sounds. Let's look at 10 steps you can take now to create a disaster-recovery plan for the future of your business.
1. Build An Emergency Response Team (ERT). Identify a team of individuals in your company who can be called into action any time - day or night - if a disaster strikes. This team should be a cross-section of the company so that all aspects of restarting your business are considered during planning and execution. The team should also live close to the office. Assign back-up roles in case key players are unavailable or missing.
2. Define disaster. If your building floods, you would obviously realize a disaster has taken place. But, what if you're just experiencing high winds? What if the roads are blocked and you can't get to your office? During your planning, empower two or three of your ERT with the ability to declare a disaster based on input from your local authorities and other team members.
3. Make sure the plan will be followed. During the DR planning stage, you'll want to elect one person as ERT leader. You'll also want to determine the minimum number of staff needed to restart your company and give the leader the authority to start recovery when they deem appropriate. Someone should also be appointed to document damage with photos and descriptions for inventory and insurance purposes.
4. Figure out how to keep in contact. You'll need to keep in touch with all of your staff in the event of a disaster. During planning, create cards for everyone with ERT member home and cell phone numbers that will fit in purses or wallets. Try texting, instant messaging and even a teleconference bridge line (think GoToMeeting) if other communication methods aren't available. So, you'll want to set those lines up now.
You should also plan to keep in touch with your customers on a regular basis. Make sure your web site and phone can be updated remotely to keep notifications and instructions. Explaining to your customers that your office is temporarily unavailable in an e-mail or notice on the web site will go a long way toward reducing unhappy clients. Explain exactly what is going on in your blog, on your site and facebook page, if your company has them.
5. Identify basic recovery plans. Take a look at each department in your office. What will you need to do in each department to get things up and running again? E-mail? Computers? Communication with outside vendors? Write it all down. It may seem obvious, but having a list prepared in advance can definitely speed up the recovery process. Then, prioritize the list so the most critical tasks for the most forward-facing departments are handled first.
6. Develop processing alternatives. This means plan for the worst. If your building is inaccessible for days, where can you work? Where can your employees work? Do you have the tools you need at home to get your business back up and running?
"One benefit of an online computer application is that it can be accessed from any computer with an Internet connection," said Leslie Haywood, CEO of eBridge Solutions, a web-based document management company. "We had several insurance customers running their offices remotely in the aftermath of Hurricane Katrina. They were better able to serve their customers since they had policy information available to them, though their offices were blocked."
Do you have a customer or vendor near you who might be able to share an office or resources? You may also want to think about using temporary employees (if yours cannot work for an extended period) or relying on more manual processes to get you through the first days after disaster strikes.
7. Enact preventative measures. The loss of key information can be devastating if disaster strikes. Since you are creating your DR plan in ADVANCE of a real disaster, start thinking of ways you can minimize damage in the IT, facilities and recordkeeping areas if one occurs.
For medical billing companies, paper and electronic documents are a critical part of your daily business.
Recordkeeping preventative measures:
Centralize record storage.
Scan paper files.
Ensure back-up copies of data are stored off-site.
One way all of these preventative measures can easily be accomplished by adding a web-based document management system in your business. With a document management system, you can easily store paper and electronic documents together online for easy and secure retrieval from any computer with Internet access. And, once you've scanned a document into a document management system, you can legally shred the paperwork, which means there won't be paper to lose in the event of a disaster.
"We use a web-based document management system as part of our compliance and disaster recovery plan," explained Kevin Ewalt, president of RADMAX in Tyler, Texas. "We have all of our important documents scanned or printed into the system. We also scan physician documentation and even our accounts payables. This way we have a contingency plan in place in case our building is destroyed. We can easily retrieve important papers from anywhere that has an Internet connection."
You can also store and manage your Word, Excel and other software program files in your document management system as a back-up in the event of hard drive or laptop failure after a disaster.
8. Document the DR plan. Don't let all of your brainstorming about disasters and recovery plans remain in your head. Be sure to sit down and type up the details. Once you've written up your preliminary DR plan, share it with your staff and make sure everyone understands the role they would play should disaster strike.
Also make sure to store copies of your DR plan at your home, safety deposit box and/or online storage so it will be accessible.
9. Train ERT members. So, you've got your DR plan typed up and ready to go. At this point, you'll need to meet with your ERT members and ensure everyone knows what role they'll play during a disaster. Distribute paper and electronic copies of the plans and vital contact information.
10. Test your DR plan. According to an AT&T Survey of 100 Chicago firms (revenues <$10M), 81 have DR plans, but only 43% have fully tested their plans within the last 12 months and 12% admitted they have never tested their business continuity plans. Whether on paper, in a meeting or in a simulated disaster, test your DR plan with your entire ERT and select staff members. Continue to improve your plan based on input from your team. Without testing, you may find out too late that you missed a critical step in your road to disaster recovery.
No one ever thinks a disaster will strike their business. But, it happens every day. Having a disaster-recovery plan in place - even in its basest form - could mean the difference between the survival of your business or your competitor's in the next town should a disaster strike your area.
Take a few minutes to sketch out a plan over a staff retreat or long lunch and give your business insurance for its future success. A well-structured and coherent disaster recovery plan will enable companies to recover quickly and effectively from an unforeseen disaster or emergency, thus avoiding significant business interruption and loss.
HIPAA and disaster-recovery plans
Since medical billing and coding companies deal with confidential patient information, HIPAA (and other industry regulations) should be considered when writing your DR plan.
"Each entity needs to determine its own risk in the event of an emergency that would result in a loss of operations. A contingency plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given contingency plan will depend upon the nature and configuration of the entity devising it."
(From the Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule)
If this explanation of HIPAA compliance from a disaster-recovery perspective seems vague, it is. If you are subject to HIPAA requirements, there are three things you must be able to prove:
You've conducted a formal analysis of the risks to your data, including an assessment of the physical access and security in addition to technical threats.
You have produced a DR plan with policies and procedures in place that cover backup, storage and recovery.
Your plan adequately and reasonably addresses the risks identified in your analysis.
Stephanie L. Jones, MBA, is the Marketing Director for eBridge Solutions, an Internet-based document management provider. www.ebridgesolutions.com