We all know that we are supposed to have a plan in place in the event of an emergency like an imminent hurricane landfall. Most of our clients are Floridians, so our plan typically involves not really doing much until we see Mr. Jim Cantore reporting somewhere nearby. Once he shows up, it is time to get the shutters up and fill up the bathtubs with water. Then comes the part after the storm passes when we try to get back to our normal routines.

If you are like Accudata, the 2017 was the year when you experienced first-hand the challenges of running your business without an internet connection for an extended period. The roads were clear and we had power, but no internet. We also had phones and computer systems that required nothing except the internet connection. Some of our more unfortunate clients experienced first-hand the loss of entire computer systems due to electrical surges from the storm. These two situations very clearly illustrate the need for a Business Continuity Plan and a Disaster Recovery Plan.

Business Continuity Plan vs. Disaster Recovery Plan

A Business Continuity Plan is a plan that details how the business can and will operate anytime business critical systems are not available. For example, if a point of sale retail store is unable to use their credit card swipe because the device is not working or the internet is down, then they can pull out the manual credit card imprint machine and continue operating their business with a minor delay. In this case, there is no need to engage your disaster recovery plan since nothing was lost that needed to be recovered.

A Disaster Recovery Plan should be a part of any business continuity plan where you stand a chance of losing customer/patient data or critical systems. This is the plan that most of us have considered. We most likely have both a local and remote backup so that we can restore our most critical data even if the primary location is destroyed in the even of a fire or flood. The disaster recovery plan is really the last resort plans for a worst-case scenario.

Now that you know the subtle but important difference, we are going to review the four major steps to creating a Business Continuity Plan for your business. For each step, we will give an example of a workflow for a Medical Biller for a small medical practice.

Define Critical Workflows

Starting with the most critical functions of your business, begin documenting each process. This may already exist in your business as a documented process, policy and/or procedure. At the very least, we recommend that your documentation include a simple workflow description for how things should work when the business is operating normally. You should also identify the inventory, knowledge, and job roles necessary for each process.

For example, in a medical practice, the billing process may describe starting each day by receiving billing data from Medisoft Clinical and importing it into Medisoft Network Professional. After the billing data imports, then the biller reviews all the previous day's transactions for accuracy and automatically posts them into the system. The final step of the charge entry process would be to create claims to send via Revenue Management. This process will require access to Medisoft Clinical and Medisoft Network Professional. You will also require a trained medical biller who has knowledge of the two Medisoft products.

Identify Major and Minor Threats

Review the process and ask what could occur that could make your workflow unable to follow. Your HIPAA Security Risk Assessment is an excellent source for this type of information.

Continuing the Medical Billing example, we would say a minor threat is a temporary loss of access to the Medisoft systems due to a power outage, computer system failure, or network outage, This would become a major threat if the data was lost due to corruption or unrecoverable drive failure.

Identify Preventative Measures and Recovery Options

Determine what you can do to help prevent the threat or recover from the worst-case scenario. This part of the process should start with creative brainstorming where there are no bad ideas. This is an excellent way to come up with new ideas and it will help ensure that you have considered alternatives when you finalize your plan.

Below is an example of some risks and some ways to prevent or resolve them. The options listed include both high and low-cost solutions since everything should be considered. While having multiple office locations would be great, this is not going to be a reasonable solution for most small businesses due to cost and proximity to clients.

Risk

Prevention and Recovery Options

Power Loss in Office UPS/battery backup to avoid data loss and system damage from unexpected shutdown

Generator that runs on gas to provide power to critical systems during long power outages

Multiple office locations and cloud hosted Medisoft would allow us to move operations to another location outside of affected area.

Equipment Loss – Computer Purchase more fault tolerant workstations with RAID 5 hard drives and/or redundant power supplies more commonly found in server hardware

Purchase additional computers which are typically not used but ready as an on-hand system replacement

Equipment Loss – Server RAID hard drive configuration of at least RAID 5

Redundant power supplies

Redundant Network Interface Cards (NIC)

Dual Hyper-V hosts with a shared storage server configured to failover if one host should fail

Equipment Loss – Network Redundant Smart Gigabit Switches
Data Loss – Medisoft Local Image Backup to External Hard Drive

Data Backup to Remote or Cloud Storage

Backup Appliance with Failover to Cloud Server

Document Business Continuity Workflow

List how the normal workflow will be altered if we need to activate your business continuity plane. The continuity plan for our medical biller will be to alert management or IT to the issue, then simply assist with call handling during this downtime. Once the system is back up, the staff member will return to Medisoft and continue billing as normal.

If the downtime will last longer than 1 day, then we will consider alternatives like using another computer in the office.

If the data is lost, we will quickly recover data from the latest local backup. If the local backup has also been destroyed, then we will recover from the latest online backup.

Modify Regular Workflow

Do not be too rigid about your existing workflows and processes. Consider modifications to the existing process that will make the business continuity plan more reliable.

At the end of our Medisoft example, we may realize that our backup runs every night at 6:00 pm and if a data loss occurs at 4:00 pm on a workday, we will need to be able to reenter everything done that day. Our Doctor decides to keep superbills on a clipboard for purposes of jotting down notes and documenting what should have been billed for each visit. This paper superbill will be scanned into the medical record after the visit. Now if we need to enter information originally that morning, we will have some documentation available to match to the appointment list in Office Hours.

Once the plans are created, make sure tat your team understands how these processes work and when to use them. On slower days, you should perform a drill where the affected employees can practice the business continuity plan. When this eventually pops up, your team is ready to address it in a calm and organized way.