Workplace Safety
Protecting Electronic Health Information During Disasters
Dermatology practices must protect all of the patient health information they store in their electronic health record (EHR), even during a disaster or emergency. Make sure that your staff and patients are compliant with the HIPAA Security Rule, which requires medical practices to develop a contingency plan that covers emergency response when systems containing protected health information (PHI) may be damaged. This plan should be reviewed and updated at least annually.
The entire facility might be destroyed by a natural or manmade disaster that hits the area, but the practice must ensure that it has prompt access to an updated copy of all electronic health records.
Practices should address the following:
Backup data
Develop policies and procedures
Set up a provision

Backup data
Confirm that your dermatology practice has a data backup plan and an analysis of which applications and data are critical to operations. Make sure an appropriate procedure is in place for accessing backup data and for recovering data and applications from your practice’s EHR system, whether it is located onsite or offsite, if a disaster hits the area.
Routinely back up the data. The general rule is to keep at least three copies, stored on two different types of media, with one copy offsite. The Security Rule requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan. Be sure that backups are encrypted, to prevent reportable breaches should a backup be lost or stolen.
If the EHR is hosted in the cloud, check what precautions the vendor takes with regard to disaster recovery. Explore backup and restoration capabilities with your vendor.
Even for server-based EHRs, cloud backup services may be an attractive option. Cloud services generally employ geo-redundancy, which means that data is stored at more than one server facility, preventing lost data if one facility goes down.
And finally, test your EHR backups on a regular basis. There are at least two kinds of tests: 1) one examines the backed-up data to ensure it is identical to the source; and 2) the other involves restoring select data or the entire system, as if the practice were recovering from a disaster or loss of data. A practice cannot know whether its backups are effective without testing, and it could be devastating for the dermatologist and patient if backups are not operational.
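The two backup tests described above, as an added example that is not part of the Academy's guidance: a small script that (1) compares every backed-up file against the source by SHA-256 digest and (2) performs a test restore into a scratch directory and re-verifies it. The sample "record" files, directory names and the deliberate corruption are constructed for the demonstration.

```python
"""Check an EHR backup two ways: (1) compare backed-up files against the
source via SHA-256, and (2) restore into a scratch location and re-verify."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(source: Path, backup: Path) -> list:
    """Test 1: list files missing from or altered in the backup.
    An empty list means the backup is identical to the source."""
    src, bak = build_manifest(source), build_manifest(backup)
    problems = [f"missing: {p}" for p in src if p not in bak]
    problems += [f"mismatch: {p}" for p in src if p in bak and bak[p] != src[p]]
    return sorted(problems)


def restore_drill(backup: Path, source: Path) -> bool:
    """Test 2: restore the backup into a scratch directory (never over the
    live system) and confirm the restored copy still matches the source."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(backup, restored)
        return verify_backup(source, restored) == []


def demo() -> list:
    """Constructed scenario: back up three sample record files, then silently
    corrupt one copy and delete another to show that test 1 catches both."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp) / "ehr", Path(tmp) / "backup"
        source.mkdir()
        for name in ("patient_001.txt", "patient_002.txt", "notes/visit.txt"):
            (source / name).parent.mkdir(parents=True, exist_ok=True)
            (source / name).write_text(f"sample record {name}\n")
        shutil.copytree(source, backup)
        assert verify_backup(source, backup) == [] and restore_drill(backup, source)
        (backup / "patient_002.txt").write_text("bit rot\n")  # silent corruption
        (backup / "notes" / "visit.txt").unlink()              # file lost
        return verify_backup(source, backup)


if __name__ == "__main__":
    print(demo())  # ['mismatch: patient_002.txt', 'missing: notes/visit.txt']
```

In practice, run `verify_backup` against each stored copy on a schedule and `restore_drill` against the most recent one, and treat any non-empty result as a failed backup to be investigated.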
Develop policies and procedures
Assign appropriate leaders the responsibility of overseeing IT equipment and procedures during an impending disaster.
Have a contingency plan in place on what to do with all system devices prior to an impending disaster. The contingency plan must include the following: data backup plans, disaster recovery plans, emergency-mode operations plans, and test and revision procedures.
Make sure all staff understand what to do in an emergency, especially with the medical records and data. If the EHR is hosted in the cloud, each staff member involved should be trained on their role.
Create protocols for transferring electronic protected health information (ePHI) without breaching HIPAA regulations. As part of this, the practice must determine which applications and data are needed for it to continue essential operations during an emergency or disaster.
Set up a provision
Explore options for rapidly setting up operations in an alternate facility in case of disaster. If your dermatology practice is part of a larger organization, confirm that your EHR system is interoperable with other systems. Follow the organization’s enterprise-wide backup and disaster recovery policies. A large organization may be able to provide alternate facilities, hardware, and several other useful resources.
Take steps to protect hardware. For example, a server should not be located in a room that is prone to flooding, and it should be secured by locks and other physical measures. If workstations store health information, they should be locked down to deter theft. Data on these devices should also be encrypted, because even if equipment is stolen, the practice is still responsible for breaches of unencrypted data.
Consider buying a backup generator that will restore power and have the capability to restore IT infrastructure, especially if the facility is prone to power failures. In fact, power failures are cited as the most common type of “disaster” that interrupts health care operations. The cost of such an investment should be weighed against the potential lost revenue and disruption caused by a sustained power outage.
Insurance
Consider purchasing cyber insurance, which can protect the practice from the costs associated with data loss and breaches. It is an extra precaution for mitigating risk exposure related to data breaches. Such policies usually require strict adherence to security protocols and backup policies; violating these terms may void the coverage, so practices should carefully review and adhere to the terms of their cyber insurance policies.
Resources
Health IT SAFER*: Self-assessments to optimize the safety of EHRs.
The Academy’s HIPAA compliance center: Data backup and recovery are required by the HIPAA Security Rule.
* The Academy is able to share these options on an informational basis only. It does not represent an endorsement by the Academy. Please compare, evaluate, and consider which ones best meet your needs.
Additional Academy Resources
Access Academy resources on health information technology, exploring best practices and regulatory requirements.
Read guidance on EHRs and cybersecurity, including best practices in backing up data.
Read extensive expert guidance on preparing for disaster and recovering in the aftermath.
Access resources to help streamline and optimize your workflow and improve efficiency.
Access the Academy's Coronavirus Resource Center to see updates on regulations and relief programs.