Disaster Recovery and Emergency Action Plan: Hope for the Best, Plan for the Worst!

April 3, 2023
Disasters can happen when you least expect them, and it is super important for your practice to have a plan in place that helps employees know what to do when and if a disaster occurs. The disaster recovery plan (DRP) and emergency action plan (EAP) are two of the most common policies that practices should have in place. If you are thinking to yourself ‘That sounds like two fancy names for the same thing’ you are right! The DRP and EAP are very similar in nature. In this blog, we’ll explore how a disaster recovery plan and an emergency action plan are similar, yet each meets different requirements: one for HIPAA and one for OSHA.

To set the stage, let’s review the priorities of HIPAA and OSHA. HIPAA looks to protect the privacy and security of patients’ health information and OSHA is in place to protect the safety and health of your employees. Keeping this in mind, the disaster recovery plan relates to HIPAA and the emergency action plan relates to OSHA.

So first up, the disaster recovery plan and emergency action plan are designed to mitigate the impact of an unexpected event. As it relates to HIPAA, the disaster recovery plan outlines the steps your practice needs to take to restore its essential business functions after a disaster has occurred, such as a cyberattack or natural disaster. And the emergency action plan focuses on identifying potential hazards and the steps to take to prevent or minimize the impact of those hazards from an OSHA perspective. As you can see already, both plans are intended to ensure that an organization can continue to operate in the face of an unexpected event.

Next, both of these plans involve identifying and assessing potential risks. The HHS, the agency that oversees HIPAA, wants your disaster recovery plan to identify the types of disasters that could impact your practice and assess the potential impact and likelihood of those disasters occurring. Similarly, OSHA wants your emergency action plan to help identify and plan for potential hazards that could impact your practice. Some examples include fires, chemical spills, or even workplace violence. Hopefully, you can see that there is an overall theme here for both plans, which is to identify and assess any risk so that your practice can take steps to reduce the impact when those risks occur.

Last and certainly not least, have a plan for the plan! Okay, we know that sounds a little silly but making sure employees know the who, what, where, and when is key to ensuring these plans are effective and can be executed if the need arises. The HHS looks for your disaster recovery plan to include creating backups of critical data and systems, developing contingency plans for alternate locations, and establishing communication protocols for employees and stakeholders. Similarly, OSHA wants the emergency action plan to involve developing evacuation plans, creating emergency communication protocols, and providing first aid training to employees. In both cases, the goal is to develop strategies that will help the organization respond effectively to an unexpected event and include employees in that process.

Alright, let’s put a bow around these two plans! Both plans are designed to mitigate the impact of unexpected events, involve identifying and assessing risks and developing strategies to mitigate those risks, and require ongoing maintenance and testing. By understanding the similarities between these two plans, practices can ensure that they have the necessary plans in place to respond effectively to any unexpected event, all while protecting their patients’ PHI and keeping their employees safe and healthy!