Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans

Disruptions, such as natural disasters or technical malfunctions, can make electronic health records (EHRs) unavailable to hospital staff. Prior OIG work found, for example, that hospitals experienced substantial challenges responding to the effects of Superstorm Sandy, which included damage to health information systems and curtailed access to patient medical records. More recently, cyberattacks on hospitals have similarly prevented or limited access to EHRs. The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires all covered entities to have a contingency plan for responding to disruptions to electronic health information systems. Contingency plans specify processes to recover EHR systems and access backup copies of EHR data in the event of a disruption. This evaluation provides information about the status of hospitals' contingency plans in light of evolving threats to their electronic health information systems.