Business Continuity Disaster Recovery


Transcript of Business Continuity Disaster Recovery

Page 1: Business Continuity Disaster Recovery

Business Continuity Disaster Recovery

Are You Ready??

Page 2: Business Continuity Disaster Recovery

Definition of Crisis Management Planning

“The advance planning and preparations which are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of a disaster.”

Page 3: Business Continuity Disaster Recovery

Preparing for Disaster: A Toolkit to assist preparing to respond to a crisis

Today's Objectives:

Identify and prioritize areas of risk for your business

Select a compilation of forms to start your own plan

Create an employee calling tree, key contacts forms and critical patient list

Prepare a “test” for your plan

Page 4: Business Continuity Disaster Recovery

Business Impact Analysis

Financial risk (of loss) and what your organization can withstand need to be defined separately. Consider a formula that extrapolates hours to days

How long is your average patient willing to wait for your business to be restored?

BIA includes a thorough stress test of back up, restoration and interdependency (V/D) processes for critical applications

Page 5: Business Continuity Disaster Recovery

BIA - more

You need to:

Identify points of failure in your network

Identify need for robust voice/data restoration

Identify how “Reputational loss” will affect your business

Page 6: Business Continuity Disaster Recovery

BIA – 10 top questions to ask

1. What are your most critical business processes?

2. If those systems were no longer available, how would you function?

3. How do you currently mitigate risk of compromised IT systems?

4. What is your recovery initiation process for compromised or destroyed systems?

5. How will employees respond to a catastrophic event if your business is evacuated?

Page 7: Business Continuity Disaster Recovery

Top 10 - continued

6. If you are no longer able to access your office, how will you restore critical functions?

7. If you face a disaster scenario, what is your communication process to employees, authorities, etc.?

8. Do you have policies/procedures established to keep your company in business post-disaster?

9. Do you have measurable benchmarks for effective response, recovery and restoration programs?

Page 8: Business Continuity Disaster Recovery

Top 10 – not the least

10. Do you test (and how often) your BCP? Do you know where to find those results?

TEST!! TEST!!

TEST!! TEST!!

Page 9: Business Continuity Disaster Recovery

Business Impact Analysis Key Points

Clearly define critical business and restoration processes

Strategize BCP by reviewing current operational service levels

Identify personnel responsible for determining BCP launch

Confirm authorization and security access for launch and restore personnel

If a building is evacuated, identify alternate site needs or telecommuting standards

Page 10: Business Continuity Disaster Recovery

Key Points BIA…..

Can you service your patients from an alternative location or a similar (non-competitive) business? Think out of the box

Utilize industry standards to guide decision to launch BCP or determine functional status

DO NOT SKIP TESTING!!!

Study and repair routine test results and deficiencies

Disasters should not be used to fix known problems

Page 11: Business Continuity Disaster Recovery

Testing Validation

Define roles/responsibilities by abilities/skill

Designate subject matter experts for efficient recovery

Plan testing is critical

Use DR plan for small outages

Be aware that some accrediting bodies now require plan drills, i.e., Joint Commission

Testing identifies DR deficiencies

Page 12: Business Continuity Disaster Recovery

Your to-do list…

Assemble a small team of management from your organization

Review each of the six short chapters in the Toolkit and review the material within: www.hmehurricane.com

Download and print the Toolkit and complete the worksheets

Spend some time discussing your company’s response to a prospective crisis

Page 13: Business Continuity Disaster Recovery

Risk Assessment

Consider what kind of likelihood a risk poses to your business or area

Consider what severity level you feel that risk would pose to your business

Based on your analysis, determine which risks merit a significant part of your focus/plan

Consider setting those priority items as risks that you’ve determined to be reasonably possible and which have a medium or high severity to your business

Page 14: Business Continuity Disaster Recovery

#1 - Insurance

Page 15: Business Continuity Disaster Recovery

Insurance

Meet with your insurance provider annually to review current coverage for such things as physical losses, flood coverage and business interruption.

Exception: If you are substantially growing, review coverage for property and liability more frequently.

Page 16: Business Continuity Disaster Recovery

Insurance

Consider how you will pay employees and creditors in the event of a business interruption

Business Income/Business Interruption/Loss of Income riders frequently are included in property policies (e.g. $25,000)

Additional increments may be purchased for relatively low amounts (e.g., $50K for $100)

Page 17: Business Continuity Disaster Recovery

Insurance

Plan how you will provide for your income if your business is interrupted

About 1/3 of current VGM Insurance Inc. customers carry business interruption/loss of income insurance

Actual Case: First Call Pharmacy (New Orleans) relocated operations to Houston. Moving, loss of income coverage: $100,000.

Page 18: Business Continuity Disaster Recovery

Insurance

Find out what records your insurance provider will want to see after an emergency and store them in a safe place

Keep a copy of your insurance policy/policies offsite and include a checklist for insurance coverage in place and a form to record insurance policy information

Understand what each policy covers and what it does not

Page 19: Business Continuity Disaster Recovery

Insurance – Things to think about

Standard Commercial Property Insurance policies cover fire and theft on premise. Various provisions restrict coverage in insurance policies. Read the entire policy carefully to determine your rights, duties and what is and is not covered.

Page 20: Business Continuity Disaster Recovery

Insurance – Things to think about

HME providers’ equipment that is out in patients’ homes is not usually covered under a Standard Commercial Property policy unless an Equipment Off Premise endorsement is purchased. Equipment off premise provides limited protection for insured property while temporarily at a location not owned, leased or operated by the insured.

Page 21: Business Continuity Disaster Recovery

Equipment Off Premise “Inland Marine”

Depending on the area, some insurance companies include the endorsement within the property policy

Some companies will not write the endorsement in flood plains

Check with your agent!

Page 22: Business Continuity Disaster Recovery

Perils normally excluded from Standard Policies

Flood – 75% of disaster declarations result from natural phenomena in which flooding was a major component. If you are unsure, you can find out if you live/operate in a flood prone area from your state emergency management office or Red Cross chapter

Page 23: Business Continuity Disaster Recovery

Perils normally excluded from Standard Policies

Individuals and business owners can protect themselves from flood losses by purchasing flood insurance through the National Flood Insurance Program (there is normally a thirty day waiting period before a new policy becomes effective). Most commercial property policies exclude flood.

Page 24: Business Continuity Disaster Recovery

Don’t “Under-insure”

Review your buildings and contents coverage

Penalties were applied to many HME providers affected by the disaster for “under-insuring”. Generally, most policies required the providers to purchase property coverage at 80% of “in-house” assets (inventory, furniture, fixtures, office equipment, etc).

Page 25: Business Continuity Disaster Recovery

Other Perils

Earthquake – Coverage for earthquake damage is excluded in most property insurance policies. If you are located in an earthquake-prone area, you’ll need a special insurance policy or commercial property earthquake endorsement

Wind/Hail – Coverage for wind and hail is typically excluded in the coastal regions. If coverage exists, usually a deductible applies; this will be explained in your policy wording.

Page 26: Business Continuity Disaster Recovery

Conclusion

Every policy has different variations of coverage

Get educated regarding your insurance policies. Don’t wait to find out if you are adequately covered…it may be too late!

John Spragle, President, VGM Insurance: “Read your Dec (declaration) Page! If you don’t understand what’s covered and what isn’t, call your agent!”

Page 27: Business Continuity Disaster Recovery

# 2 – Ongoing Operations

Page 28: Business Continuity Disaster Recovery

Triage of Critical Patients

Of course, one of the most important functions of the HME recovery process is providing ongoing care to your critical patients

Identifying these patients by category (e.g., patients on ventilators, mobility challenged patients, oxygen patients) should be done before an emergency happens.

Page 29: Business Continuity Disaster Recovery

In a follow up with HME providers, virtually 100% of them maintained patient lists, which included emergency contact, diagnosis, physician/contact information, HME equipment, settings and back-up equipment information.

However, less than half were up to date…many inaccuracies especially in current addresses were noted.

Page 30: Business Continuity Disaster Recovery

As you identify patients by diagnosis category, you need to assess what resources you need to have to provide ongoing support. Also, it is important where these resources are. Perhaps the most important is…

Page 31: Business Continuity Disaster Recovery

Your Gas Supplier:

Ensure that your oxygen supplier has a generator!

Have emergency numbers to contact them (cell phone, pager, answering service, home numbers).

Page 32: Business Continuity Disaster Recovery

From a VGM member:

“This saved us because cell phones, answering services and pagers were done. I was able to reach the General Manager at his home. He was able to contact his employees to help us with liquid base units. In our case, our gas supplier did not have a generator and could not transfill. He did give us all of his liquid base units and “H” cylinders (used as backups). An “H” cylinder full lasts approximately 57 hours on 2 liters.”

Page 33: Business Continuity Disaster Recovery

Have a backup gas supplier

Ensure that the backup supplier has a generator and will come to your aid in a crisis situation.

From another member: “I happened to know a supplier in our area and he was ready if we needed him. It is very important to requote your business when your contract is up. You truly do make contacts and during a crisis this will separate the best from the average companies.”

Page 34: Business Continuity Disaster Recovery

Generator:

Ensure your generator can power your facility.

“We had lights and phones within 1-2 minutes after the blackout. This saved us because our answering service could not handle our calls. We ended up spending the night to ensure our patients were taken care of.”

Page 35: Business Continuity Disaster Recovery

Generator

Even though your HME has a generator, it may not power your computer (e.g., surges, etc). Have a current hard-copy list of oxygen patients, and prioritize contacting those patients without backup oxygen cylinders.

Page 36: Business Continuity Disaster Recovery

Gasoline Supplier:

Ensure that your gas supplier can manually pump gasoline.

Many diesel suppliers will be OK, but most HME vans run on gas.

Page 37: Business Continuity Disaster Recovery

New Policies:

All trucks must fill up at the end of the day (versus in the morning)

Locate a gas station that can manually pump gas in an emergency

Contact the city that your company resides in, trucking firms, oxygen suppliers and apartment complexes, and see if they have a gas pump on site that you could utilize during an emergency.

Page 38: Business Continuity Disaster Recovery

Miscellaneous:

Bottled water and snacks on site for your staff

Flashlights

Extension cords

From another member – “Most importantly, have someone in charge that can direct and keep people calm. It was truly a challenge when it was not long after 911 and without notice our communication to the world stopped. Someone needs to take control and have a calming effect until you really know what you are dealing with.”

Page 39: Business Continuity Disaster Recovery

Billing Capability

An HME’s ability to continue as an ongoing business is usually contingent upon the ability to bill Medicare and other payer sources.

As part of your planning process you must evaluate how you’re going to continue billing in the event of a disaster.

Page 40: Business Continuity Disaster Recovery

We found that HME’s using Internet based billing systems or billing services were better prepared to continue billing.

What percentage of members of audience use Internet-based systems? Outside billing services. Input on advantages or disadvantages?

Page 41: Business Continuity Disaster Recovery

Billing Capability

CMS has created the following new condition codes and modifier (effective 8/12/2005): “DR (Disaster Related)” and “CR (Catastrophe/Disaster Related)”.

For more detailed billing information and FAQs go to: http://www.hmehurricane.com/

Page 42: Business Continuity Disaster Recovery

Payroll

Payroll continuity is key to continued loyalty of your employees, so make sure your planning addresses your on-going ability to pay employees. It helps them handle disaster-related problems at home and meet their personal financial obligations.

Page 43: Business Continuity Disaster Recovery

Disaster Bonus

“At the time we did not have a bonus structure in place for emergencies. Our employees rose to the occasion. I was extremely proud of them for going above and beyond. After the blackout, we instituted a bonus plan and paid employees a bonus. We had a luncheon meeting and presented all employees with the bonus. It went over so well. I really have to say it was one of the most moving moments for me. These people love and care for our patients. We even serviced patients that were not ours, just because we are who we are.”

Page 44: Business Continuity Disaster Recovery

#3: Internal & External Communications/Public Relations

Page 45: Business Continuity Disaster Recovery

Internal Communication

One of your most valuable assets is your employees. In the event a disaster occurs, you need to protect yourself and your staff. You also have to consider the possible impact a disaster will have on your employees’ ability or desire to return to work.

Page 46: Business Continuity Disaster Recovery

Advanced Planning Steps

Create and maintain an employee contact list with current address and phone numbers for each person on staff.

Create a “calling tree”. Use your employee contact list to fill out a calling tree. Maintain and keep this in an accessible location. Also make sure a copy is offsite. The person designated as “primary” on the tree should be the one responsible for the tree and for calls by fellow employees.

Page 47: Business Continuity Disaster Recovery

Actual Scenario:

Virtually 100% of HME providers had developed call tree procedures. Copies were in offices, vans, homes, on-call vehicles, etc.

When asked the last time the “calling tree” procedure was tested, responses ranged from “never..we made one for JACHO”, to “a few months ago”.

Select a day in the near future and TEST!

Page 48: Business Continuity Disaster Recovery

Transportation and Housing

Have you considered the need for alternative forms of transportation for employees? Rental vehicles?

You need to be prepared if a disaster occurs and your employees don’t want to return to the area. You may need to consider issues such as alternative housing options and ways to replace the knowledge base lost if employees don’t return to work.

Page 49: Business Continuity Disaster Recovery

Store a hard copy of your vital information such as your employee data and payroll in a fire-proof box off-site. Some experts recommend at least 50 miles away. Make it a critical part of your routine to regularly back up your personnel and payroll files.

More companies are using internet based back up companies who routinely back up critical information. Then the information is readily available from any internet ready source.

Page 50: Business Continuity Disaster Recovery

External Communication

Planning is required so that when a disaster or emergency occurs, inquiries from the news media, patients, referral sources and staff can be handled effectively. It is easier to compose communications in advance, with time to think, than it is in the face of a crisis.

Page 51: Business Continuity Disaster Recovery

In our follow-up, we asked HME providers what they would have done differently with regard to external communications and suggestions for advance planning. They replied….

Page 52: Business Continuity Disaster Recovery

Identify a Spokesperson. Within the HME communication team, there should be an individual who is authorized to speak for the company. That person should be an effective communicator.

Anticipate and prepare universal talking points. You need to make sure the facts presented to the public are accurate and positive. Be proactive and prepared for a crisis. Hold a Communication Team meeting and identify possible crises that can occur. Think in advance about “canned” responses to different situations.

Page 53: Business Continuity Disaster Recovery

This is a good example:

“We have implemented our crisis plan, which places high priority on our patients and employees. For additional information we can be contacted at…”

Always make sure contact information is included. Your patients, employees, referral sources, etc, need to know how to contact you. You cannot tell them too often during a time of crisis.

Page 54: Business Continuity Disaster Recovery

To Do List: Prepare an updated external key contact list! You will need to develop a list of key contacts who may be critical to the operation of your business.

Page 55: Business Continuity Disaster Recovery

Special Web Sites

Activated in time of crisis (or as a follow-up to an emergency situation) with the purpose to keep patients informed.

Toll free emergency call in numbers, contact information, FAQs with regard to equipment, etc

Other appropriate information

Discuss with your web hosting/development company

Page 56: Business Continuity Disaster Recovery

#4: Data Protection & Recovery and Document Retention

Page 57: Business Continuity Disaster Recovery

Data Protection and Recovery

In this electronic age, you rely more than ever on your computers to supply you with the information you need. Chances are every piece of data you might ever rely on to make an important decision has been reduced to a digital format and resides somewhere on a computer hard drive.

Page 58: Business Continuity Disaster Recovery

Improved functionality and productivity are the benefits of technology. On the flip side, however, it takes only one wrong click, one nasty virus, one untimely power surge, one unhappy employee or one natural disaster, and that data can be gone forever!

Page 59: Business Continuity Disaster Recovery

Data Back-Up

Having hard copies of data important to your company is crucial to recovery. Data is located in many places throughout your business, even if you are “computerized”. Use the Data Backup Worksheet to help you identify what data you need and determine if it’s backed up and where. Then use the Risk Assessment worksheet. These two worksheets will help you determine where your data backups need to reside for the greatest level of protection for your business.

Page 60: Business Continuity Disaster Recovery

Many disaster providers wished they had subscribed to a business data storage/replication service.

All agreed that storage some place outside of the HME facility offered the best protection.

On-line backup services are a good choice with reasonable costs.

Page 61: Business Continuity Disaster Recovery

Test your backups!!!!!

You need to make sure that your backup process is working before you need it. A simple way to test the effectiveness of your backup procedures is to create a test file that is backed up during your normal backup process. Delete this file from your computer and attempt a restore from your backup media. We suggest doing this at least twice a year.
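The restore test described above, as an added shell example (not part of the original presentation): it plants a test file, backs it up, deletes it, restores it to a scratch folder and compares checksums, so a backup that silently misses or alters the file is caught. Here tar stands in for your normal backup job, and the file name restore-canary.txt and the function names are assumptions.

```shell
#!/bin/sh
# Restore drill: test file -> backup -> delete -> restore -> compare.
# Added example; tar is a stand-in for the real backup job (assumption).

CANARY_NAME="restore-canary.txt"   # hypothetical test-file name

# Print a content digest of file $1 (SHA-256 if available, else POSIX cksum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        cksum < "$1" | awk '{print $1 "-" $2}'
    fi
}

# plant_canary DATA_DIR: write a uniquely stamped test file, print its digest.
plant_canary() {
    printf 'restore drill canary %s pid %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" > "$1/$CANARY_NAME" || return 1
    hash_file "$1/$CANARY_NAME"
}

# run_backup DATA_DIR ARCHIVE: replace this with your normal backup process.
run_backup() {
    tar -cf "$2" -C "$1" .
}

# verify_restore ARCHIVE EXPECTED_DIGEST
# Restores only the test file into a scratch directory, never over live data.
# Returns 0 = restored and identical, 1 = file not restorable from this
# backup, 2 = file restored but its content differs.
verify_restore() {
    scratch=$(mktemp -d) || return 1
    status=0
    if ! tar -xf "$1" -C "$scratch" "./$CANARY_NAME" 2>/dev/null; then
        status=1
    elif [ "$(hash_file "$scratch/$CANARY_NAME")" != "$2" ]; then
        status=2
    fi
    rm -rf "$scratch"
    return "$status"
}

# restore_drill DATA_DIR ARCHIVE: the full procedure from the slide.
restore_drill() {
    expected=$(plant_canary "$1") || return 1
    run_backup "$1" "$2" || return 1
    rm -f "$1/$CANARY_NAME"            # simulate losing the file
    verify_restore "$2" "$expected"
}

# Demo on constructed sample data in a temporary directory.
demo=$(mktemp -d)
mkdir "$demo/data"
printf 'constructed sample record\n' > "$demo/data/patients.csv"
if restore_drill "$demo/data" "$demo/backup.tar"; then
    echo "restore drill passed"
else
    echo "restore drill FAILED (status $?)"
fi
rm -rf "$demo"
```

Record the date and result of each drill alongside the plan so the test results can be found later.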

Page 62: Business Continuity Disaster Recovery

Keep a current list of hardware and software

Actual Scenario: “This helped us with our insurance claim and aided in replacing the computer equipment”.

Make sure this list includes the hardware for the tape or disk backup method you use.

See the Essential Equipment worksheet.

Page 63: Business Continuity Disaster Recovery

Document Retention

As you are well aware, certain documents are extremely important to an HME business, including patient medical records and CMN’s. In the planning process you must consider how you would deal with the potential loss of these important documents. Consider the purchase of scanning capabilities to “image” patient CMN’s and other papers that are crucial to your business.

Page 64: Business Continuity Disaster Recovery

#5 HME Physical Plant

Page 65: Business Continuity Disaster Recovery

Advance Planning Steps

Contact Information. Make sure a list of all contact information for utilities, contractors, building maintenance, any company that is involved in physical building is kept offsite.

Included in this list will be all account numbers, any contractual information or any other pertinent information. Make sure you also have a telephone list for all employees that would be involved with fire, police and emergency personnel.

Page 66: Business Continuity Disaster Recovery

Advance Planning Steps

Setup Building Safe Area. Identify safe areas in building if disaster occurs during business hours.

Identify these areas with appropriate signage, e.g., Tornado Shelter

In case of fire, designate an area outside the building where employees should meet. If building is unavailable, have a predetermined location for personnel to meet after a disaster. Have two alternates, just in case disaster is widespread.

Page 67: Business Continuity Disaster Recovery

Advance Planning Steps

Office Equipment Inventory. Keep an inventory of all office equipment, copiers, office machines, desks, chairs, fixtures, etc, and whether you own or lease.

You should explore rental options to replace damaged equipment during the time it is being repaired or replaced and request written estimates of rental, set-up, shipping costs and delivery times. This is particularly important if you rely on equipment that is highly specialized or difficult to replace. Be sure to add the rental companies you have contacted to your Suppliers/Vendors form.

Page 68: Business Continuity Disaster Recovery

Advanced Planning Steps

Transportation Needs. Don’t forget your cars/delivery vans. Plan to protect them, but also have alternate plans to meet your essential transportation needs.

Essential Equipment List. After a disaster a building might not be entered for more than a few minutes. Have a predetermined list of critical items (if salvageable) that you would need to retrieve. Items such as computers, computer disks, certain paper files and work in progress.

Page 69: Business Continuity Disaster Recovery

#6: Phones and Internet

Page 70: Business Continuity Disaster Recovery

Advance Planning

Determining how your patients, referral sources and employees reach you during an incident is critical. Whether it is by voice, email, fax or snail mail, you need to pre-plan how you will be contacted!

Page 71: Business Continuity Disaster Recovery

Advance Planning

Arrange for programmable call forwarding for your main business number.

If you cannot physically access your business, you can call into your local phone service provider and have the calls to your local phone number reprogrammed to ring elsewhere.

Page 72: Business Continuity Disaster Recovery

Advance Planning

Consider alternative forms of communications. Should your phone system not be working, it is necessary to keep in touch with your employees and patients. In anticipation of a break in all phone service, including cell phones, some alternatives would be simple two-way radios, satellite phones and pagers that send signals to each other.

Page 73: Business Continuity Disaster Recovery

Actual Scenarios from HME providers

Many communicated by email.

Those with websites posted an emergency messaging system after power was restored.

Check with your answering service to arrange a voicemail box that can record messages for your employees. They can then check this one location for information on the business.

Page 74: Business Continuity Disaster Recovery

More Advanced Planning

Recovery Location. As you think about your voice communication needs at your recovery location, determine whether you will need speakerphones, voice mail capacity or the ability to record conversations. Also decide if you will need conference calling capability in order to have conference calls with employees, key contacts and/or patients to assess disaster damage and to make recovery decisions.

Page 75: Business Continuity Disaster Recovery

Actual Scenario:

During a power failure, the HME telephone system did not work since it relied on external power.

Page 76: Business Continuity Disaster Recovery

Suggestions:

If your fax machine is directly connected to a telephone line, you should be able to plug a plain telephone into the connection the fax uses and make phone calls. This is because the local phone company has extensive backup power.

Consider purchasing back-up “Plain Old Telephone” sets (very inexpensive!)

Page 77: Business Continuity Disaster Recovery

Important Communications Records (Keep Offsite) & To Do..

Local phone service-get “Customer Service Record”, all contact information, discuss emergency options

Answering service-get contact information; ask what services they offer

Telephone system-updated inventory list, contact info, replacement procedures discussed

Long distance-contact info, ask to repoint your toll-free # to answering service or alternative

Page 78: Business Continuity Disaster Recovery

And, most importantly

Page 79: Business Continuity Disaster Recovery

Assign Accountability!!!

It is essential that senior leadership of the HME organization sponsors and takes responsibility for creating, maintaining, testing and implementing these steps. This will ensure that management and staff at all levels understand that preparedness is a critical top management priority.

Page 80: Business Continuity Disaster Recovery

Then……….

TEST TEST TEST TEST TEST

Page 81: Business Continuity Disaster Recovery

Update: Pandemic??

“The fact of the matter is, when it comes to pandemics, we are overdue and we are under-prepared,” warned U.S. Health and Human Services Secretary Mike Leavitt at a forum at the National Press Club in Washington D.C.

Page 82: Business Continuity Disaster Recovery

HHS’s Home Health Care Services Pandemic Influenza Planning Checklist is now available!

Go to http://www.pandemicflu.gov/plan/healthcare.html

Please download, review and complete this document carefully!

Page 83: Business Continuity Disaster Recovery

Establish policies to be implemented during a pandemic:

Establish policies for employee compensation and sick-leave absences unique to a pandemic (e.g. non-punitive, liberal leave), including policies on when a previously ill person is no longer infectious and can return to work after illness.

Establish policies for flexible worksite (e.g. telecommuting) and flexible work hours (e.g. staggered shifts).

Establish policies for preventing influenza spread at the worksite, e.g., promoting respiratory hygiene/cough etiquette, and prompt exclusion of people with influenza symptoms.

Page 84: Business Continuity Disaster Recovery

More policies….

Establish policies for employees who have been exposed to pandemic influenza, are suspected to be ill or become ill at the worksite (e.g. infection control response, immediate mandatory sick leave).

Establish policies for restricting travel to affected geographic areas, evacuating employees working in or near an affected area when an outbreak begins, and guidance for employees returning from affected areas (refer to CDC travel recommendations).

Page 85: Business Continuity Disaster Recovery

One more….

Set up authorities, triggers and procedures for activating and terminating the company’s response plan, altering business operations (e.g. shutting down operations in affected areas), and transferring business knowledge to key employees.

Page 86: Business Continuity Disaster Recovery

Additional Resources

US Department of Homeland Security: www.ready.gov

Federal Emergency Management Agency: www.fema.gov

International Risk Management Institute: www.irmi.com

VGM Insurance: www.vgminsurance.com

VGM Technologies: www.vgmt.com

Page 87: Business Continuity Disaster Recovery

Other possible resources:

Your State Association: www.mhha.org

State and/or local government

Department of Public Health