SlideShare a Scribd company logo

Disaster Recovery planning within HIPAA framework

David Sweigert
David Sweigert

Disaster Recovery planning within HIPAA framework

Data & Analytics
1 of 42
Contingency Planning: Addressing Critical Business Processes That Support Implementation of HIPAA Transactions Marie Margiottiello, CMS Henry Chao, CMS February 12, 2003 New Orleans
Overview � Definitions � Risk Analysis � Analyzing Risk Relative to HIPAA Impact � Identification of Critical Business Processes � Identification of Potential Failures � Business Impact Analysis � Minimum Acceptable Levels � Identification of Alternatives/Contingency � Develop The COOP � Testing � Training & Updating the Plan � Examples
Definitions �DISASTER RECOVERY PLAN: The document that defines the resources, actions, tasks and data required to manage the business recovery process in the event of a business interruption. The plan is designed to assist in restoring the business process within the stated disaster recovery goals. Source: Disaster Recovery Journal
Definitions �CONTINGENCY PLAN: A plan used by an organization or business unit to respond to a specific systems failure or disruption of operations. A contingency plan may use any number of resources including workaround procedures, an alternate work area, a reciprocal agreement, or replacement resources. Source: Disaster Recovery Journal
Definitions �DISASTER RECOVERY PLANNING: The technological aspect of business continuity planning. The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster. SIMILAR TERMS: Contingency Planning; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster Preparedness. Source: Disaster Recovery Journal
Definitions �CONTINGENCY PLANNING: Process of developing advance arrangements and procedures that enable an organization to respond to an event that could occur by chance or unforeseen circumstances. Source: Disaster Recovery Journal
Definitions � CONTINUITY OF OPERATIONS PLAN (COOP): A COOP provides guidance on the system restoration for emergencies, disasters, mobilization, and for maintaining a state of readiness to provide the necessary level of information processing support commensurate with the mission requirements/priorities identified by the respective functional proponent. This term traditionally is used by the Federal Government and its supporting agencies to describe activities otherwise known as Disaster Recovery, Business Continuity, Business Resumption, or Contingency Planning. Source: Disaster Recovery Journal
Definitions � For consistency, use Continuity Of Operations Plan (COOP) � COOP can be inclusive of all activities associated with previous terms � Organizational readiness begins with clear recognition, understanding, and commitment to the scope of your COOP � You get what you pay for
Risk Analysis �How likely is it to occur ? ~ and ~ � What impact would it have ?
Risk Analysis � Specify probability and criticality � Product of: (probability) x (criticality) � Probability: chance that the future event will occur (if present, it’s a problem, not a risk) � Criticality: the impact of a future event (no impact = no risk)
Risk Analysis � Degrees of probability � High – nearly certain (80 – 99%) � Moderate – probable, possible (20 – 80%) � Low – improbable (< 20%) � More ranges may be appropriate
Risk Analysis � Degrees of Criticality � High – total failure or serious degrading of business function � Moderate – impaired performance � Low – little impact, but more than none � More ranges may be appropriate
Analyze Risk Relative to HIPAA �Use accurate stats for your operations �Number of beneficiaries �Number of providers �Volume of transactions (by provider type, if possible) �$ value of transactions �MCOs �Helpline/Hotline call volume �Payment cycles �Waiver programs �Contractors’ roles �Are there state-level coordination issues?
Identification of Critical Business Processes � Identify events with potential to degrade ability to do business � Eligibility - Inquiry & Response � Beneficiary Enrollment / Disenrollment � Authorization – Request & Response � Claim / Encounter � Remittance / Payment � Claims Status - Inquiry & Response
� � Identification of Potential Failures Describe expected outcome of each event: � Eligibility Inquiry not possible (receipt, validation, processing) � Response not possible (generation, translation, transmission) � Enrollment / Disenrollment Enrollment not possible (generation, translation, transmission) � Disenrollment not possible ( generation, translation, transmission) � Authorization � Request not possible (receipt, validation, processing) � Response not possible (generation, translation, transmission)
Identification of Potential Failures � Claim � Claim receipt not possible (receipt, translation) � Claim processing not possible (validation, adjudication) � Remittance / Payment � RA not possible (generation, translation, transmission) � Claim Status � Status inquiry not possible ( receipt, validation, processing ) � Status response not possible ( generation, translation, transmission)
Identification of Potential Failures � Identify users and areas likely and seriously affected � System areas modified but not tested thoroughly � System areas tested only internally (not tested via actual B-2-B) � Areas of end-user unfamiliarity (new processes, new outputs, new interfaces) � Trading partner issues (process, product) � Multiple degradations/failures, source of problem not easily determined � Trickle down effect, identify other business associates affected
Business Impact Analysis � Identify business process affected � Determine tolerance level if function(s) are degraded, disrupted, or completely unavailable
Business Impact Analysis � Analyze process and ask “how BAD is it (really), if:” � Providers can’t determine if patients are eligible, or what they’re eligible for ? � Recipients can’t get enrolled into a health plan ? � Medical services can’t be authorized ? � Claims aren’t received electronically ? � Claims can’t be processed ? (validated, adjudicated, rejected, archived, etc.) � Providers can’t be paid ? � Providers can’t tell what the status of a claim is ?
What Is The Tolerance? � Determine risk actions to be taken based on varying levels of tolerances for critical processes � Accept risk (do nothing) � Watch it (monitor) � Mitigate (reduce criticality and/or probability) � Plan for contingencies
Business Impact Analysis � Document risk analysis (description and rationale) � Prioritized listing of critical business processes � Business processes should be identified, evaluated, and then ranked in order of importance
Business Impact Analysis Business Process: Dependency Probability Duration Criticality Impact Total Risk Score Dep #1 Dep #2 Dep #3
Business Impact Analysis Business processes #ofbeneficiaries impacted #ofproviders impacted %costsofthis businessprocess comparedwith totalenterprise %ofmonthly transactions Politicalsensitivity What’stheadverse impacton beneficiaries What’stheadverse impacton providers Totalscore BP #1 BP #2 BP #3 And so on
Minimum Acceptable Levels � Eligibility – inquiries & responses � Enrollments & Disenrollments � Authorization – requests & responses � Claims – receipt & adjudication of EDI and paper � Remittance � Claims Status – inquiries & responses
Identification of Alternatives Selection of Contingency � For each critical business process, identify all the possible alternatives (workarounds) � Select ONE alternative for each business process / scenario
Develop The COOP � Each contingency needs to specify: � Assumptions (baseline parameters for planning) � Triggers (indication of failure) � Notification (who to tell) � Resource Assignments (who does what) ERT � Procedures (the work-around) � Duration (for how long) � Monitoring (see how it goes)
Develop The COOP � Analyze and document required resources to support the plan � Establish command, communication, and control procedures for executing the plan; Includes: � Timely recognition of trigger of disruption � Designated plan invoker � Organized, responsive, and accessible emergency response team (ERT)
Develop The COOP � Does your Incident Reporting mechanism work like this: …or slightly faster… � Require tested and operational Incident Reporting mechanism to support all communication channels
Develop The COOP � Minimum Acceptable Level of Service: This is some predetermined level of service. It may be a percent of volume or length of time, etc. � Triggers: cause a COOP to be invoked. separated from triggers by a period of time before These are the specific failure points that Events may be the contingency is invoked � Concept of Operations: The concept of operations is a short summary paragraph providing a macro level view of how the workaround will unfold
Develop The COOP � Emergency Response Teams � ERTs are tailored for each business process � The information should include positions, names of “who” is assigned, function, and telephone numbers [work, home, cell, pager], etc. � Contact procedures for ERT members: This section should indicate “what” method will be used to contact the ERT members: e.g. phone trees with home/cell/work numbers, ‘code’ announcements for state employees, email, other alternate means
Develop The COOP � Escalation of Problems and Reporting Procedures: This is the information that is conveyed in the execution of the COOPs…verbal, written, frequency � Training Plan: This section explains the “why” training is conducted, “when” it will be done, “who” conducts and receives training, and “how”. (Prep for doing the CPs, periodic, and just-in-time.) � Validation Plan: This section describes a process for testing and validating the COOP.
Develop The COOP � Outreach Plan: This section explains “how” and “when” the Medicaid enterprise will communicate to beneficiaries and providers that contingency operations have started and ended � Plan Maintenance Procedures: describes “how” the COOP will be reviewed, This section changed, updated and “who”is responsible � Day One Strategy: Procedures for the initial transition to the COOP � Distribution: This section lists “who” and “where” copies of the COOP are located
Develop The COOP � Disaster Recovery Plan: This section may be where a copy of the DRP (May be your F/A) is located for reference (IT and infrastructure) � Alternative Strategies: identification of all possible workarounds from which one is selected (with justification) This section provides for the Example: Provider Claims � hold all claims until system is recovered � pay percentage of historical (previous month, quarter, year) � pay prioritized list of providers most significantly impacted if not paid � first in – first out
Develop The COOP � Business partners affected: This section should identify all the business partners / other agencies affected by the implementation of the COOP -- “who” � Resources and cost estimates to implement the COOP: This is a list of those things necessary to execute the COOP -- “what” � Restore to normal ops: This section contains procedures for transitioning back to normal operations after a contingency is no longer required
COOP Organization Public Relations Crisis Coordination Enterprise Management Team (XMT) Emergency Management Team (EMT) Emergency Response Team (ERT) Contractors Financial Institutions Other Stakeholders Other Federal Agencies Other State Agencies Providers Media Governor CMS Beneficiaries
COOP Testing � Exercise COOP to ensure: � Adequacy of assumptions � Staff comprehension of COOP procedures � Under duress, staff can accomplish in expected timeframes, produce expected outcomes (for example, MALS) � Assigned COOP resources (alternate site, equipment, lines, ERT, etc.) are functional, available
� Training � Raise Awareness Periodic presentations to team members, management, new employees � Offer external COOP training, conference opportunities, create library of publications � Conduct Validation Exercises � Desktop walk-thru or more realistic simulation “fire drill” � Pre-exercise brief, audit the process, document progress, allow participant feedback, and debrief � Establish change control procedures � Establish uniform distribution of plan; version control
Updating the COOP � As personnel change � As situations change � Cycle of continuous improvement TestingTesting RevisingRevising TrainingTraining
Table of Contents From Actual State BCCP/COOP Plan � I. Introduction – Current Business Process Overview � II. Assumptions � III. Concept of Contingency Operations � a. – Rapid Response Organization: – i. Executive Team – ii. Operating Team – iii. Business Contingency Plan Managers � b. � c. Phone Trees � IV. Eligibility Verification � V. Claims Processing/Reimbursement Services � VI. Systems Management � VII. General Administration � VIII. Managed Care � IX. Chronic Care � X. Acute Care Responsibilities Incident Management Guide � XI. Legal and Regulatory � XII. [Fiscal Agent] Disaster Recovery Plan
Disruption to State Payment and Eligibility Function Notify ERT Alternate and/or Co-Leader Begin Assessment of Impact to State Functions Decide Initial Response Procedure Notify all ERT Members Notify Select Members of ERT Go to Page 2 Estimate impact requires significant resources Only need subset of ERT No response required Go to 2 Disaster Event Affecting State- Level Medicaid Operations Start Event Log Entries Verify with Respective RO Staff (Preferably the RA or ARA) CMS Central Office Response Process for State-Level Disaster/Disruption-Page 1 Notification may come from a variety of sources including, but not limited to: CMS Senior Staff CMS Regional Office(s) Press Office Public Media ERT Leader or Designee Exit point will be determined by the ERT Leader. emergency response is required, ERT leader may designate a monitoring function complete exit. Is the RO Affected? Go to Page 4 Decide if disruption affects RO's ability to operate normally Yes Page 4 lists the steps required to address disruption to the RO from the perspective of the CO. Each RO may invoke individual procedures, i.e., shift operations to another RO No SMA Invoked Contingency Plan? RO Request copy of BCCP Forward to 018D ERT Leader RO Contact SMA Staff to Asess Intention to Invoke BCCP ERT Leader should be made aully aware of the situation 018D indicates the use of a "Plan Invoker"--This is either a senior-level manager or a RMS designated contact Yes No Communicate SMA Intention to ERT Leader It is possible that the SMA invoked a systems disaster recovery plan rather than a business continuity plan-­ which is much more comprehensive. Determine the kind of plan invoked and compare the appropriateness of the response versus the disruption. Page Although no formal prior to a
HIPAA Transaction and supporting business process assessed for HIPAA impact Completedasof HIPAA Transaction and supporting system functions renovated Completedasof HIPAA Transaction with Associated Supporting Business and System Functions Tested End- to-End Start Date of End-To- End Testing for HIPAA Transaction Completedasof HIPAA Transaction with Associated Supporting Business and System Functions Implemented Start Date of Implementa­ tion of HIPAA Transaction Completedasof COOP Updated for HIPAA Transaction Completedasof Unable to Meet 10/16/2003 Deadline for HIPAA Transaction, Prioritze for COOP Y/N Date or Expected Date Y/N Date or Expected Date Y/N Date or Expected Date Date or Expected Date Y/N Date or Expected Date Date or Expected Date Y/N Date or Expected Date Indicate Priority Professional Claim/ Encounter [837P] Inpatient Claim/ Encounter [837I] Dental Claim/ Encounter [837D] Pharmacy Claim/ Encounter [NCPDP] Claim Receipt and Translation Claim Adjudication/Pricing/Calculation Capitation Payment Managed Care Administration Fee Payment Institutional LTC Payment Premium Payment [820] Medicare Buy-in Premium Payment Private Health Insurance Premium Payment Non-Standard Claim Payment Mass Claim Adjustment Transaction Claim, Encounter, and Payment Communications Remittance Advice [835] Claims Payment Check/Warrant Processing Claim Status Request, Voice/Fax/Electronic Claim Status Response [277] Claim Status Response, Voice/Fax/Electronic Eligibility Verification Request [270] Processing Request, Voice/Fax/Electronic Eligibility Verification Response [271] Processing Response, Voice/Fax/Electronic Eligibility and Enrollment Notices and ID Documents Recipient Maintenance, Communication/TPL/Appeals/Lock-in Eligibility Data Exchange Enrollment Transaction [834] Enrollment Rosters to MCO Request for Auth. of Service [278] Response for Auth. of Service [278] Prior Authorization Receipt, Voice/Fax/Paper/Electronic Messages, Receipt/Acknowledge/Accept/Reject Continuity of OperationsTestingGap Analysis Renovation Implementation and Transition For each phase from Gap Analysis through COOP, fill in the corresponding cells for each HIPAA transaction. business processes are listed as prompters to ensure these have been addressed in each phase of HIPAA implementation. guideline and is not an exhaustive list of processes that is necessary to be addressed for HIPAA implementation. Italicized, indented The list serves as a
Utilization Review Review, Medical/Peer/Administrative Generate and Distribute EOMBs Catastrophic Case Management SURS – Establish System Parameters SUR Case Referrals for Investigation Provider Prepayment Review Retro DUR Fraud Detection Processing, Data Mining Quality Assurance, Medicaid/MCO/Enrollment Broker Rate Setting Rate Setting, Fee For Service/Managed Care/Co-Payment/Capitation Rates/Waiver Rates Rate Calculation, Institutional/Outpatient/Pharmacy/Clinic/Encounter/Non-Institutional Practitioner DME and Supplies Rates and Clinical Lab Fee Schedule Fees, Case Management/Administration Management Reporting Reporting, EPSDT/MSIS/HEDIS Decision Support Claims History Inquiry 1099 Production Public Health and Vital Statistics Reporting Financial Management Accounts Receivable/Payable/TPL Collection/Drug Rebate/Recoveries/Bank Reconcilliation Drug Rebate Drug Rebate Claim Selection Drug Rebate Invoicing Drug Manufacturer Response Processing Auditing Pharmacy Fill Fee Audit Cost Settlement Audits Quality Control Medicaid Eligibility Quality Control Claims Processing Quality Audits Translator Administration Translator Contract Management Mapping to Adjudication System Translator Maintenance Trading Partner Administration Data Exchange Information Acquisition Data Exchange Information Maintenance The following business processes are from Medicaid Administration and Utilization Management areas, which are impacted in varying degrees by some oralloftheHIPAAtransactionsandwouldhavetobeaddressedinallphasesofHIPAAimplementationfromGapAnalysisthroughContinuityof OperationsPlanning.

Recommended

Equipment Criticality Analysis
Equipment Criticality AnalysisEquipment Criticality Analysis
Equipment Criticality AnalysisRicky Smith CMRP, CMRT
 
Criticality Analysis WIRAM Webinar Nov 17
Criticality Analysis WIRAM Webinar Nov 17 Criticality Analysis WIRAM Webinar Nov 17
Criticality Analysis WIRAM Webinar Nov 17 Jennifer Zach
 
Tool Box Talk - Developing Equipment Criticality
Tool Box Talk - Developing Equipment CriticalityTool Box Talk - Developing Equipment Criticality
Tool Box Talk - Developing Equipment CriticalityRicky Smith CMRP, CMRT
 
Risk analysis
Risk analysisRisk analysis
Risk analysisIndu Sharma Bhardwaj
 
Risk assessment tools and techniques
Risk assessment tools and techniquesRisk assessment tools and techniques
Risk assessment tools and techniquesAhmad Azwang Aisram Omar
 
Risk Analysis
Risk AnalysisRisk Analysis
Risk AnalysisNishodh Saxena Ph. D.
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop Ersoy AKSOY
 
Risk analysis
Risk analysis Risk analysis
Risk analysis Arvind Kumar
 

Recommended

Equipment Criticality Analysis
Equipment Criticality AnalysisEquipment Criticality Analysis
Equipment Criticality AnalysisRicky Smith CMRP, CMRT
 
Criticality Analysis WIRAM Webinar Nov 17
Criticality Analysis WIRAM Webinar Nov 17 Criticality Analysis WIRAM Webinar Nov 17
Criticality Analysis WIRAM Webinar Nov 17 Jennifer Zach
 
Tool Box Talk - Developing Equipment Criticality
Tool Box Talk - Developing Equipment CriticalityTool Box Talk - Developing Equipment Criticality
Tool Box Talk - Developing Equipment CriticalityRicky Smith CMRP, CMRT
 
Risk analysis
Risk analysisRisk analysis
Risk analysisIndu Sharma Bhardwaj
 
Risk assessment tools and techniques
Risk assessment tools and techniquesRisk assessment tools and techniques
Risk assessment tools and techniquesAhmad Azwang Aisram Omar
 
Risk Analysis
Risk AnalysisRisk Analysis
Risk AnalysisNishodh Saxena Ph. D.
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop Ersoy AKSOY
 
Risk analysis
Risk analysis Risk analysis
Risk analysis Arvind Kumar
 
Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery PlanningKathy Pelletier
 
Risk Adjusted Estimating Techniques
Risk Adjusted Estimating TechniquesRisk Adjusted Estimating Techniques
Risk Adjusted Estimating TechniquesGovernment Contract Pricing Summit
 
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans SRIIA Technologies, Inc.
 
Risk analysis
Risk analysisRisk analysis
Risk analysissaurabhshertukde
 
Project risk management: Techniques and strategies
Project risk management: Techniques and strategiesProject risk management: Techniques and strategies
Project risk management: Techniques and strategiesDebashishDas49
 
2010; Risk Management Workshop Rev.1.1
2010; Risk Management Workshop Rev.1.12010; Risk Management Workshop Rev.1.1
2010; Risk Management Workshop Rev.1.1Muhammad Ector Prasetyo
 
Quality management specialist
Quality management specialistQuality management specialist
Quality management specialistselinasimpson1001
 
Risk Management
Risk ManagementRisk Management
Risk Managementysshah
 
Contingency%20planning%20lecture%205
Contingency%20planning%20lecture%205Contingency%20planning%20lecture%205
Contingency%20planning%20lecture%205Magdalena Anna Fas
 
risk analysis
risk analysis risk analysis
risk analysisArvind Kumar
 
Operational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlOperational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlAlex Liang
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides SlideTeam
 
Risk Management
Risk ManagementRisk Management
Risk ManagementUrban League of Greater Atlanta
 
Business Continuity Detailed Plan
Business Continuity Detailed PlanBusiness Continuity Detailed Plan
Business Continuity Detailed PlanWissam Abdel Baki
 
Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Glen Alleman
 
ITIL Incident Management Workflow - Process Guide
ITIL Incident Management Workflow - Process Guide ITIL Incident Management Workflow - Process Guide
ITIL Incident Management Workflow - Process GuideFlevy.com Best Practices
 
Increasing the Probability of Project Success
Increasing the Probability of Project SuccessIncreasing the Probability of Project Success
Increasing the Probability of Project SuccessGlen Alleman
 
Bcp
BcpBcp
Bcpmadunix
 
Business Continuity - Business Risk &amp; Management
Business Continuity - Business Risk &amp; ManagementBusiness Continuity - Business Risk &amp; Management
Business Continuity - Business Risk &amp; ManagementAndrew Styles
 
Oil Spill Crisis Action Team Back Up, Relief 052410
Oil Spill Crisis Action Team Back Up, Relief 052410Oil Spill Crisis Action Team Back Up, Relief 052410
Oil Spill Crisis Action Team Back Up, Relief 052410arainold
 
Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksDavid Sweigert
 
HIPAA HHS OCR Audit Questions
HIPAA HHS OCR Audit QuestionsHIPAA HHS OCR Audit Questions
HIPAA HHS OCR Audit QuestionsDavid Sweigert
 

More Related Content

What's hot

Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery PlanningKathy Pelletier
 
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans SRIIA Technologies, Inc.
 
Project risk management: Techniques and strategies
Project risk management: Techniques and strategiesProject risk management: Techniques and strategies
Project risk management: Techniques and strategiesDebashishDas49
 
Quality management specialist
Quality management specialistQuality management specialist
Quality management specialistselinasimpson1001
 
Risk Management
Risk ManagementRisk Management
Risk Managementysshah
 
Contingency%20planning%20lecture%205
Contingency%20planning%20lecture%205Contingency%20planning%20lecture%205
Contingency%20planning%20lecture%205Magdalena Anna Fas
 
Operational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlOperational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlAlex Liang
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides SlideTeam
 
Business Continuity Detailed Plan
Business Continuity Detailed PlanBusiness Continuity Detailed Plan
Business Continuity Detailed PlanWissam Abdel Baki
 
Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Glen Alleman
 
ITIL Incident Management Workflow - Process Guide
ITIL Incident Management Workflow - Process Guide ITIL Incident Management Workflow - Process Guide
ITIL Incident Management Workflow - Process GuideFlevy.com Best Practices
 
Increasing the Probability of Project Success
Increasing the Probability of Project SuccessIncreasing the Probability of Project Success
Increasing the Probability of Project SuccessGlen Alleman
 
Business Continuity - Business Risk &amp; Management
Business Continuity - Business Risk &amp; ManagementBusiness Continuity - Business Risk &amp; Management
Business Continuity - Business Risk &amp; ManagementAndrew Styles
 
Oil Spill Crisis Action Team Back Up, Relief 052410
Oil Spill Crisis Action Team Back Up, Relief 052410Oil Spill Crisis Action Team Back Up, Relief 052410
Oil Spill Crisis Action Team Back Up, Relief 052410arainold
 

What's hot (20)

Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery Planning
 
Risk Adjusted Estimating Techniques
Risk Adjusted Estimating TechniquesRisk Adjusted Estimating Techniques
Risk Adjusted Estimating Techniques
 
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
 
Risk analysis
Risk analysisRisk analysis
Risk analysis
 
Project risk management: Techniques and strategies
Project risk management: Techniques and strategiesProject risk management: Techniques and strategies
Project risk management: Techniques and strategies
 
2010; Risk Management Workshop Rev.1.1
2010; Risk Management Workshop Rev.1.12010; Risk Management Workshop Rev.1.1
2010; Risk Management Workshop Rev.1.1
 
Quality management specialist
Quality management specialistQuality management specialist
Quality management specialist
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Contingency%20planning%20lecture%205
Contingency%20planning%20lecture%205Contingency%20planning%20lecture%205
Contingency%20planning%20lecture%205
 
risk analysis
risk analysis risk analysis
risk analysis
 
Operational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlOperational Risk Management System with Statistical Control
Operational Risk Management System with Statistical Control
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Business Continuity Detailed Plan
Business Continuity Detailed PlanBusiness Continuity Detailed Plan
Business Continuity Detailed Plan
 
Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)
 
ITIL Incident Management Workflow - Process Guide
ITIL Incident Management Workflow - Process Guide ITIL Incident Management Workflow - Process Guide
ITIL Incident Management Workflow - Process Guide
 
Increasing the Probability of Project Success
Increasing the Probability of Project SuccessIncreasing the Probability of Project Success
Increasing the Probability of Project Success
 
Bcp
BcpBcp
Bcp
 
Business Continuity - Business Risk &amp; Management
Business Continuity - Business Risk &amp; ManagementBusiness Continuity - Business Risk &amp; Management
Business Continuity - Business Risk &amp; Management
 
Oil Spill Crisis Action Team Back Up, Relief 052410
Oil Spill Crisis Action Team Back Up, Relief 052410Oil Spill Crisis Action Team Back Up, Relief 052410
Oil Spill Crisis Action Team Back Up, Relief 052410
 

Viewers also liked

Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksDavid Sweigert
 
HIPAA HHS OCR Audit Questions
HIPAA HHS OCR Audit QuestionsHIPAA HHS OCR Audit Questions
HIPAA HHS OCR Audit QuestionsDavid Sweigert
 
NIST Patch Management SP 800-40 Rev 3
NIST Patch Management SP 800-40 Rev 3NIST Patch Management SP 800-40 Rev 3
NIST Patch Management SP 800-40 Rev 3David Sweigert
 
Emergency Services Sector Cybersecurity Initiative UASI briefing
Emergency Services Sector Cybersecurity Initiative UASI briefingEmergency Services Sector Cybersecurity Initiative UASI briefing
Emergency Services Sector Cybersecurity Initiative UASI briefingDavid Sweigert
 
Use of reverse proxies to counter attacks -- TCP flow analysis
Use of reverse proxies to counter attacks -- TCP flow analysisUse of reverse proxies to counter attacks -- TCP flow analysis
Use of reverse proxies to counter attacks -- TCP flow analysisDavid Sweigert
 
Example of Security Awareness Training -- Department of Aging
Example of Security Awareness Training -- Department of AgingExample of Security Awareness Training -- Department of Aging
Example of Security Awareness Training -- Department of AgingDavid Sweigert
 
Cyber TTX Training Opportunity for mid-January 2017
Cyber TTX Training Opportunity for mid-January 2017Cyber TTX Training Opportunity for mid-January 2017
Cyber TTX Training Opportunity for mid-January 2017David Sweigert
 
TDL3 Rootkit Background
TDL3 Rootkit BackgroundTDL3 Rootkit Background
TDL3 Rootkit BackgroundDavid Sweigert
 
Russian Hacker Cyber Threats to US Voting Infrastructure
Russian Hacker Cyber Threats to US Voting InfrastructureRussian Hacker Cyber Threats to US Voting Infrastructure
Russian Hacker Cyber Threats to US Voting InfrastructureDavid Sweigert
 
Overview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksOverview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksDavid Sweigert
 
Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...
Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...
Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...David Sweigert
 
Psychology of the Insider Threat
Psychology of the Insider ThreatPsychology of the Insider Threat
Psychology of the Insider ThreatDavid Sweigert
 
NIST Malware Attack Prevention SP 800-83
NIST Malware Attack Prevention SP 800-83NIST Malware Attack Prevention SP 800-83
NIST Malware Attack Prevention SP 800-83David Sweigert
 
Use of Cyber Proxy Forces in Unconventional Warfare
Use of Cyber Proxy Forces in Unconventional WarfareUse of Cyber Proxy Forces in Unconventional Warfare
Use of Cyber Proxy Forces in Unconventional WarfareDavid Sweigert
 
Cyber Threats that impact the US Energy Infrastructure
Cyber Threats that impact the US Energy InfrastructureCyber Threats that impact the US Energy Infrastructure
Cyber Threats that impact the US Energy InfrastructureDavid Sweigert
 
Cyber war netwar and the future of cyberdefense
Cyber war netwar and the future of cyberdefense Cyber war netwar and the future of cyberdefense
Cyber war netwar and the future of cyberdefense David Sweigert
 
Developing Transistion Planning from Cyber Incident Response to Recovery
Developing Transistion Planning from Cyber Incident Response to RecoveryDeveloping Transistion Planning from Cyber Incident Response to Recovery
Developing Transistion Planning from Cyber Incident Response to RecoveryDavid Sweigert
 
Healthcare Contingency Operations by DHHS ASPR
Healthcare Contingency Operations by DHHS ASPRHealthcare Contingency Operations by DHHS ASPR
Healthcare Contingency Operations by DHHS ASPRDavid Sweigert
 
HIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRHIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRDavid Sweigert
 
FBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareFBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareDavid Sweigert
 

Viewers also liked (20)

Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication Attacks
 
HIPAA HHS OCR Audit Questions
HIPAA HHS OCR Audit QuestionsHIPAA HHS OCR Audit Questions
HIPAA HHS OCR Audit Questions
 
NIST Patch Management SP 800-40 Rev 3
NIST Patch Management SP 800-40 Rev 3NIST Patch Management SP 800-40 Rev 3
NIST Patch Management SP 800-40 Rev 3
 
Emergency Services Sector Cybersecurity Initiative UASI briefing
Emergency Services Sector Cybersecurity Initiative UASI briefingEmergency Services Sector Cybersecurity Initiative UASI briefing
Emergency Services Sector Cybersecurity Initiative UASI briefing
 
Use of reverse proxies to counter attacks -- TCP flow analysis
Use of reverse proxies to counter attacks -- TCP flow analysisUse of reverse proxies to counter attacks -- TCP flow analysis
Use of reverse proxies to counter attacks -- TCP flow analysis
 
Example of Security Awareness Training -- Department of Aging
Example of Security Awareness Training -- Department of AgingExample of Security Awareness Training -- Department of Aging
Example of Security Awareness Training -- Department of Aging
 
Cyber TTX Training Opportunity for mid-January 2017
Cyber TTX Training Opportunity for mid-January 2017Cyber TTX Training Opportunity for mid-January 2017
Cyber TTX Training Opportunity for mid-January 2017
 
TDL3 Rootkit Background
TDL3 Rootkit BackgroundTDL3 Rootkit Background
TDL3 Rootkit Background
 
Russian Hacker Cyber Threats to US Voting Infrastructure
Russian Hacker Cyber Threats to US Voting InfrastructureRussian Hacker Cyber Threats to US Voting Infrastructure
Russian Hacker Cyber Threats to US Voting Infrastructure
 
Overview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksOverview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacks
 
Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...
Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...
Intrusion Detection and Discovery via Log Correlation to support HIPAA Securi...
 
Psychology of the Insider Threat
Psychology of the Insider ThreatPsychology of the Insider Threat
Psychology of the Insider Threat
 
NIST Malware Attack Prevention SP 800-83
NIST Malware Attack Prevention SP 800-83NIST Malware Attack Prevention SP 800-83
NIST Malware Attack Prevention SP 800-83
 
Use of Cyber Proxy Forces in Unconventional Warfare
Use of Cyber Proxy Forces in Unconventional WarfareUse of Cyber Proxy Forces in Unconventional Warfare
Use of Cyber Proxy Forces in Unconventional Warfare
 
Cyber Threats that impact the US Energy Infrastructure
Cyber Threats that impact the US Energy InfrastructureCyber Threats that impact the US Energy Infrastructure
Cyber Threats that impact the US Energy Infrastructure
 
Cyber war netwar and the future of cyberdefense
Cyber war netwar and the future of cyberdefense Cyber war netwar and the future of cyberdefense
Cyber war netwar and the future of cyberdefense
 
Developing Transistion Planning from Cyber Incident Response to Recovery
Developing Transistion Planning from Cyber Incident Response to RecoveryDeveloping Transistion Planning from Cyber Incident Response to Recovery
Developing Transistion Planning from Cyber Incident Response to Recovery
 
Healthcare Contingency Operations by DHHS ASPR
Healthcare Contingency Operations by DHHS ASPRHealthcare Contingency Operations by DHHS ASPR
Healthcare Contingency Operations by DHHS ASPR
 
HIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRHIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCR
 
FBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareFBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from Ransomware
 

Similar to Disaster Recovery planning within HIPAA framework

Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop FinalBill Lisse
 
Buisness contingency plan
Buisness contingency planBuisness contingency plan
Buisness contingency planRMC
 
Business Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryBusiness Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryEC-Council
 
Business continuity in general
Business continuity in generalBusiness continuity in general
Business continuity in generalJohn Johari
 
Risk Management -- Business Continuity Planning and Management.pptx
Risk Management -- Business Continuity Planning and Management.pptxRisk Management -- Business Continuity Planning and Management.pptx
Risk Management -- Business Continuity Planning and Management.pptxCody Shive
 
Business Continuity Plan
Business Continuity PlanBusiness Continuity Plan
Business Continuity PlanBizPlanss
 
A laypersons guide to business continuity management richard (2)
A laypersons guide to business continuity management richard (2)A laypersons guide to business continuity management richard (2)
A laypersons guide to business continuity management richard (2)leemond25
 
5 forces incident problem mgmt-presentation
5 forces incident problem mgmt-presentation5 forces incident problem mgmt-presentation
5 forces incident problem mgmt-presentationAnna Sadokhina
 
Bcm Roadmap
Bcm RoadmapBcm Roadmap
Bcm Roadmapbtrmuray
 
BCM Roadmap
BCM RoadmapBCM Roadmap
BCM Roadmapbtrmuray
 
Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides
Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides
Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides SlideTeam
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Narudom Roongsiriwong, CISSP
 
Business Continuity Management-The Case for Return on Investment-white paper
Business Continuity Management-The Case for Return on Investment-white paperBusiness Continuity Management-The Case for Return on Investment-white paper
Business Continuity Management-The Case for Return on Investment-white paperGreg Cybulski, CBCP, ARM
 
Continuity Planning 101
Continuity Planning 101Continuity Planning 101
Continuity Planning 101tjrettig
 
Adverse Event or Near Miss Analysis DetailsAt.docx
Adverse Event or Near Miss Analysis DetailsAt.docxAdverse Event or Near Miss Analysis DetailsAt.docx
Adverse Event or Near Miss Analysis DetailsAt.docxcoubroughcosta
 
Risk Assessment Framework
Risk Assessment FrameworkRisk Assessment Framework
Risk Assessment FrameworkJhurt7103
 

Similar to Disaster Recovery planning within HIPAA framework (20)

Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop Final
 
Buisness contingency plan
Buisness contingency planBuisness contingency plan
Buisness contingency plan
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Business Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryBusiness Continuity & Disaster Recovery
Business Continuity & Disaster Recovery
 
Business continuity in general
Business continuity in generalBusiness continuity in general
Business continuity in general
 
Risk Management -- Business Continuity Planning and Management.pptx
Risk Management -- Business Continuity Planning and Management.pptxRisk Management -- Business Continuity Planning and Management.pptx
Risk Management -- Business Continuity Planning and Management.pptx
 
Rapid Response Community
Rapid Response Community Rapid Response Community
Rapid Response Community
 
Business Continuity Plan
Business Continuity PlanBusiness Continuity Plan
Business Continuity Plan
 
Risk Management Training
Risk Management TrainingRisk Management Training
Risk Management Training
 
A laypersons guide to business continuity management richard (2)
A laypersons guide to business continuity management richard (2)A laypersons guide to business continuity management richard (2)
A laypersons guide to business continuity management richard (2)
 
5 forces incident problem mgmt-presentation
5 forces incident problem mgmt-presentation5 forces incident problem mgmt-presentation
5 forces incident problem mgmt-presentation
 
Bcm Roadmap
Bcm RoadmapBcm Roadmap
Bcm Roadmap
 
BCM Roadmap
BCM RoadmapBCM Roadmap
BCM Roadmap
 
Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides
Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides
Corporate Disaster Prevention And Preparedness PowerPoint Presentation Slides
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)
 
Business Continuity Management-The Case for Return on Investment-white paper
Business Continuity Management-The Case for Return on Investment-white paperBusiness Continuity Management-The Case for Return on Investment-white paper
Business Continuity Management-The Case for Return on Investment-white paper
 
BUSINESS CONTINUITY PLANNING
BUSINESS CONTINUITY PLANNINGBUSINESS CONTINUITY PLANNING
BUSINESS CONTINUITY PLANNING
 
Continuity Planning 101
Continuity Planning 101Continuity Planning 101
Continuity Planning 101
 
Adverse Event or Near Miss Analysis DetailsAt.docx
Adverse Event or Near Miss Analysis DetailsAt.docxAdverse Event or Near Miss Analysis DetailsAt.docx
Adverse Event or Near Miss Analysis DetailsAt.docx
 
Risk Assessment Framework
Risk Assessment FrameworkRisk Assessment Framework
Risk Assessment Framework
 

More from David Sweigert

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterDavid Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartDavid Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackDavid Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionDavid Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanDavid Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
 

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]📊 Markus Baersch
 
MK KOMUNIKASI DATA (TI)komdat komdat.docx
MK KOMUNIKASI DATA (TI)komdat komdat.docxMK KOMUNIKASI DATA (TI)komdat komdat.docx
MK KOMUNIKASI DATA (TI)komdat komdat.docxUnduhUnggah1
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdfHuman37
 
IMA MSN - Medical Students Network (2).pptx
IMA MSN - Medical Students Network (2).pptxIMA MSN - Medical Students Network (2).pptx
IMA MSN - Medical Students Network (2).pptxdolaknnilon
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSINGmarianagonzalez07
 
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhijennyeacort
 
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdfPredicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdfBoston Institute of Analytics
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDRafezzaman
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort servicejennyeacort
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Sapana Sha
 
Heart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectHeart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectBoston Institute of Analytics
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Jack DiGiovanna
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPramod Kumar Srivastava
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改yuu sss
 
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...limedy534
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfSocial Samosa
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.natarajan8993
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...Boston Institute of Analytics
 
9654467111 Call Girls In Munirka Hotel And Home Service
9654467111 Call Girls In Munirka Hotel And Home Service9654467111 Call Girls In Munirka Hotel And Home Service
9654467111 Call Girls In Munirka Hotel And Home ServiceSapana Sha
 

Recently uploaded (20)

GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]
 
MK KOMUNIKASI DATA (TI)komdat komdat.docx
MK KOMUNIKASI DATA (TI)komdat komdat.docxMK KOMUNIKASI DATA (TI)komdat komdat.docx
MK KOMUNIKASI DATA (TI)komdat komdat.docx
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf
 
IMA MSN - Medical Students Network (2).pptx
IMA MSN - Medical Students Network (2).pptxIMA MSN - Medical Students Network (2).pptx
IMA MSN - Medical Students Network (2).pptx
 
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
 
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
 
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdfPredicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
 
Heart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectHeart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis Project
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
 
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
 
9654467111 Call Girls In Munirka Hotel And Home Service
9654467111 Call Girls In Munirka Hotel And Home Service9654467111 Call Girls In Munirka Hotel And Home Service
9654467111 Call Girls In Munirka Hotel And Home Service
 

Disaster Recovery planning within HIPAA framework

  • 1. Contingency Planning: Addressing Critical Business Processes That Support Implementation of HIPAA Transactions Marie Margiottiello, CMS Henry Chao, CMS February 12, 2003 New Orleans
  • 2. Overview � Definitions � Risk Analysis � Analyzing Risk Relative to HIPAA Impact � Identification of Critical Business Processes � Identification of Potential Failures � Business Impact Analysis � Minimum Acceptable Levels � Identification of Alternatives/Contingency � Develop The COOP � Testing � Training & Updating the Plan � Examples
  • 3. Definitions �DISASTER RECOVERY PLAN: The document that defines the resources, actions, tasks and data required to manage the business recovery process in the event of a business interruption. The plan is designed to assist in restoring the business process within the stated disaster recovery goals. Source: Disaster Recovery Journal
  • 4. Definitions �CONTINGENCY PLAN: A plan used by an organization or business unit to respond to a specific systems failure or disruption of operations. A contingency plan may use any number of resources including workaround procedures, an alternate work area, a reciprocal agreement, or replacement resources. Source: Disaster Recovery Journal
  • 5. Definitions �DISASTER RECOVERY PLANNING: The technological aspect of business continuity planning. The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster. SIMILAR TERMS: Contingency Planning; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster Preparedness. Source: Disaster Recovery Journal
  • 6. Definitions �CONTINGENCY PLANNING: Process of developing advance arrangements and procedures that enable an organization to respond to an event that could occur by chance or unforeseen circumstances. Source: Disaster Recovery Journal
  • 7. Definitions � CONTINUITY OF OPERATIONS PLAN (COOP): A COOP provides guidance on the system restoration for emergencies, disasters, mobilization, and for maintaining a state of readiness to provide the necessary level of information processing support commensurate with the mission requirements/priorities identified by the respective functional proponent. This term traditionally is used by the Federal Government and its supporting agencies to describe activities otherwise known as Disaster Recovery, Business Continuity, Business Resumption, or Contingency Planning. Source: Disaster Recovery Journal
  • 8. Definitions � For consistency, use Continuity Of Operations Plan (COOP) � COOP can be inclusive of all activities associated with previous terms � Organizational readiness begins with clear recognition, understanding, and commitment to the scope of your COOP � You get what you pay for
  • 9. Risk Analysis �How likely is it to occur ? ~ and ~ � What impact would it have ?
  • 10. Risk Analysis � Specify probability and criticality � Product of: (probability) x (criticality) � Probability: chance that the future event will occur (if present, it’s a problem, not a risk) � Criticality: the impact of a future event (no impact = no risk)
  • 11. Risk Analysis � Degrees of probability � High – nearly certain (80 – 99%) � Moderate – probable, possible (20 – 80%) � Low – improbable (< 20%) � More ranges may be appropriate
  • 12. Risk Analysis � Degrees of Criticality � High – total failure or serious degrading of business function � Moderate – impaired performance � Low – little impact, but more than none � More ranges may be appropriate
  • 13. Analyze Risk Relative to HIPAA �Use accurate stats for your operations �Number of beneficiaries �Number of providers �Volume of transactions (by provider type, if possible) �$ value of transactions �MCOs �Helpline/Hotline call volume �Payment cycles �Waiver programs �Contractors’ roles �Are there state-level coordination issues?
  • 14. Identification of Critical Business Processes � Identify events with potential to degrade ability to do business � Eligibility - Inquiry & Response � Beneficiary Enrollment / Disenrollment � Authorization – Request & Response � Claim / Encounter � Remittance / Payment � Claims Status - Inquiry & Response
  • 15. � � Identification of Potential Failures Describe expected outcome of each event: � Eligibility Inquiry not possible (receipt, validation, processing) � Response not possible (generation, translation, transmission) � Enrollment / Disenrollment Enrollment not possible (generation, translation, transmission) � Disenrollment not possible ( generation, translation, transmission) � Authorization � Request not possible (receipt, validation, processing) � Response not possible (generation, translation, transmission)
  • 16. Identification of Potential Failures � Claim � Claim receipt not possible (receipt, translation) � Claim processing not possible (validation, adjudication) � Remittance / Payment � RA not possible (generation, translation, transmission) � Claim Status � Status inquiry not possible ( receipt, validation, processing ) � Status response not possible ( generation, translation, transmission)
  • 17. Identification of Potential Failures � Identify users and areas likely and seriously affected � System areas modified but not tested thoroughly � System areas tested only internally (not tested via actual B-2-B) � Areas of end-user unfamiliarity (new processes, new outputs, new interfaces) � Trading partner issues (process, product) � Multiple degradations/failures, source of problem not easily determined � Trickle down effect, identify other business associates affected
  • 18. Business Impact Analysis � Identify business process affected � Determine tolerance level if function(s) are degraded, disrupted, or completely unavailable
  • 19. Business Impact Analysis � Analyze process and ask “how BAD is it (really), if:” � Providers can’t determine if patients are eligible, or what they’re eligible for ? � Recipients can’t get enrolled into a health plan ? � Medical services can’t be authorized ? � Claims aren’t received electronically ? � Claims can’t be processed ? (validated, adjudicated, rejected, archived, etc.) � Providers can’t be paid ? � Providers can’t tell what the status of a claim is ?
  • 20. What Is The Tolerance? � Determine risk actions to be taken based on varying levels of tolerances for critical processes � Accept risk (do nothing) � Watch it (monitor) � Mitigate (reduce criticality and/or probability) � Plan for contingencies
  • 21. Business Impact Analysis � Document risk analysis (description and rationale) � Prioritized listing of critical business processes � Business processes should be identified, evaluated, and then ranked in order of importance
  • 22. Business Impact Analysis Business Process: Dependency Probability Duration Criticality Impact Total Risk Score Dep #1 Dep #2 Dep #3
  • 24. Minimum Acceptable Levels � Eligibility – inquiries & responses � Enrollments & Disenrollments � Authorization – requests & responses � Claims – receipt & adjudication of EDI and paper � Remittance � Claims Status – inquiries & responses
  • 25. Identification of Alternatives Selection of Contingency � For each critical business process, identify all the possible alternatives (workarounds) � Select ONE alternative for each business process / scenario
  • 26. Develop The COOP � Each contingency needs to specify: � Assumptions (baseline parameters for planning) � Triggers (indication of failure) � Notification (who to tell) � Resource Assignments (who does what) ERT � Procedures (the work-around) � Duration (for how long) � Monitoring (see how it goes)
  • 27. Develop The COOP � Analyze and document required resources to support the plan � Establish command, communication, and control procedures for executing the plan; Includes: � Timely recognition of trigger of disruption � Designated plan invoker � Organized, responsive, and accessible emergency response team (ERT)
  • 28. Develop The COOP � Does your Incident Reporting mechanism work like this: …or slightly faster… � Require tested and operational Incident Reporting mechanism to support all communication channels
  • 29. Develop The COOP � Minimum Acceptable Level of Service: This is some predetermined level of service. It may be a percent of volume or length of time, etc. � Triggers: cause a COOP to be invoked. separated from triggers by a period of time before These are the specific failure points that Events may be the contingency is invoked � Concept of Operations: The concept of operations is a short summary paragraph providing a macro level view of how the workaround will unfold
  • 30. Develop The COOP � Emergency Response Teams � ERTs are tailored for each business process � The information should include positions, names of “who” is assigned, function, and telephone numbers [work, home, cell, pager], etc. � Contact procedures for ERT members: This section should indicate “what” method will be used to contact the ERT members: e.g. phone trees with home/cell/work numbers, ‘code’ announcements for state employees, email, other alternate means
  • 31. Develop The COOP � Escalation of Problems and Reporting Procedures: This is the information that is conveyed in the execution of the COOPs…verbal, written, frequency � Training Plan: This section explains the “why” training is conducted, “when” it will be done, “who” conducts and receives training, and “how”. (Prep for doing the CPs, periodic, and just-in-time.) � Validation Plan: This section describes a process for testing and validating the COOP.
  • 32. Develop The COOP � Outreach Plan: This section explains “how” and “when” the Medicaid enterprise will communicate to beneficiaries and providers that contingency operations have started and ended � Plan Maintenance Procedures: describes “how” the COOP will be reviewed, This section changed, updated and “who”is responsible � Day One Strategy: Procedures for the initial transition to the COOP � Distribution: This section lists “who” and “where” copies of the COOP are located
  • 33. Develop The COOP � Disaster Recovery Plan: This section may be where a copy of the DRP (May be your F/A) is located for reference (IT and infrastructure) � Alternative Strategies: identification of all possible workarounds from which one is selected (with justification) This section provides for the Example: Provider Claims � hold all claims until system is recovered � pay percentage of historical (previous month, quarter, year) � pay prioritized list of providers most significantly impacted if not paid � first in – first out
  • 34. Develop The COOP � Business partners affected: This section should identify all the business partners / other agencies affected by the implementation of the COOP -- “who” � Resources and cost estimates to implement the COOP: This is a list of those things necessary to execute the COOP -- “what” � Restore to normal ops: This section contains procedures for transitioning back to normal operations after a contingency is no longer required
  • 35. COOP Organization Public Relations Crisis Coordination Enterprise Management Team (XMT) Emergency Management Team (EMT) Emergency Response Team (ERT) Contractors Financial Institutions Other Stakeholders Other Federal Agencies Other State Agencies Providers Media Governor CMS Beneficiaries
  • 36. COOP Testing � Exercise COOP to ensure: � Adequacy of assumptions � Staff comprehension of COOP procedures � Under duress, staff can accomplish in expected timeframes, produce expected outcomes (for example, MALS) � Assigned COOP resources (alternate site, equipment, lines, ERT, etc.) are functional, available
  • 37. � Training � Raise Awareness Periodic presentations to team members, management, new employees � Offer external COOP training, conference opportunities, create library of publications � Conduct Validation Exercises � Desktop walk-thru or more realistic simulation “fire drill” � Pre-exercise brief, audit the process, document progress, allow participant feedback, and debrief � Establish change control procedures � Establish uniform distribution of plan; version control
  • 38. Updating the COOP � As personnel change � As situations change � Cycle of continuous improvement TestingTesting RevisingRevising TrainingTraining
  • 39. Table of Contents From Actual State BCCP/COOP Plan � I. Introduction – Current Business Process Overview � II. Assumptions � III. Concept of Contingency Operations � a. – Rapid Response Organization: – i. Executive Team – ii. Operating Team – iii. Business Contingency Plan Managers � b. � c. Phone Trees � IV. Eligibility Verification � V. Claims Processing/Reimbursement Services � VI. Systems Management � VII. General Administration � VIII. Managed Care � IX. Chronic Care � X. Acute Care Responsibilities Incident Management Guide � XI. Legal and Regulatory � XII. [Fiscal Agent] Disaster Recovery Plan
  • 40. Disruption to State Payment and Eligibility Function Notify ERT Alternate and/or Co-Leader Begin Assessment of Impact to State Functions Decide Initial Response Procedure Notify all ERT Members Notify Select Members of ERT Go to Page 2 Estimate impact requires significant resources Only need subset of ERT No response required Go to 2 Disaster Event Affecting State- Level Medicaid Operations Start Event Log Entries Verify with Respective RO Staff (Preferably the RA or ARA) CMS Central Office Response Process for State-Level Disaster/Disruption-Page 1 Notification may come from a variety of sources including, but not limited to: CMS Senior Staff CMS Regional Office(s) Press Office Public Media ERT Leader or Designee Exit point will be determined by the ERT Leader. emergency response is required, ERT leader may designate a monitoring function complete exit. Is the RO Affected? Go to Page 4 Decide if disruption affects RO's ability to operate normally Yes Page 4 lists the steps required to address disruption to the RO from the perspective of the CO. Each RO may invoke individual procedures, i.e., shift operations to another RO No SMA Invoked Contingency Plan? RO Request copy of BCCP Forward to 018D ERT Leader RO Contact SMA Staff to Asess Intention to Invoke BCCP ERT Leader should be made aully aware of the situation 018D indicates the use of a "Plan Invoker"--This is either a senior-level manager or a RMS designated contact Yes No Communicate SMA Intention to ERT Leader It is possible that the SMA invoked a systems disaster recovery plan rather than a business continuity plan-­ which is much more comprehensive. Determine the kind of plan invoked and compare the appropriateness of the response versus the disruption. Page Although no formal prior to a
  • 41. HIPAA Transaction and supporting business process assessed for HIPAA impact Completedasof HIPAA Transaction and supporting system functions renovated Completedasof HIPAA Transaction with Associated Supporting Business and System Functions Tested End- to-End Start Date of End-To- End Testing for HIPAA Transaction Completedasof HIPAA Transaction with Associated Supporting Business and System Functions Implemented Start Date of Implementa­ tion of HIPAA Transaction Completedasof COOP Updated for HIPAA Transaction Completedasof Unable to Meet 10/16/2003 Deadline for HIPAA Transaction, Prioritze for COOP Y/N Date or Expected Date Y/N Date or Expected Date Y/N Date or Expected Date Date or Expected Date Y/N Date or Expected Date Date or Expected Date Y/N Date or Expected Date Indicate Priority Professional Claim/ Encounter [837P] Inpatient Claim/ Encounter [837I] Dental Claim/ Encounter [837D] Pharmacy Claim/ Encounter [NCPDP] Claim Receipt and Translation Claim Adjudication/Pricing/Calculation Capitation Payment Managed Care Administration Fee Payment Institutional LTC Payment Premium Payment [820] Medicare Buy-in Premium Payment Private Health Insurance Premium Payment Non-Standard Claim Payment Mass Claim Adjustment Transaction Claim, Encounter, and Payment Communications Remittance Advice [835] Claims Payment Check/Warrant Processing Claim Status Request, Voice/Fax/Electronic Claim Status Response [277] Claim Status Response, Voice/Fax/Electronic Eligibility Verification Request [270] Processing Request, Voice/Fax/Electronic Eligibility Verification Response [271] Processing Response, Voice/Fax/Electronic Eligibility and Enrollment Notices and ID Documents Recipient Maintenance, Communication/TPL/Appeals/Lock-in Eligibility Data Exchange Enrollment Transaction [834] Enrollment Rosters to MCO Request for Auth. of Service [278] Response for Auth. of Service [278] Prior Authorization Receipt, Voice/Fax/Paper/Electronic Messages, Receipt/Acknowledge/Accept/Reject Continuity of OperationsTestingGap Analysis Renovation Implementation and Transition For each phase from Gap Analysis through COOP, fill in the corresponding cells for each HIPAA transaction. business processes are listed as prompters to ensure these have been addressed in each phase of HIPAA implementation. guideline and is not an exhaustive list of processes that is necessary to be addressed for HIPAA implementation. Italicized, indented The list serves as a
  • 42. Utilization Review Review, Medical/Peer/Administrative Generate and Distribute EOMBs Catastrophic Case Management SURS – Establish System Parameters SUR Case Referrals for Investigation Provider Prepayment Review Retro DUR Fraud Detection Processing, Data Mining Quality Assurance, Medicaid/MCO/Enrollment Broker Rate Setting Rate Setting, Fee For Service/Managed Care/Co-Payment/Capitation Rates/Waiver Rates Rate Calculation, Institutional/Outpatient/Pharmacy/Clinic/Encounter/Non-Institutional Practitioner DME and Supplies Rates and Clinical Lab Fee Schedule Fees, Case Management/Administration Management Reporting Reporting, EPSDT/MSIS/HEDIS Decision Support Claims History Inquiry 1099 Production Public Health and Vital Statistics Reporting Financial Management Accounts Receivable/Payable/TPL Collection/Drug Rebate/Recoveries/Bank Reconcilliation Drug Rebate Drug Rebate Claim Selection Drug Rebate Invoicing Drug Manufacturer Response Processing Auditing Pharmacy Fill Fee Audit Cost Settlement Audits Quality Control Medicaid Eligibility Quality Control Claims Processing Quality Audits Translator Administration Translator Contract Management Mapping to Adjudication System Translator Maintenance Trading Partner Administration Data Exchange Information Acquisition Data Exchange Information Maintenance The following business processes are from Medicaid Administration and Utilization Management areas, which are impacted in varying degrees by some oralloftheHIPAAtransactionsandwouldhavetobeaddressedinallphasesofHIPAAimplementationfromGapAnalysisthroughContinuityof OperationsPlanning.