Case study
A lesson in crisis management
How one practice dealt with a flood, power outage, theft, and a potential HIPAA breach ... all in the same day.
BY SHARON ALAMALHODAEI, COMT
I pulled into the parking lot of my office on a Monday morning in 2011 and saw my staff members standing outside the office. Then, I noticed water pouring out of the doors — the office had flooded.
My staff member, Marsha, the first person to arrive that morning, found water spraying from a detached plumbing pipe in the bathroom. She said she shut off the main water line and had tried to reach me (it was the wrong day to forget my cell phone). Water got into electrical outlets and wicked four feet up the walls, so our power, computer network, and telephone system did not function.
As the manager of the busy practice, I took my shoes off, rolled up my pant legs, and went into crisis management mode.
The response
We had a full clinic day scheduled, so my first concern was our patients. I told my staff to immediately call patients to let them know about the flood. With the phone system inoperable, staff used their cell phones. They told the patients not to come in for their appointment that day and that we would call back to reschedule their appointments. We provided patients with urgent eye problems the name and number of the doctor on call.
My next concern was the building and facilities. Using a staff member’s cell phone, I notified our insurance agent of the situation. By 10:30 a.m., insurance adjusters, IT and networking staff, water restoration workers, electricians, telephone technicians, plumbers, and ophthalmic equipment repairmen were all on site.
As the water restoration workers suctioned water from one exam lane, the water sloshed through to adjacent rooms. This caused the workers to suction water out of the same rooms over and over. All interior insulation was removed and replaced. Holes were drilled every 18 inches in every interior and exterior wall, and dehumidifiers and fans were inserted to dry the walls from the inside out.
By late morning, my staff contacted all the patients they could. I told them I would place an outgoing message on my cell phone each evening by 5 p.m. reporting on the status of the office for the following day, and I asked my team to call each evening to find out whether to report to work. I divided appointment lists amongst staff members and told them to take them home so they could confirm or cancel the appointments depending on when we re-opened.
More problems
By noon, the last staff member, Marsha, who had discovered the flood, was leaving. Because we still had no power, the office was completely dark except for the front reception area because of its windows. I stood in the reception area and watched a new scene unfold. As Marsha pulled her car to the front of the office, she saw a woman step out of her car, open up her walker and head toward the entrance. Marsha stopped her car and helped this patient enter the building.
After assisting the patient, Marsha returned to the parking lot to find her car was stolen. Even worse, inside the car were appointment lists containing 300 patient names, social security numbers, protected patient health information, and all of our office keys. Now, in addition to everything else, I needed to talk to police, deal with a HIPAA breach, and get new keys for the entire office. The workers and I stayed in the office all night until we restored our utilities, replaced the equipment, and evacuated water. We had the office up and running the very next day.
Lessons learned
Good crisis management is both proactive and reactive, helping an organization avert a crisis or successfully manage one after it occurs. A crisis management team must make plans before a crisis occurs so they can think clearly to make timely, sound decisions based on facts during an emergency.
Remember the following:
1. Train each person who will play a role in the action plan. Emergencies happen when you least expect them.
2. Have a HIPAA privacy officer who would report a breach. Train the HIPAA privacy officer on what to do before an emergency occurs. In the case of an emergency, the privacy officer won’t have time to learn, as you and your staff will be so busy handling the emergency.
3. Limit extraneous information on reports. To minimize the chance of HIPAA violations, include the least amount of a patient’s information necessary for someone to do their job. For example, our staff members who confirmed appointments didn’t need the patient’s date of birth, social security number or diagnosis. That information was placed on the appointment report by our software vendor who included more than just the required fields. If we had limited the information on that report to only the information we actually needed, our patients’ exposure would have been much less when the breach occurred.
4. Keep your insurance documents in one secure place, such as a locked fireproof container. This allows you to access them quickly in case of emergency. Only the doctor(s) and CEO or practice administrator should have access to this container and know its location.
5. Document the emergency. Take pictures of damage. Also, keep receipts of major purchases and a list of associated serial numbers.
But wait … there’s more
Four days later, one of my staff members driving in our town saw someone driving Marsha’s car. She called Marsha, who notified the police while my other staff member followed the car. The police responded and a car chase ensued, during which Marsha’s car was wrecked. Two teenagers, 13 and 15, ran from the police but were caught.
When Marsha’s car was recovered, the appointment lists were not found. As the HIPAA privacy officer, I had to contact the patients whose names were on the stolen appointment lists — 300 in all — via certified mail and notify them that their information was breached. I offered to pay for credit monitoring services for them for one year, an offer that only two patients accepted.
Due to the number of patients whose information was breached, I also knew that I had to notify the government of the breach. The Breach Notification Rule requires that entities provide the Secretary of Health and Human Services with notice of large breaches of unsecured protected health information (45 CFR 164.408).
After the flood, we reevaluated all of our computer reports to limit the risk of another HIPAA breach.
Follow up
Following an investigation by the insurance company as to the flood’s cause, it was determined that a 50-cent plastic nut broke, which ultimately caused more than $100,000 worth of damage to our office. The restoration of our office took four months to complete. I scheduled the major components of the renovation, such as new flooring, for nights and weekends so that the office didn’t have to experience any more closures.
I never imagined I’d face a day with a flood, a large HIPAA breach, a stolen car, and stolen office keys, but I did, and my team and I worked through it.
Sharon Alamalhodaei, COMT, owner and instructor at Eye Tech Training, is a former practice and personnel manager and author of “10 Steps To a Phenomenal Patient Experience,” published in 2014.