Protecting personal health information: Do you have a disaster recovery plan?

November 8, 2013

Do you have a disaster recovery plan for your servers?

On October 24, the Office of the Information and Privacy Commissioner (OIPC) released its investigation report into the outage that resulted from a fire at the Shaw Court building in Calgary. The report provides findings and recommendations on business continuity and disaster recovery planning.

On July 11, 2012, an electrical breaker in the Shaw Court building failed, causing a fire in the main transformer room. Servers damaged by the sprinkler system included those storing personal and health information for Service Alberta, Alberta Treasury Branches, Alberta Health and Alberta Health Services.

Of these four organizations, only three had business continuity and disaster recovery plans in place. The fourth was found to be "in contravention of the Health Information Act."

The OIPC has made the following recommendations to all public bodies, organizations and custodians in Alberta regarding business continuity and disaster recovery planning as a component of protecting personal and health information:

  1. Establish a planning process with identified teams, resources and executive support.
  2. Perform a business impact analysis to identify which systems and business processes are critical to continued operations. This analysis should include consideration of the sensitivity and amount of personal or health information involved.
  3. Review the business impact analysis regularly to assess whether priorities need to change to reflect changing requirements.
  4. Prepare plans to continue operations and recover from a disaster, based on the criticality of systems. Give more critical systems higher priority: they receive shorter recovery time objectives, and more resources are spent on recovering them.
  5. Approve and distribute plans.
  6. Train those directly involved in the plan. Make all employees aware of what to do in case of a disaster and what their role may be in ensuring continuous operations. Test plans regularly.
  7. Revise and refine plans, based on test results and changing business requirements.

Read the complete report on the OIPC website.

The AMA advances patient-centered, quality care by advocating for and supporting physician leadership and wellness.