
Continuity of Operations (COOP)/ Business Continuity Planning Topic Collection October 10, 2022

Topic Collection: Continuity of Operations (COOP)/ Business Continuity Planning
Disasters and public health emergencies can have a significant impact on healthcare personnel and facilities. Plans and mitigation efforts that allow medical facilities and providers to sustain their mission, core essential functions, and services for patients already receiving care, as well as respond to potential surges in patients with space, staffing (including leadership), and equipment/supply issues are required. The goal is to ensure continuity of operations and facilitate operational and financial recovery.
Continuity of Operations Planning (COOP) is the term favored by public and government entities for mitigation and planning strategies that create resilience and allow services to continue to be provided in the face of a range of challenges. Business Continuity Planning (BCP) is a similar term more often used in the private sector that focuses on both maintaining service delivery and receiving payment for those services provided. BCP in the past often referred to computer systems but now applies to all vulnerable resources. The resources that follow highlight selected plans and planning guidance, lessons learned, tools, and promising practices for healthcare facility BCP. Additional related resources may be found in the Hazard Vulnerability/Risk Assessment, Cybersecurity, Electronic Health Records, Recovery, and Utility Failures Topic Collections.
Each resource in this Topic Collection is placed into one or more of the following categories (click on the category name to be taken directly to that set of resources). Resources marked with an asterisk (*) appear in more than one category.
- Emma Poon This is a better link for FEMA's most current continuity guidance: https://www.fema.gov/continuity-resource-toolkit 7/1/2020 9:33:51 AM
- J Warren Billett This link is broken. 7/11/2022 2:29:15 PM
Education and Training
Event-specific lessons learned, general information, guidance/guidelines, information technology (IT) and utility issues.
- bob johnson This response missed RPO as part of the discussion and cost factor. 11/26/2019 1:26:39 AM
Non-Hospital Setting Continuity Planning
Plans, tools, and templates.
- Mike Staley Template not available 4/27/2017 2:04:00 PM
Agencies and Organizations
This ASPR TRACIE Topic Collection was refreshed and comprehensively reviewed in August 2019 by the following subject matter experts (listed in alphabetical order): Eric Alberts, EM, CHS-V, FPEM, FPEM-HC, CDP-1, CHPP, CHEP, SEM, CFRP, FABCHS, Manager, Emergency Preparedness, Orlando Health, Inc. (Hospital System); Peter Brewster, U.S. Department of Veterans Affairs, Program Manager, Education and Training; John Hick, MD, HHS ASPR and Hennepin County Medical Center; Onora Lien, Executive Director, Northwest Healthcare Response Network; Mary Massey, BSN, MA, PHN, VP, Emergency Management, California Hospital Association; and Mary Russell, EdD, MSN, Healthcare Emergency Response Coalition, Palm Beach County Florida.
It was comprehensively reviewed in August 2015 by the following subject matter experts (listed in alphabetical order): Eric Alberts, BS, FPEM, CHS-V, CDP-1, CHPP, CHEP, SEM, CFRP, FABCHS, Manager, Emergency Preparedness, Orlando Health, Inc. (Hospital System); Peter Brewster, U.S. Department of Veterans Affairs, Director, Education and Training; Benjamin Dauksewicz, MA, CEM, Mount Sinai St. Luke’s–Roosevelt; Natalie N. Grant, MPH, Program Analyst, HHS ASPR, Office of Emergency Management (OEM), Recovery, and Hurricane Sandy Health & Social Services Recovery Support Function Field Coordinator; John Hick, MD, U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response (HHS ASPR) and Hennepin County Medical Center; Carol Jacobsen, RN, Director, Public Health Programs, Ohio Hospital Association; Bill Mangieri, CBCP, CHEP, Field Project Officer Region VI, National Healthcare Preparedness Program, HHS ASPR, OEM; Mary Russell, EdD, MSN, Emergency Services, Boca Raton Regional Hospital; and Matthew L. Smith, Chief, Continuity of Operations Branch, HHS ASPR, OEM, Division of Resilience.

The Ultimate Guide to Business Continuity in Healthcare
Everything you need to know about business continuity in the healthcare industry, including a blueprint to ensure a holistic hospital preparedness program.

While hospitals are well-equipped to respond to certain disasters, oftentimes healthcare organizations are missing a critical ingredient in the recipe for preparedness: business continuity.
This guide looks at hospital preparedness in terms of what hospitals do well, what’s missing, and how to achieve a holistic program to ensure hospitals can continue to perform critical functions (like saving lives!) in the face of any disruptive event.
Before we dive in, let’s define a few key terms that we will further explore in this article:
- Business Continuity (BC) – responsible for developing and implementing department-specific recovery requirements, strategies, and plans in order to successfully respond to and recover from a disruptive event impacting required resources (facility, technology, supplier, personnel, equipment, etc.).
- Emergency Management / Hospital Incident Command System (HICS) – responsible for the overall, hospital-wide management of an event, including decision making and objective/priority setting.
- Information Security (InfoSec) – responsible for developing and implementing security around IT systems and data and responding to events that may impact the confidentiality of information or availability due to compromised environments.
- IT Disaster Recovery (IT DR) – responsible for developing and implementing infrastructure and application-specific recovery strategies and plans in order to successfully respond to and recover from an interruption to the hospital’s data center or other technology assets.
Requirements for Hospitals
The number one priority for hospitals is to provide continuous, superior care to patients, regardless of circumstance. This principle results in the need to invest time and resources in preparing for disruptive events. In addition, a number of external parties require hospitals to invest in preparedness measures, specifically the following:
- The Joint Commission (the group that evaluates hospitals to ensure high-quality care), and other accreditation bodies, require hospitals to implement emergency preparedness programs.
- Risk Assessment and Emergency Planning – Requires the development of an emergency plan based on an “all-hazards” risk assessment, focusing on capacities and capabilities.
- Policies and Procedures – Requires the development and implementation of policies and procedures that support the execution of the emergency plan, including evacuation and shelter-in-place plans, tracking patients and staff during an incident, and ensuring the confidentiality of patient data.
- Communications Planning – Requires hospitals to maintain updated contact information for staff and third-party resources and identify means to communicate with patients and other key stakeholders.
- Training and Testing – Requires providers to conduct two exercises: one that is community-based, which can include responding to an actual event, and the other at the provider’s choice (e.g. an exercise for one facility).
- Hospitals that receive federal preparedness and response grants are required to implement an incident response framework that aligns with the National Incident Management System (NIMS; a FEMA initiative designed to achieve holistic community response to various threats and hazards).
- Government regulations (such as HIPAA) require hospitals to protect all medical information, including electronic medical records (EMRs), which requires a robust information security program.
To achieve these goals, most hospitals implement a Hospital Incident Command System (HICS).
Hospital Incident Command System (HICS)
What is a Hospital Incident Command System (HICS)? Per the HICS Guidebook (Fifth Edition, 2014), HICS is an incident management system that can be used by any hospital to manage threats, planned events, or emergency incidents. HICS is not a singular activity or plan; it is an overarching program or framework that helps to design, implement, maintain, and improve an emergency preparedness program. HICS is closely related to the National Incident Management System (NIMS) Incident Command System (ICS) mentioned above; however, HICS is specially adapted to meet the needs of hospitals, while ICS can be applied broadly to almost any public and private organization.
To implement HICS or find out more about the specific HICS framework and requirements, check out the HICS Guidebook and HICS forms. Per the HICS Guidebook, HICS forms are intended to “provide guidance for incident documentation, resource tracking, safety information, cost collection, and other critical activities within the Hospital Command Center.” The forms alone are not the solution to implement an emergency management program, but they are an excellent resource.
Most hospitals frequently use their HICS frameworks to effectively respond to emergency situations and continue delivering patient care. Ideally, HICS programs incorporate related disciplines, such as IT disaster recovery, information security, and business continuity. However, most organizations have implemented HICS with a focus on dealing with external disasters and mass casualty events, thus investing little time into planning for other events that could occur.
Increasing Focus on IT Disaster Recovery and Information Security
In addition to HICS, hospitals are focusing increasingly on IT disaster recovery capabilities and information security preparedness. Since hospitals are becoming more reliant on IT applications to store patients’ medical information, robust IT disaster recovery programs are needed to ensure applications are available to support medical professionals in treating patients. Technology is so ingrained in providing patient care that oftentimes any amount of downtime for key systems would result in impacts to patient care. Therefore, hospitals focus on IT disaster recovery strategies to reduce downtime of systems and data loss. Furthermore, hospitals put in place “downtime procedures,” or manual workarounds, for critical systems where possible. This includes storing some patient information locally so that providers can access the information if the primary data source were unavailable. Additionally, hospitals have retained paper procedures, such as patient charting and ordering prescriptions, as backups to critical systems. Of note, although these workarounds are typically available at hospitals, oftentimes younger staff and day-shift staff are not adequately trained on these manual processes due to never having to use them. (Night-shift staff are typically required to use manual processes during system upgrades and older staff typically used the manual processes before the systems were installed.) Therefore, it is critical that hospitals’ IT disaster recovery programs encompass downtime procedure development and training.
Hospitals and healthcare providers are also focusing heavily on information security for several reasons:
- The Health Insurance Portability and Accountability Act (HIPAA; 1996) requires patient data to be confidential. Information security is responsible for ensuring this confidentiality.
- Information security incidents, such as ransomware, can cause system downtime and can directly result in patient harm. Hospitals continue to be a target for ransomware attacks, as hospitals are greatly impacted by system downtime.
To address information security, most hospitals have established information security programs. These programs implement and manage preventative measures, such as policies, training, and “hardening” environments, and response plans.
What’s Missing?
Until recently, the focus of many hospitals has solely been on establishing and maintaining a robust HICS program. In the past several years, hospitals have put significant efforts towards IT disaster recovery and information security programs. With these programs in place, are hospitals fully prepared to respond to any type of disruption? Oftentimes not.
The gap in preparedness comes from hospitals tending to use a narrow lens when considering the areas that should be in scope for preparedness efforts and the types of disruptions that could occur. HICS does a great job preparing for natural disasters and other community-wide events. IT disaster recovery and information security both reduce downtime of technology and prepare to respond and recover from these events. So, what’s missing?
Current hospital preparedness efforts neglect a few key disruptions that could occur. For example, HICS plans typically do not address strategies for a loss of third-party suppliers. The typical hospital preparedness measures and programs also tend to focus exclusively on patient care departments and neglect back-office or support departments. In doing so, support departments, such as Call Centers, Payroll, and Accounts Receivable, may have significant risks of downtime with no plans to recover. Sometimes these departments, if unavailable, can impact patient care. For example, downtime of the Call Center could prevent patients from scheduling appointments.
To address these gaps and ensure a complete preparedness program, hospitals implement a business continuity program that is integrated with existing efforts. The business continuity program should focus on:
- Properly scoping program efforts to include departments supporting high-priority activities,
- Assessing risks for in-scope departments in terms of likelihood and impact of resource downtime, and
- Preparing in-scope departments to respond to any event impacting the availability of resources by documenting resource loss-based plans. Resources include facilities, technology, suppliers, equipment, personnel, and internal departments.
The HICS framework is flexible and can incorporate business continuity program elements, while serving as the overarching incident response framework. In fact, HICS has pre-defined roles for business continuity, which means integrating the two can be a natural evolution. The following section describes how to implement business continuity and integrate with current efforts to achieve a holistic hospital preparedness program.
How to Build Business Continuity in Healthcare
When creating your hospital’s business continuity program, ensure that it is properly integrated with existing HICS, IT disaster recovery, and information security planning processes by following the 6-step model below:
Create a Cross-Functional Steering Committee: The first key to successfully implementing an integrated preparedness program is to create an integrated, cross-functional group of management (i.e. steering committee) to oversee the preparedness effort of the hospital. Typically, the emergency management program will already have a management group that it reports to, so it may make sense to first look at this group to oversee the overall preparedness program. However, it is important to keep in mind that this group should truly be cross-functional, meaning it should have representation from emergency management, business continuity (clinical and support areas), IT disaster recovery, and information security.
Set Program Scope and Objectives: After the cross-functional steering committee is created, this group should set hospital-wide program objectives and priorities. These priorities may include:
- Protect employees and patients (emergency management)
- Provide care for patients in residence (e.g. hospitals, rehab, long-term care)
- Provide centralized, patient-facing activities
- Deliver outpatient services
- Execute critical back-office activities
Note: The priorities established by the steering committee can easily serve as the scoping mechanism for the business continuity business impact analysis (see next bullet).
Execute Business Impact Analysis: After the steering committee determines the program’s scope and objectives, the business continuity team should perform a business impact analysis (BIA) and risk assessment for in-scope departments throughout the hospital (see Ultimate Guide to the Business Impact Analysis for more information on how to properly scope your BIA). The BIA and risk assessment determine the department’s critical activities and the impact of a disruption on them. In addition, the BIA identifies all dependencies relevant to critical activities, including technology, personnel, suppliers, equipment, and facilities. For all dependencies, the BIA/risk assessment identifies likely sources of risk, current-state controls to mitigate risk, and risk treatment options. The key outcome of the BIA is to set recovery time objectives for the resumption of critical activities to ensure the hospital’s capabilities align to requirements.
Develop Response and Recovery Strategies: Following the BIA and risk assessment, all teams should determine/review capabilities and strategies that enable the hospital to recover its critical activities and resources (including technology) within the recovery time objectives identified in the BIA.
Develop and Update Plans: Following the identification and implementation of strategies, all teams should use analysis outputs to develop/update emergency response, business continuity, IT disaster recovery, and information security plans. Together, these plans should ensure the hospital can respond to and recover from the following scenarios:
- Facility Inaccessibility
- Personnel Unavailability
- Technology Outage
- Equipment Outage
- Patient Surge
- Supplier/Vendor Loss
- Information Security Event
Test and Exercise Plans: After all plans have been developed/updated, an integrated method should be used to test the plans. Since there is likely already a testing cycle in place for the emergency management team/plan, a key success factor for breaking down the silos between the preparedness programs is to integrate the business continuity exercises into the existing emergency management exercises. If possible, the hospital should also consider including IT disaster recovery tests and information security exercises within the scope of the emergency management tests.
Hospitals are experts at planning for and responding to community and facility emergency events using the HICS framework. Additionally, in recent years, hospitals have built increasingly mature IT disaster recovery and information security programs. However, most hospitals and healthcare providers do not account for business continuity in their preparedness programs, which can be a recipe for disaster. To ensure a holistic hospital preparedness program inclusive of business continuity, healthcare providers should use the following recipe:
Blueprint For Preparedness
Components:
- Emergency Management / Hospital Incident Command System (HICS)
- IT Disaster Recovery (IT DR)
- Business Continuity (BC)
- Information Security (InfoSec)
How to build a hospital business continuity program:
- Create cross-functional steering committee
- Set program scope and objectives
- Execute business impact analysis
- Develop response and recovery strategies
- Develop/update plans
- Test/exercise plans

Emergency Preparedness
Hospital Continuity Resources: A Toolkit for Healthcare Providers
CHA Hospital Continuity Program Checklist
- Download CHA’s Hospital Continuity Program Checklist (.doc)
Business Continuity Planning Toolkit
- Download Word document (.doc)
- Download PDF document (.pdf)
VI. Appendixes
- Download Appendix D: Business Continuity Plan Tool (.xls)
- Download Appendix D1: Technical Documentation for Maintaining Business Continuity Plan Tool (.doc)
- Download Appendix E: Department Status Forms/Summary (.doc)
- Download Appendix F: Business Continuity Planning PowerPoint to Management (.ppt)
- Download Appendix G: Utilizing Your Business Continuity Plan (.ppt)
VII. Additional Example Plans/Resources
- Download Sample Business Continuity Planning Presentation (.ppt)
- Good Samaritan Hospital: Sample Continuity Plan (.pdf)
Other Continuity Resources
- How to Conduct a Hospital Business Impact Analysis (.pdf)
- Business Impact Analysis tool (.pdf)
- EOP/Continuity Plan Table (.pdf)

Hospital Continuity Planning Toolkit. (Accessed 7/9/2019.) This toolkit provides examples for hospitals to follow when developing their continuity plans. It is a companion document to the California Hospital Association's Hospital Continuity Program Checklist.
These Business Continuity Plan (BCP) templates and instruction manuals are provided by the Los Angeles County Emergency Medical Services (EMS) Agency as a resource to assist healthcare facilities develop their business continuity plans and meet the Hospital Preparedness Program’s Healthcare Preparedness Capability 2: Healthcare System Recovery, …
The Business Continuity Plan is accessible in paper format via the EPLO for the Trust or electronically via the intranet. Figure 3. The Business Continuity Planning Process 1.7 Identify Critical services To develop a complete Business Continuity plan it is very important that the business is fully understood with an all-inclusive list of critical
The purpose of the Business Continuity Plan is to assist the organization with ensuring that mission critical services and process are maintained, restored or augmented to meet the designated Recovery Time Objectives (RTO). Following the command/HICS structure, the Business Continuity Operations Branch will lead BCP activities to: a.