• Member Statistics

    • 835,836 Colleagues-to-Date [Sponsored by a generous R&D grant from iMBA, Inc.]
  • David E. Marcinko [Editor-in-Chief]

    As a former Dean and appointed University Professor and Endowed Department Chair, Dr. David Edward Marcinko MBA was a NYSE broker and investment banker for a decade who was respected for his unique perspectives, balanced contrarian thinking and measured judgment to influence key decision makers in strategic education, health economics, finance, investing and public policy management.

    Dr. Marcinko is originally from Loyola University MD, Temple University in Philadelphia and the Milton S. Hershey Medical Center in PA; as well as Oglethorpe University and Emory University in Georgia, the Atlanta Hospital & Medical Center; Kellogg-Keller Graduate School of Business and Management in Chicago, and the Aachen City University Hospital, Koln-Germany. He became one of the most innovative global thought leaders in medical business entrepreneurship today by leveraging and adding value with strategies to grow revenues and EBITDA while reducing non-essential expenditures and improving dated operational in-efficiencies.

    Professor David Marcinko was a board certified surgical fellow, hospital medical staff President, public and population health advocate, and Chief Executive & Education Officer with more than 425 published papers; 5,150 op-ed pieces and over 135+ domestic / international presentations to his credit; including the top ten [10] biggest drug, DME and pharmaceutical companies and financial services firms in the nation. He is also a best-selling Amazon author with 30 published academic text books in four languages [National Institute of Health, Library of Congress and Library of Medicine].

    Dr. David E. Marcinko is past Editor-in-Chief of the prestigious “Journal of Health Care Finance”, and a former Certified Financial Planner® who was named “Health Economist of the Year” in 2010. He is a Federal and State court approved expert witness featured in hundreds of peer reviewed medical, business, economics trade journals and publications [AMA, ADA, APMA, AAOS, Physicians Practice, Investment Advisor, Physician’s Money Digest and MD News] etc.

    Later, Dr. Marcinko was a vital and recruited BOD  member of several innovative companies like Physicians Nexus, First Global Financial Advisors and the Physician Services Group Inc; as well as mentor and coach for Deloitte-Touche and other start-up firms in Silicon Valley, CA.

    As a state licensed life, P&C and health insurance agent; and dual SEC registered investment advisor and representative, Marcinko was Founding Dean of the fiduciary and niche focused CERTIFIED MEDICAL PLANNER® chartered professional designation education program; as well as Chief Editor of the three print format HEALTH DICTIONARY SERIES® and online Wiki Project.

    Dr. David E. Marcinko’s professional memberships included: ASHE, AHIMA, ACHE, ACME, ACPE, MGMA, FMMA, FPA and HIMSS. He was a MSFT Beta tester, Google Scholar, “H” Index favorite and one of LinkedIn’s “Top Cited Voices”.

    Marcinko is “ex-officio” and R&D Scholar-on-Sabbatical for iMBA, Inc. who was recently appointed to the MedBlob® [military encrypted medical data warehouse and health information exchange] Advisory Board.



  • ME-P Information & Content Channels

  • ME-P Archives Silo [2006 – 2020]

  • Ann Miller RN MHA [Managing Editor]

    USNews.com, Reuters.com,
    News Alloy.com,
    and Congress.org

    Comprehensive Financial Planning Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners(TM)

    Product Details

    Product Details

    Product Details


    New "Self-Directed" Study Option SinceJanuary 1st, 2020
  • Most Recent ME-Ps

  • PodiatryPrep.org

    Lower Extremity Trauma
    [Click on Image to Enlarge]

  • ME-P Free Advertising Consultation

    The “Medical Executive-Post” is about connecting doctors, health care executives and modern consulting advisors. It’s about free-enterprise, business, practice, policy, personal financial planning and wealth building capitalism. We have an attitude that’s independent, outspoken, intelligent and so Next-Gen; often edgy, usually controversial. And, our consultants “got fly”, just like U. Read it! Write it! Post it! “Medical Executive-Post”. Call or email us for your FREE advertising and sales consultation TODAY [770.448.0769]

    Product Details

    Product Details

  • Medical & Surgical e-Consent Forms

  • iMBA R&D Services

    Commission a Subject Matter Expert Report [$2500-$9999]January 1st, 2020
    Medical Clinic Valuations * Endowment Fund Management * Health Capital Formation * Investment Policy Statement Analysis * Provider Contracting & Negotiations * Marketplace Competition * Revenue Cycle Enhancements; and more! HEALTHCARE FINANCIAL INDUSTRIAL COMPLEX
  • iMBA Inc., OFFICES

    Suite #5901 Wilbanks Drive, Norcross, Georgia, 30092 USA [1.770.448.0769]. Our location is real and we are now virtually enabled to assist new long distance clients and out-of-town colleagues.

  • ME-P Publishing


    If you want the opportunity to work with leading health care industry insiders, innovators and watchers, the “ME-P” may be right for you? We are unbiased and operate at the nexus of theoretical and applied R&D. Collaborate with us and you’ll put your brand in front of a smart & tightly focused demographic; one at the forefront of our emerging healthcare free marketplace of informed and professional “movers and shakers.” Our Ad Rate Card is available upon request [770-448-0769].

  • Reader Comments, Quips, Opinions, News & Updates

  • Start-Up Advice for Businesses, DRs and Entrepreneurs

    ImageProxy “Providing Management, Financial and Business Solutions for Modernity”
  • Up-Trending ME-Ps

  • Capitalism and Free Enterprise Advocacy

    Whether you’re a mature CXO, physician or start-up entrepreneur in need of management, financial, HR or business planning information on free markets and competition, the "Medical Executive-Post” is the online place to meet for Capitalism 2.0 collaboration. Support our online development, and advance our onground research initiatives in free market economics, as we seek to showcase the brightest Next-Gen minds. THE ME-P DISCLAIMER: Posts, comments and opinions do not necessarily represent iMBA, Inc., but become our property after submission. Copyright © 2006 to-date. iMBA, Inc allows colleges, universities, medical and financial professionals and related clinics, hospitals and non-profit healthcare organizations to distribute our proprietary essays, photos, videos, audios and other documents; etc. However, please review copyright and usage information for each individual asset before submission to us, and/or placement on your publication or web site. Attestation references, citations and/or back-links are required. All other assets are property of the individual copyright holder.
  • OIG Fraud Warnings

    Beware of health insurance marketplace scams OIG's Most Wanted Fugitives at oig.hhs.gov


Join Our Mailing List 


Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™

Mitigations for the Digital Health Era

Shahid N. Shah MS

[By Shahid N. Shah MS]

There has been a tremendous explosion of information technology (IT) in healthcare caused by billions of dollars of government incentives for usage of digital healthcare tools.

But, IT systems face threats with significant adverse impacts on institutional assets, patients, and partners if sensitive data is ever compromised. Every health enterprise is required to confidentiality, integrity and availability of its information assets (this is called “information assurance” or IA). Confidentiality means private or confidential information must not be disclosed to unauthorized persons. Integrity means that the information can be changed only in an authorized manner so as to maintain the correctness of the information. Availability defines the characteristic that information systems work as intended and all services are available to its users whenever necessary.

It is well known that healthcare organizations face and have been mitigating many risks such as investment risk, budgetary risk, program management risk, safety risk, and inventory risk for many years. What’s new in the last decade or so is that organizations must now manage information assurance risks related to operating its information systems because information systems. IT is now just as a critical an asset as most other infrastructure managed by health systems. It is important that information security risks are given the same or more importance and priority as given to other organizational risks.

As health records move from paper native to digital native, it’s vital that organizations have information risk management programs and security procedures that woven into the culture of the organization. For this to happen, basic requirements of information security must be defined and implemented as part of both the operational and management processes. A framework that provides guidance on how to perform these activities, and the co-ordination required between these activities is needed.



[Black Hat Medical Hacker]



The Risk Management Framework (RMF), supported by the National Institute of Standards and Technology (NIST) provides this framework. The NIST 800 series publications provide a structured approach to achieve risk management. It provides broad guidance and not necessarily all the prescriptions, which means it can be tailored to meet the organization’s specific needs and providing the flexibility needed for the different organizations. Using the NIST RMF helps organizations with risk management not only in a repeatable manner, but also with greater efficiency and effectiveness. Healthcare information assurance is complex and without a framework that takes into account a broad risk management approach, it is difficult to consider all the intricacies involved.

The NIST Risk Management Framework consists of a six step process designed to guide organizations in managing the risks in their information systems.

The various steps as defined in the NIST specifications are the following:

  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
  • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

All information systems process, store and transmit information. What is the possible impact if a worst case scenario occurs that causes endangers this information? A structured way to find out the potential impact on the confidentiality, integrity and availability of information can be done through the first step of NIST RMP, the categorization of information systems.



[Triple Redundant Passwords and Encryption]


The NIST SP 800-60 [1, 2, 3 4] provides such guidance. The potential impact is assigned qualitative values – low, moderate, or high. Based on these impact levels for each of the information type contained in the system, the high water mark level is calculated, that helps in selecting the appropriate controls in the subsequent steps.

Organizations need to mitigate risks adequately by selecting an appropriate set of controls that would work effectively. In the selection of security controls step, the set of controls are chosen based on the categorization of the information system, the high water mark and the goals of the organizations.

These baseline controls are selected from NIST SP 800-53 [5] specification, one of three sets of baseline controls, corresponding to low, moderate, high impact rating of the information system. These baseline controls can be modified to meet specific business needs and organization goals. These tailored controls can be supplemented with additional controls, if needed, to meet unique organizational policies and environment factors and its security requirements and its risk appetite. The minimum assurance requirements need to be specified here.

All the activities necessary for having the selected controls in place, is done in the implementation of security controls step. The implementation of the selected security controls will have an impact on the organization risks and its effects. NIST SP 800-70 [6, 7] can be used as guidance for the implementation. An implementation strategy has to be planned and the actions have to be defined and the implementation plan needs to be reviewed and approved, before the implementation is done.

Once the controls are implemented, then the assessment of security controls is done to find out whether the controls have been correctly implemented, working as intended, and giving the desired output with respect to the security requirements. In short, whether the applied security controls are indeed the right ones, done in the right way, giving the right outcome. NIST SP 800-53 [5], NIST 800-53A [6], NIST 800-115 [8-11] can provide the necessary guidance, here. 



[Frustrated Physician]


The authorization of information systems is an official management decision, authorizing that the information system can be made operational, with the identified risks mitigated and the residual risks accepted, and is accountable for any adverse impacts on the confidentiality, integrity and availability of information systems. If the authorizing personnel find that the risks are not mitigated and hence can compromise the sensitive information, they can deny authorizing the information system. NIST SP 800-37 [2] provides guidance on authorization. The authorizing personnel are to be involved actively throughout the risk management process.

Risk management is not one-time process, that once it is done, it is forgotten. It is a continuous process, to be integrated with day-to-day activities. One of the key aspects of any risk management is the monitoring of security controls to check whether the controls are performing as intended. The main focus of monitoring security controls is to know whether the controls are still effective over a period time, given the changes that occur in the information systems — the changes in hardware, software and firmware, the changes in environment factors, operating conditions etc. NIST SP 800-37 [2] provides guidance about this. And, if the security controls are found to be ineffective, the cycle starts again, with either re-categorization or selecting another set of baseline controls, or assessing the effectiveness of the controls once more etc.

Regardless, in all the steps in risk management framework, one of the important aspects is communication. Appropriate documents needed to be generated in all the steps, reviewed and kept up-to-date.

Organizational risk management provides great benefits to the organization because it helps to prioritize the resources, increase interoperability, and reduce costs incurred due to the adverse effects. It helps to prevent unauthorized access to personally identifiable information which will lead to security breaches. 

Channel Surfing

Have you visited our other topic channels? Established to facilitate idea exchange and link our community together, the value of these topics is dependent upon your input. Please take a minute to visit. And, to prevent that annoying spam, we ask that you register.

Link: http://feeds.feedburner.com/HealthcareFinancialsthePostForcxos


Mr. Shahid N. Shah is an internationally recognized healthcare thought-leader across the Internet. He is a consultant to various federal agencies on technology matters and winner of Federal Computer Week’s coveted “Fed 100″ Award, in 2009. Over a twenty year career, he built multiple clinical solutions and helped design-deploy an electronic health record solution for the American Red Cross and two web-based eMRs used by hundreds of physicians with many large groupware and collaboration sites. As ex-CTO for a billion dollar division of CardinalHealth, he helped design advanced clinical interfaces for medical devices and hospitals. Mr. Shah is senior technology strategy advisor to NIH’s SBIR/STTR program helping small businesses commercialize healthcare applications. He runs four successful blogs: At http://shahid.shah.org he writes about architecture issues; at http://www.healthcareguy.com he provides valuable insights on applying technology in health care; at http://www.federalarchitect.com he advises senior federal technologists; and at http://www.hitsphere.com he gives a glimpse of HIT as an aggregator. Mr. Shah is a Microsoft MVP (Solutions Architect) Award Winner for 2007, and a Microsoft MVP (Solutions Architect) Award Winner for 2006. He also served as a HIMSS Enterprise IT Committee Member. Mr. Shah received a BS in computer science from the Pennsylvania State University and MS in Technology Management from the University of Maryland. 


Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.


Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™



[1] National Institute of Standards and Technology Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

[2] National Institute of Standards and Technology Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

[3] National Institute of Standards and Technology Special Publication 800-60 Volume I Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

[4] National Institute of Standards and Technology Special Publication 800-60 Volume II Revision 1,  Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf

[5] National Institute of Standards and Technology Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

[6] National Institute of Standards and Technology Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

[7] National Institute of Standards and Technology Special Publication 800-70 Revision 2, National Checklist Program – Guidelines for Checklist Users and Developers Recommendations of the National Institute of Standards and Technology for IT Products, http://csrc.nist.gov/publications/nistpubs/800-70-rev2/SP800-70-rev2.pdf

[8] National Institute of Standards and Technology Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

[9] National Institute of Standards and Technology Special Publication 800-137, Information Security, http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

[10] U.S. Department of Health and Human Services, HIPAA Security Series, Security Standards: Technical Safeguards, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

[11] U.S. Department of Health and Human Services, HIPAA Security Series, Security Standards: Physical Safeguards, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com


Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™8Comprehensive Financial Planning Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™

On the Notice of Privacy Practices

Join Our Mailing List 

Encryption and HHS are Taking Hits

[By D. Kellus Pruitt DDS]

1-darrellpruittIt is bad politics for the President’s Department of Health and Human Services to get caught deceiving voters.

Word gets around much faster than it did before transparency sucked the power from the entrenched.

The NoPP

You know those Notice of Privacy Practices (NoPP) forms we are asked to sign in doctors’ offices? Since it makes no difference to anyone whether patients sign them or not, why needlessly waste everyone’s time? The NoPP is not an agreement, and just because virtually everyone is tricked into signing it, does not mean anyone reads it. HIPAA has become a source of danger to patients, with no redeeming value.

HHS Estimates 

According to the US Department of Health and Human Services own recent estimate:

“… many centuries of time—nearly 35 centuries, in fact, or just short of 30.7 million hours—will be devoted each year by healthcare providers and patients for the dissemination to patients and their acknowledgement of HIPAA notices of privacy practices [NoPP] for protected healthcare information, HHS estimates. Even at just 3 minutes apiece, with 613 million of these routine privacy notices to be delivered, signed and stored, the time adds up…”

-Joseph Conn

… “HHS estimates 32.8 million hours of interaction required to comply with privacy, security rules” …

-ModernHealtcare.com [September 5, 2013]


Censorship Concerns? 

I tried to bring attention to this absurdity over a year ago – back when HHS was still keeping unfavorable news about EHRs hidden from voters using censorship:

… “Put another way, the ONLY reason for a doctor to ask patients if they feel like signing the NoPP is to protect already busy doctors from a HIPAA fine. How is that not senseless, yet admittedly humorous bureaucratic waste?” …

On July 3, 2012, my opinion of the waste that HHS recently confirmed was censored by an HHS employee from the taxpayer-supported Linkedin site, Health IT and Electronic Health Records. If that is not against federal law, it damn sure should be.


Among the items that HHS requires providers include in Notices of Privacy Practice is a one-sentence statement addressing data breaches:

…“We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information [unless it is encrypted]”…


Now that it is widely known that encryption is no longer acceptably secure, protection from accountability is encryption vendors’ only remaining selling point. HIPAA stipulates that if breached patient information is encrypted according to standards set forth by the National Institute of Standards and Technology (NIST), doctors are freed from the tremendous cost of notifying (former) patients – even though patients’ privacy and security have been nevertheless compromised.

For example, two weeks ago, the NIST abandoned the very encryption standards that HIPAA demands. Oops! (See: “Government Standards Agency ‘Strongly’ Suggests Dropping its Own Encryption Standard,” by Jeff Larson and Justin Elliott, ProPublica, September 13, 2013).



eMR Privacy


NSA Secrets 

US spy agency NSA’s secret success at decrypting previously impenetrable codes – which was revealed by former NSA contractor Edward Snowden – proves that today’s best encryption is tomorrow’s crossword puzzle. What’s more, once an individual’s medical identity is lost in the cloud, it can never be reeled back in.

And, when DNA records are included, a breach today could put the welfare of generations of Americans at risk.

A Gut-Check 

The ultimate gut-check: If your encrypted identity were fumbled, wouldn’t you want to be notified? Of course you would.


In my opinion, the HIPAA Rule should be immediately amended to demand notification of all individuals involved in all data breaches unless they allow opt out. Who knows? Some might prefer not to be bothered.

What is your opinion; doctor, patient and/or consultant?


Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com


Product DetailsProduct Details

Clarifying Some NPI Number Mis-Understandings

The NPI Number: What is is – How it works?

By Carol S. Miller RN, MBA

The National Provider Identifier (NPI) is a HIPAA Administrative Simplification Standard that provides a unique identification for covered health care providers, all health plans and health care clearinghouses.  The NPI must be used in administrative and financial transactions adopted under HIPAA and with one identifying number will simplify security and allow greater protection or encryption of the provider number.  The NPI can be used to identify the health care provider on prescriptions, COB between health care plans, inpatient medical record systems, program integrity files, and other areas.

Dependent on his/her medical practice, the provider can obtain an individual or group NPI; however, there are situations where an individual NPI number is required such as with the submission of pharmacy and lab claims.  The NPI remains with the provider regardless of job or location change.  NPI will eventually be the standard identifier for all e-prescribing under Medicare Part D.

A Ten Digit Number

The NPI is a ten digit, intelligence-free numeric identifier with a check digit in the last position to help detect keying errors.  If there is a security breach, the number in itself cannot identify the protected health organization.  The use of one identifier with a check digit simplifies encryption of this number when transmitted electronically and thereby enhances security.


HIPAA also requires that employers have standard national numbers that identify them on standard transactions.  The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS) was selected as the identifier for employers.  This number is used as a Federal tax identification number for the means of identifying any business entity and for the purpose of reporting employment taxes.  The EIN number should be protected as a social security number is.


Both the Information Technology Laboratory (ITL) and the National Institute of Standards and Technology (NIST) are involved in the development of technical, physical, administrative, and management standards and guidelines for cost-effective security and privacy of sensitive unclassified information in federal computer systems.  These standards and guidelines can be applied to the management of medical IT.


Additional reference material for NPI can be found at: www.cms.gov/nationalprovidentstand.


And so, your thoughts and comments on this ME-P are appreciated. Please review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Link: http://feeds.feedburner.com/HealthcareFinancialsthePostForcxos

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com

Our Other Print Books and Related Information Sources:

Health Dictionary Series: http://www.springerpub.com/Search/marcinko

Practice Management: http://www.springerpub.com/product/9780826105752

Physician Financial Planning: http://www.jbpub.com/catalog/0763745790

Medical Risk Management: http://www.jbpub.com/catalog/9780763733421

Healthcare Organizations: www.HealthcareFinancials.com

Physician Advisors: www.CertifiedMedicalPlanner.com

Subscribe Now: Did you like this Medical Executive-Post, or find it helpful, interesting and informative? Want to get the latest ME-Ps delivered to your email box each morning? Just subscribe using the link below. You can unsubscribe at any time. Security is assured.

Link: http://feeds.feedburner.com/HealthcareFinancialsthePostForcxos

Sponsors Welcomed: And, credible sponsors and like-minded advertisers are always welcomed.

Link: https://healthcarefinancials.wordpress.com/2007/11/11/advertise



On HIT Continuity Planning

Join Our Mailing List

Setting Up Your HIT Security System

Dr. MataBy Richard J. Mata, MD, CIS, CMP™ [Hon]

In order for a healthcare organization to thrive, it must be able to continue to function no matter what the circumstances are.

When disaster strikes, the organization must mobilize all the talent and resources needed to continue their operations and return to a normal state as soon as possible.

Time is money, and in today’s economy, an hour could be worth thousands of dollars.  Every department in an organization has responsibilities during a disaster.  Planning for a disaster and then dealing with it is a team effort by all parts of an organization.

Phases of Healthcare Business Continuity Planning

A system is required to realize this objective, and part of this system is healthcare entity business continuity planning (BCP).

Phase One: Set up a BCP Project

The first step is to set up a BCP project, which includes feedback from key members from all departments.  Appoint a project manager who has a solid background in the clinical and financial systems and functions that the organization deploys or services it provides.  The project manager can work with business and system analysts to document business flow and interactions with computerized systems that may go down, and how the organization will function on a manual system until service returns.

Phase Two: Review Emergencies and Assess Business Risk

The second phase involves reviewing the different types of emergencies that can arise and assessing the risks to the various business processes already documented.  This is accomplished following a system or service function.

Phase Three: Prepare for Emergencies

The third phase includes identifying of back-ups and recovery strategies to mitigate the effects of an emergency.  A storage area network (SAN) or redundant server could be used as back-ups.

Phase Four: Plan for Disaster Recovery

The fourth phase involves the development of procedures to be followed by a Disaster Recovery Team where human life may be at risk.  A disaster might be caused by weather, sabotage, or electrical power and be specific to the particular organization and its business and IT infrastructure.

Phase Five: Plan for Business Recovery

The fifth phase is critical, and involves developing detailed procedures for the recovery of the business.  Again, the BCP project manager could use each business or service procedure that was documented in phase two and detail which financial or clinical systems are involved, what would be done if the systems were down, and what the plan for recovering the system might be.

Phase Six: Test Business Recovery Procedures

The sixth phase involves simulating authentic emergencies and testing of the business recovery phase.  For example, how would business processes or services be affected by an electrical outage?  How fast can a power generator pick up the outage – and what might happen after a timely pause?  How would patients who were receiving mechanical support be affected?  What would happen to the clinical laboratory?

Phase Seven: Train the Staff

Phase seven covers the training of all employees in the procedures necessary to manage the business recovery process.  These are the procedures tested in phase six, which may require modification.

Phase Eight: Maintain the Currency of the Plan

Phase eight includes treating BCP as a dynamic project to be kept up to date to reflect all changes to business processes and employee structure.


Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com


Product DetailsProduct Details

%d bloggers like this: