6.5 Disaster Recovery and Downtime Readiness

Plan for Records During Disruption

Disaster recovery is not abstract technology for HIM — it is the ability to keep health information available, accurate, controlled, and recoverable when systems or facilities are disrupted by cyber incidents, power loss, network outage, severe weather, facility damage, interface failure, vendor outage, or planned EHR downtime. The HIPAA Security Rule makes a contingency plan a required administrative safeguard, and it has named components the exam tests: a data backup plan, a disaster recovery plan, an emergency mode operation plan, plus addressable testing/revision procedures and applications/data criticality analysis.

Two recovery metrics anchor planning. The Recovery Time Objective (RTO) is the maximum acceptable time a system can be down before unacceptable harm occurs — it answers “how fast must the EHR be back?” The Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time — it answers “how much recent documentation can we afford to lose?” If backups run nightly, the RPO is roughly 24 hours; if the EHR must be restored within 4 hours, the RTO is 4 hours. A business impact analysis sets these targets by ranking systems by criticality.

Recovery planning must identify critical systems and dependencies. The EHR may depend on identity management, network services, document imaging, dictation, lab and pharmacy interfaces, the patient portal, HIE connections, coding tools, claims systems, and reporting platforms. If one dependency fails, the workflow breaks even though the main application is running — a nuance the exam uses to discredit “the EHR is up, so we are fine” answers.

Backups are only useful if restoration works. HIM leaders should ask whether backups cover the right systems, whether restore tests are performed against the RTO and RPO, whether recovered data is validated, and whether downtime documentation merges into the legal record without gaps. A backup that has never been restore-tested is an assumption, not a control.

Downtime Readiness Checklist

• Current downtime forms and job aids are stored where staff can reach them without the network.
• Staff know when downtime begins, who announces it, and how updates flow.
• Patient identity and encounter controls continue during downtime.
• Paper is tracked from creation through scanning and reconciliation with batch control.
• ROI, portal, HIE, coding, quality, and billing teams know hold and restart rules.
• Backups, restoration, and data validation are tested against RTO/RPO targets.
• An after-action review captures record gaps, delays, duplicate entries, and fixes.

Common trap: scenarios where staff document on scrap paper, scan without batch control, release records while downtime documents are missing, or resume coding before reconciliation. These are not mere inconveniences — they create patient-safety, compliance, revenue, and data-integrity problems. A strong RHIA answer protects the record across the full lifecycle: before the event define and train, during the event preserve documentation and communicate status, and after restoration reconcile, validate, scan, index, update queues, monitor backlogs, and document lessons learned.

Recovery is successful only when the organization can trust the restored legal health record.

Backup Strategy, Emergency Mode, and the Legal Health Record

A defensible backup strategy is often summarized as the 3-2-1 rule: keep 3 copies of data, on 2 different media types, with 1 copy stored off-site (and increasingly one copy offline or immutable to survive ransomware that targets connected backups). The off-site or air-gapped copy is what makes recovery possible after a site-wide event or an attack that encrypts production and network-attached backups together.

The emergency mode operation plan — a required Security Rule contingency component — governs how critical business processes continue while systems are down so PHI remains protected. For HIM this means downtime forms are authorized, registration assigns or verifies the correct medical record number to prevent duplicates and overlays, and a clear announcement protocol tells the organization when downtime starts and ends.

Reconciliation protects the legal health record (LHR) — the documentation an organization will produce on legal request. After restoration, every downtime document must be scanned, indexed to the correct patient and encounter, and verified so the LHR is complete; gaps, duplicates, and overlays must be corrected before the record is trusted for release, coding, or litigation. A late or mis-indexed downtime note can become a patient-safety event or a disclosure error months later.

The exam rewards candidates who connect these mechanics to outcomes: availability is meaningless if the restored record is incomplete, and a tested backup with sound reconciliation is the only way to prove the organization can both recover and trust its health information.