Risk Assessment and Response

After the imminent danger from the disaster has passed, steps should be taken to return to regular operations and restore vital services as safely and as quickly as possible. The tables below identify several possible outcomes of an incident, the probability of each occurring, its impact on HPSM and the actions HPSM will take to ensure business continuity. This risk assessment will be reviewed as changes occur, and at least annually.

Probability: Low

Impact: High

Impact details

Access to HPSM’s facility is not possible due to unsafe conditions in the building or in the surrounding area.

Actions

  1. Incident Commander or other Administrator of Alert Media to notify all staff of incident using Alert Media.
  2. Determine essential functions that are needed to provide services and retain necessary staff.
  3. Determine if IT systems are available or need to be shut down.
  4. Redirect phones to vendor/answering service, or recorded announcement explaining the issue.
  5. If systems are available, instruct staff to work remotely if possible.
  6. If systems are not available, enable access to DR site in Reno.
  7. Implement the Communication Plan for members, providers, regulatory agencies and others as appropriate.
  8. Waive prior authorization requirements, if necessary, to ensure pharmacy, dental and medical services are provided to members.

Probability: Medium

Impact: High

Impact details

A critical system that is widely used throughout the organization (such as HEALTHsuite, Service Desk Plus or MedHOK) is unavailable for an extended period of time, which would affect business operations.

Actions

  1. If the system affected is on-premises at HPSM, IT provides a projection of how long the system will be unavailable.
  2. If the anticipated downtime is longer than 48 hours, enable access to DR site in Reno.
  3. If the system is a cloud/SaaS system, IT and/or the business owner works with the vendor to determine the possible duration of the outage.
  4. IT notifies Incident Commander.
  5. If the system is projected to be unavailable for more than three hours, the Incident Commander notifies department teams to activate downtime procedures.
  6. Business departments will operate according to their procedures until notified by the Incident Commander or department head that the system is available.
  7. Once the system is returned to service, any potential loss of data is identified.
  8. Data is restored from back-ups if needed.

Probability: Low

Impact: High

Impact details

Loss of critical data could significantly impact business operations, resulting either in lost time for restoration from back-ups or the need for manual reentry of data from paper (such as authorizations or claims) or reloading of data files (such as member enrollment data).

Actions

IT to notify Leadership about the data loss and whether a backup is available.

If a backup is available:

  • Determine the impact to staff, members and providers.
  • Compliance to notify regulatory agencies if required.
  • Strategize recovery efforts.
  • Communicate/coordinate recovery plan and length of downtime with leadership/staff.
  • Execute data recovery plan using most recent data backup.
  • Notify staff, regulatory agencies and partners that data has been restored.

If no backup is available:

  • Determine the impact to staff, members and providers.
  • Compliance to notify regulatory agencies if required.
  • Depending on type of data loss, determine if data can be restored or reloaded from membership files, claims files, authorization files or other information source.
  • Communicate/coordinate recovery plan and length of downtime with leadership/staff.
  • Execute data recovery plan based on type of data loss.
  • Notify staff, regulatory agencies and partners that data has been restored.

Probability: Low

Impact: Low

Impact details

HPSM utilizes cloud-based phone services so that, in the event of an emergency, the phone system and call center would not be impacted.

Actions

All HPSM phone services, including the call center, are now fully functioning cloud services, which will remain active in the event that other HPSM systems are impacted by a disaster and/or any man-made emergency.

Probability: Low

Impact: High

Impact details

Loss of utilities (such as power, potable water, adequate ventilation, etc.) at the HPSM office building has a direct impact on the ability of employees to safely and sufficiently perform their duties.

Actions

  1. Facilities and Engineering/Vendor to assess the problem and determine how long to expect the loss of utility.
  2. Facilities to notify Leadership of issue and estimated downtime. Mobilize Incident Command Center if necessary.
  3. Notification of utility outage will go to HPSM and County staff.
  4. Depending on the utility that is down, the appropriate vendor will be called to assist in restoration.
  5. Facilities and Engineering/Vendor to identify possible continuity options to help compensate for loss of utility service, if necessary.
  6. Once restored, Facilities and Engineering/Vendor will assess any additional damage.
  7. Facilities to notify Leadership and staff that utility service has been restored.

Probability: Low

Impact: High

Impact details

Loss of key staff due to illness, accident or natural disaster can have a detrimental impact on the functions and performance of HPSM. Key personnel are those in vital leadership roles, those with important institutional knowledge and those who perform critical operational functions.

Actions

  1. Identify key position impacted.
  2. Identify contingency personnel.
  3. Ensure contingency personnel have sufficient information to carry through on a limited basis.
  4. Enact Communication Plan as appropriate.

Probability: Low

Impact: High

Impact details

An incident, such as a pandemic or major transportation event, results in employees not being able to get to work and leaves HPSM with critically low staffing levels.

Actions

  1. Identify the minimum number of staff needed for each department to continue critical plan operations.
  2. Identify the critical operational tasks/functions that are required to continue health plan operations.
  3. Investigate technological solutions/assistance.
  4. Develop templates/instructions for the critical operations.
  5. Identify transferable staff available to send to critical areas.
  6. Deploy transferable staff as needed.
  7. Determine if staff levels require temporary plan closure.
  8. Enact the Communication Plan as appropriate.