EHR systems go down. Cloud EHR vendors have outages. Network links fail. Ransomware encrypts servers. Regional fiber cuts disconnect multi-site practices. Planned maintenance slips. The 2024 Change Healthcare event, the CrowdStrike outage, and a steady stream of regional hospital ransomware attacks have made EHR downtime a near-certainty for any multi-year horizon. OIG audits and HIPAA Security Rule reviews increasingly focus on whether organizations have real, rehearsed, clinically usable downtime procedures — not shelf-ware binders.
The Regulatory Baseline: HIPAA Contingency Plan Standard
The HIPAA Security Rule Contingency Plan standard (§164.308(a)(7)) is where EHR downtime lives. It requires five implementation specifications, marked below as Required (R) or Addressable (A):
- Data Backup Plan (R) — retrievable exact copies of ePHI
- Disaster Recovery Plan (R) — procedures to restore data
- Emergency Mode Operation Plan (R) — procedures to continue critical business processes while operating in emergency mode
- Testing and Revision Procedures (A) — periodic testing and revision of plans
- Applications and Data Criticality Analysis (A) — assess relative criticality
The "Emergency Mode Operation Plan" is what most people call downtime procedures. The specification is listed as Required, not Addressable.
What the OIG Looks For
The Office of Inspector General's audits of hospital and health system contingency planning have surfaced consistent findings. When OIG reviews downtime readiness, its auditors look for:
- Written downtime procedures for each clinical and administrative workflow that depends on ePHI
- Role-specific quick-reference cards that a clinician can follow under stress
- Evidence the procedures have been exercised in the last 12 months
- A documented data-loss window (how much data may be lost between last sync and downtime)
- A documented downtime tolerance (how long can we operate in emergency mode before patient safety is at risk)
- Recovery procedures — not just operating during downtime, but reconciling data back into the EHR after restoration
The Workflows That Need Downtime Procedures
Start with every workflow that touches ePHI. For an ambulatory practice this typically includes:
- Patient check-in and registration
- Medication reconciliation and administration
- Order entry (labs, imaging, referrals, medications)
- Clinical documentation
- Lab and imaging results routing
- Prescription refills and e-prescribing
- Appointment scheduling and confirmation
- Patient communication and portal messaging
- Billing and claims submission
- Prior authorization
For each, answer: if the EHR is unavailable, how does this workflow continue? What paper form replaces the EHR screen? Who approves the form layout? Where are the forms stored? How does the data get back into the EHR on restoration?
Paper Forms Are Still the Answer
The reality most IT leaders resist: paper forms remain the most resilient downtime medium. They do not depend on the internet, power (for most of the process), or any vendor's uptime. Every clinical area should have a downtime box containing:
- Registration forms (face sheet, consent, HIPAA notice)
- Paper MAR (medication administration record)
- Order forms (lab, imaging, consult, medication)
- Progress note templates
- Prescription pads with DEA numbers for controlled substances
- Patient identification stickers or a manual labeling process
- Phone numbers for labs, imaging, pharmacy, referral contacts (laminated — the online directory is down)
- A downtime log to record every paper transaction for later EHR entry
Refresh the downtime box quarterly. Forms change. Providers leave. Phone numbers change. An out-of-date downtime box is worse than none — it gives false confidence.
The RPO / RTO Discussion Clinical Leadership Must Own
Recovery Point Objective (RPO) is the maximum acceptable data loss. Recovery Time Objective (RTO) is the maximum acceptable downtime. Both are clinical decisions disguised as IT decisions, and IT should never set them alone.
For a medication administration record, the clinically defensible RPO is often zero — losing the last 2 hours of MAR data creates double-dose risk. That drives backup frequency (synchronous replication, not nightly backups). For scheduling data, 24 hours of loss may be recoverable from patient confirmations. For billing, 24–72 hours is usually acceptable.
Document these decisions with clinical leadership's signature. Revisit annually.
Testing: The Gap Between Binder and Reality
Testing is where most contingency plans fall apart. The binder exists. The procedures were written two years ago. Nobody has done a live exercise. When the EHR actually goes down, clinicians improvise.
Two types of exercises are valuable:
- Tabletop (quarterly): scenario-driven discussion. "Cloud EHR is down for 8 hours on Tuesday morning. Walk me through your clinic's response." Identifies procedural gaps.
- Live drill (annually): pick a 2–4 hour window, formally declare downtime, run clinical operations on paper. High friction, high value. Reveals gaps tabletops cannot.
Live drills sound expensive until you compare them to the cost of an unplanned 8-hour outage without preparation.
Restoration: The Often-Missed Back Half
When the EHR comes back, paper data must be reconciled into the system. This is high-error territory — transcription mistakes, duplicate charges, missed medications. Your procedures should address:
- Who enters the paper data back in? (Often a dedicated backfill team, not the clinicians who treated the patients)
- How is paper-to-electronic reconciliation verified?
- Are paper records scanned into the EHR as the canonical record, or destroyed after data entry?
- How long do paper records get retained? (HIPAA's 6-year minimum applies)
Tie It to Business Associate Agreements
If your EHR is hosted by a vendor (which is most practices now), the vendor's contingency obligations should be in your Business Associate Agreement. Required elements include their RTO commitments, notification timelines during an outage, and their own testing cadence. If your BAA does not address contingency, amend it.
Specific Scenarios to Plan For
Generic "EHR is down" procedures leave gaps. Plan for specific scenarios that differ in what they affect:
- Cloud EHR internet outage: local systems work, but nothing reaches the EHR. Lab and imaging ordering may still function if those vendors have direct interfaces that do not route through the EHR.
- Cloud EHR vendor outage: internet works, but the EHR is down. Portal messaging, e-prescribing, and clinical documentation are all affected.
- Ransomware encryption event: EHR plus many internal systems down simultaneously. Worst case, longest duration.
- Partial outage (scheduling only, results routing only): some workflows work, others do not. Often the hardest to manage because clinicians may not realize which functions are affected.
- Regional power or fiber event: affects network connectivity but may leave cloud vendors unaffected. Cellular failover becomes essential.
- Security incident requiring intentional shutdown: when IR teams take systems offline to contain an incident. Planned but usually on short notice.
Each scenario has different recovery priorities and different clinical workflow impact. A mature downtime plan walks through each.
For a healthcare IT assessment that includes contingency planning review and tabletop facilitation, see our healthcare practice page or request a consultation. We build downtime procedures that clinicians actually reach for during an event.
About the Author
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
