Business Continuity Plan

Abstract

This paper will include creation of a business continuity plan for Red Circle that addresses any pre-incident changes the company can do to minimize and mitigate risk. The companies’ use and protection of sensitive data will be analyzed. The companies’ use and protection of member information will be analyzed. Discussion of the communication plan to be used during and following the disruption will be explained. Lastly steps on how the companies operations will be restored after the disruption will be discussed.

Business Continuity Plan Red Circle is a non-for-profit health insurance company located in Minnesota. Red Circle serves members in commercial and government lines of business. The company has three office campuses located in Eagan, Minnesota. These locations are within 1 mile of each other. The company also has a location about 4 hours north of these locations, which houses customer service operations and claims processing employees.
Pre-incident changes A well thought out and planned business continuity plan is a necessity to keep a business operational if a disaster should strike the company. Red Circle can be prepared for any disaster by having a business continuity plan in place with trained staff on how to implement the plan, if disaster or disruption occurs. Annually the business continuity plan should be reviewed for accuracy and updates. Since Red Circle is located in the Midwest region, which is prone to tornadoes, the company can implement monthly tornado drills at all of their buildings to ensure safety of employees. Two of the office buildings are located on the river and most of the building consists of windows, so evacuation of employees to a safe area within the buildings is essential for staff safety. Red Circle can have a mock disaster, and test employees on how well the business continuity plan is implemented. This exercise will be done on at least an annual basis. This practice exercise can identify where gaps are and can help to assist employees responsible to implement the business continuity plan to become familiar with all the required components. Red Circle can ensure that all corporate policies and procedures are up to date. Red Circle will continue to back up all their computer systems to the network eCloud on a continuous basis to ensure that information is always available and easily restorable. All of the Red Circle office buildings are older and have a higher risk for fires to occur. Red Circle will conduct monthly fire drills to ensure staff knows evacuation procedures to ensure staff safety. The company has an automatic telephone calling system in place for emergencies. Each employee signs up and creates an account as to how they want to be reached. For example the employee can choose his or her cell phone, home phone, personal email, or even a text message. This automatic calling system is activated if there are any business continuity issues, such as an inclement weather day or lack of heat or water in a particular building. The system will call all employees affected by the issue and specific instructions will be given. For example on an inclement weather day, the campus may be closed and the message will be that staff is not to report to work due to inclement weather. The automatic calling system should be tested at least annually so that staff are signed up appropriately for the notifications and understand how to receive the calls or text messages. Leadership staff should receive annual training on the business continuity plan and be accountable to ensure that the plan is updated on an annual basis. The business continuity plan needs to be not only accurate but staff needs to understand all components of the plan in order to successfully implement the plan. Any type of disruption to operations can be addressed in the business continuity plan. A business continuity plan should not be thought of as a disaster plan, but as a way to continue operations in an effective manner, should there be some kind of disruption for an extended period of time.
Ethical use and protection of sensitive data The sensitive data encountered at Red Circle includes operating polices and procedures, employee personnel records, and group contract information. This information has sensitive data and needs to be protected. All staff at Red Circle is required to participate in annual ethics training. This training includes protection of sensitive information. Staff attests to understanding ethics and the role it plays in his or her job function at Red Circle on an annual basis. Corporate policies and procedures are only available to staff. This material is accessed via a lotus notes database, which requires special access. All policies and procedures are read only materials and cannot be edited. Staff is training that these policies and procedures are confidential and propitial and should not be shared or discussed with anyone outside of the company. Staff personnel records are only viewable by select Human Resources staff. Red Circle no longer has paper employee records and this is now all in an electronic format. The company has programs in place to monitor access of personnel records. IT security tracks who accesses these records and how often. If there were concerns regarding accessing of personnel records IT security would contact an employee’s manager to discuss the details. Managers who keep paper employee files are required to keep these locked up in a file cabinet at all times. Keys cannot be accessible to anyone except for the manager. Important group contract information has limited access by employees and only the account manager has access to the contract. All emails that contain contract information will be encrypted. Staff are Red Circle receive confidentiality training on an annual basis and are required to attest to receiving the training. Training advises staff on how to handle important confidential group contract information. All sensitive data is backed up to the network eCloud system on a daily basis. This is done automatically at the end of the business day when the employee restarts his or her computer. Red Circle has built this into the scripting when an employee restarts his or her computer. All work done on the individual employees N drive on his or her computer is backed up immediately to the network Ecloud as soon as the information is saved. Red Circle has added the auto back up feature at the end of the day to ensure that back up of all information has occurred. IT staff test the integrity of the network ecloud on a monthly basis to ensure that data is being backed up and stored appropriately. After a major disruption since data is already backed up and stored on the network eCloud there would not be any difficulties to recover data, because the data should always be available. Red Circle tests the back up of data on a monthly basis to ensure that data that is sent to the network eCloud is the same as the data stored in the N drive on the individual’s computer. The network ecloud storage is at an offsite facility and would not be affected if there were a disruption to any of the Red Circle buildings.
Ethical use and protection of customer records At Red Circle customer records could be member specific information, such as name, address, phone number, and medical records. This information would be considered personal and protected health information. Such information is protected under Health Insurance Portability and Accountability Act (HIPPA). HIPPA protects the privacy of an individual’s identifiable health information (U.S. Department of Health & Human Services, 2014). HIPPA is very important in a health insurance company where providers submit information in for medical necessity review for items such as wheelchairs or a surgical procedure. At times the clinical review team has left personal health information (PHI) unattended on a fax machine, which is a direct HIPPA violation. Red Circle has an option called print to me, where the employee prints documents to a queue and then the employee enters a code at the printer to retrieve the items printed. This process will ensure that Red Circle is HIPPA compliant. Prior to employment at Red Circle all employees undergo an extensive background study to identify any potential issues. Staff receives annual HIPPA training and must attest to receiving this training. Red Circle limits access to their employee group. Since Red Circle is a health insurance company, many employees have health insurance coverage through Red Circle. Strict guidelines are in place as to who can obtain access to employee group information. Only a limited amount of staff has access to employee group information. IT security monitor how often employee records are accessed in the mainframe system and then determine if it was necessary to access that information. Managers become involved if there is a reason to believe one of his or her employees accessed another employee’s record inappropriately. Red Circle has strict termination policies in place for inappropriate access of information. Red Circle has a need to know policy. Only information should be accessed if the information is needed. Staff receives training on what information can be accessed and or requested if further information is needed to be obtained. Member specific information is also obtained in customer services in the mainframe system and in the claims system. This information contains personal information such as name, address, and phone number and needs to be protected. Staff receives annual training on how to handle personal sensitive information and attest to receiving this training. Staff activity in all computer systems is tracked. High profile member accounts are monitored by IT via reports to track who has accessed and when. Reports are ran monthly to capture the number of times an account was accessed to identify if accounts are being accessed inappropriately.
All sensitive data is backed up to the network eCloud system on a daily basis. This is done automatically at the end of the business day when the employee restarts his or her computer. Red Circle has built this into the scripting when an employee restarts his or her computer. All work done on the individual employees N drive on his or her computer is backed up immediately to the network Ecloud as soon as the information is saved. Updated data is available in real-time so all areas of the business are synched with the same information. Red Circle has added the auto back up feature at the end of the day to ensure that back up of all information has occurred. IT staff test the integrity of the network ecloud on a monthly basis to ensure that data is being backed up and stored appropriately. After a major disruption since data is already backed up and stored on the network eCloud there would not be any difficulties to recover data, because the data should always be available. Red Circle tests the back up of data on a monthly basis to ensure that data that is sent to the network eCloud is the same as the data stored in the N drive on the individual’s computer. The network ecloud storage is at an offsite facility and would not be affected if there were a disruption to any of the Red Circle buildings.
Communication plan Red Circle has both internal and external stakeholders. These stakeholders include employees, members, government agencies, and board of directors. Red Circle has many employees who report to work on a daily basis. Red Circle serves over 2 million members nationwide with their health insurance. If a disaster would occur Red Circle would need to communicate to employees and members. In the health insurance industry the members are the customers. For employees Red Circle already has an automatic calling system in place for if the business continuity plans is put into place. An employee chooses how he or she wants to me notified. Some employees choose an email, or a phone call, or even a text message. The automatic system will call each employee until the employee is able to verify he or she received the message. When the employee answers the phone call and then presses a key after the call the system will verify the message was received. This will allow the automatic system to not call the employee anymore, unless another update is done. This automatic system is very efficient and calls a high volume of people at the same time. The person initiating the calls leaves message and this message is then relayed to all staff. If the automatic phone calling system does not work then the back up plan would be for each Manager to call each of their employees directly and to relay any message. Each Manager is required to have a phone calling tree with all employees phone numbers should this back up plan need to be initiated. The manager keeps this document with him or her at all times and has it available for after hour emergencies. For external customers such as the Red Circle members the communication plan would be to post a message on the Red Circle Internet homepage with specific details of what the disruption is and any interim back up plans in place. A public relations media release will be given. This will then be uploaded to the Internet homepage and will go out to the local news stations. This will be the best way for the communication of the disruption to get out to external stakeholders. Red Circle also has a dedicated phone number for employees dedicated for business continuity updates. This phone number can be called 24 hours per day for message updates. This phone number is on the back of an employees ID badge. If Red Circle is unable to answer customer and provider service phone numbers the company can leave a voice mail message on their incoming phone lines numbers informing members and providers what the disruption in service is and what the alternatives are. All members who have an active email address on file with the company could be sent an email with the disruption issue and any backup plans. A distribution list is already built and updated on a regular basis so it would be very easy to send an email regarding a disruption to all members and other business contacts that had an email address on file with the company.
Restoring operations after the disruption Red Circle has three locations within a 2-mile radius in Eagan, MN. Should one of the buildings sustain a total loss the first step would be to initiate the business continuity plan. This plan would switch operations done in an affected building to another building. The first building houses human resources, all corporate operations and IT services. The second building houses all customer service staff. The third building houses all network and clinical operations staff. Temporary space could be setup in each building to house essential staff from the displaced building. Building facilities would be responsible to contact the corporate insurance company and have an insurance adjuster come to the affected building and access the damage, in order to file a claim. Bids would be done with several construction companies to start re-building or fixing the existing building. Red Circle has some properties that they own but lease out in the same area. Consideration would be made if one of those buildings could be used temporarily to re-locate staff. Red Circle has extra computer workstations available that can be setup in other locations. Each department determines as part of their business continuity plan essential job functions that would need to continue if a disruption occurs. These numbers are reported and taken into consideration as part of the amount of space that would need to be available if a building would be destroyed by a tornado. For example is the building with clinical staff would become destroyed, the continuity plan in place organizes work by priority. The clinical area is highly regulated by turn around times. On average when a member or provider submits a request for a service or item, Red Circle has 10 business days to make a decision. This work takes priority over processing of claims, which can have a time line of up to 30 days. Each clinical area would be given designated space in an alternate building to perform essential job functions. All forms are available in paper form, should the IT network be unavailable. Work could be done on paper and entered into the computer system at a later time. Some staff with remote access maybe can work from home remotely and sign into the network, if that is available, therefore the lack of space is not an issue and work can continue. Since Red Circle stores and backs up all date in their network eCloud there should not be an issue with the data being restored. The eCloud is stored securely at another location and should not be affected if one building is destroyed by a tornado. The biggest issue will be computer workstations for all staff and the space to accommodate everyone displaced. All staff could access the Red Circle network from home with remote access. This access can be requested and approved within 24 hours. An employee would use his or her own personal computer to access the Red Circle network remotely. Access would be available to most applications available in the office. This function would allow Red Circle to be up and functional in a short period of time after a natural disaster. All vendors or suppliers that come to the building would need to be contacted and informed to put all deliveries on hold. Members rarely go to any of the Red Circle buildings so as along as phone operations were function there would be little impact to members. Employees would continue to be updated on the status of the building and plans for the future. Each Manager is responsible once the business continuity plan is initiated to contact his or her own employees with department specific instructions. All incoming mail comes to post office boxes so mail would not need to be forwarded by the Post Office, as this could be handled internally by the companies internal mailroom. When a long-term rebuilding plan is in place, Red Circle would need to relay this message to all members, employees, government organizations, and contracts. This message could be relayed via email and or by posting a media release on the Red Circle Internet homepage. In conclusion a business continuity plan is a necessity for Red Circle to ensure that operations can continue after a disaster or disruption occurs. Profits can be maintained by having continued operations. A well thought out and planned business continuity plan with regular review for updates is very important. Staff needs ongoing training to ensure he or she can deliver on his or her portion of the business continuity plan. With the strong business continuity plan in place at Red Circle, their operations can continue with little loss of production and therefore should be no gap to members. Employees should be able to continue working and being productive.

References
U.S. Department of Health & Human Services. (2014). Health Information Privacy. Retrieved on May 11, 2014 from http://www.hhs.gov/ocr/privacy/

Business Continuity Plan

Similar Documents

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Business Continuity Plan

Bcp - Business Continuity Plan

Business Continuity and Recover Plan

Business Continuity Plan Memo

Assignment 2 Business Continuity Plan

Business Continuity Plan (BCP): Business Analysis

Popular Essays