At 6:45 on a Tuesday morning in September 2024, a home health agency in Connecticut discovered that their EHR platform was inaccessible — the first visible indicator of a ransomware attack that had been spreading through their systems since the previous Friday evening. At that moment, seventeen field nurses were preparing for morning visits. Three patients were scheduled for OASIS assessment visits that generated Medicare billing. One patient was receiving daily wound care that required the nurse to reference the physician's current order. And the clinical coordinator who normally dispatches nurses, verifies care plans, and handles urgent clinical questions could not access any patient records.
The agency had no documented downtime procedures. By 10am, three nurses had postponed visits because they could not confirm patient addresses from their personal phones. Two OASIS assessments were not completed on schedule. The wound care visit was completed by a nurse who called the patient's physician directly from her personal cell phone to verbally confirm the current order — a process that worked, but that is not a policy, not documented, and not reproducible at scale. Business continuity planning is not about preventing cyberattacks. It is about ensuring that when an attack occurs, patient care continues while the technical response unfolds.
The Five Components of a Complete Home Health Business Continuity Plan
Component 1: Clinical Downtime Procedures
Clinical downtime procedures are the most critical and most frequently missing component of home health business continuity plans. They define exactly how nurses continue to provide care when the EHR is unavailable. Every field nurse should carry — in their nursing bag, on a laminated card — the following minimum information that allows care to continue without EHR access:
- Their assigned patient roster for the day: patient names, home addresses, and scheduled visit times — printed each morning before leaving the office, or generated automatically by the scheduling system and sent to a personal device before the EHR goes down
- The current care plan summary for each patient: the primary diagnosis, the care goals, the active orders, and any special instructions — a one-page summary that a nurse can reference for routine visits without real-time EHR access
- Emergency contact information: the clinical supervisor's direct cell phone number, the on-call physician number, and the agency's downtime coordination number — not email addresses, not the general office line, direct phone numbers that function without internet
- Paper documentation forms: a standardised visit note form, a medication administration record template, and an unusual occurrence form that captures any clinical events requiring immediate physician notification
Component 2: Communication Protocols During an Incident
When the EHR goes down, three communication challenges emerge simultaneously: nurses in the field need to know what happened and what to do; clinical supervisors need to coordinate care across their caseloads without their normal tools; and families and physicians who contact the agency during the outage need to be informed appropriately without creating panic or undermining trust. Each of these communication streams needs a documented protocol:
- Field nurse notification: a text message broadcast through a personal communication channel (not work email) sent within 30 minutes of an EHR outage to all field staff, describing the situation and directing them to downtime procedures
- Clinical supervisor coordination: a phone tree that allows supervisors to reach their assigned nurses, confirm visit status, and identify any urgent clinical issues that require immediate escalation — without depending on any system that may be down
- External communication: a brief, factual statement for families and physicians that acknowledges the technical issue, confirms that patient care is continuing normally, and provides an alternative contact number for urgent clinical questions
Component 3: Backup Data Access for Clinical Decision Support
The EHR contains information that nurses need during visits beyond the basic care plan: current medication lists, recent vital sign trends, physician orders, and clinical alerts. A robust business continuity plan provides an alternative method for accessing this information during an EHR outage. Options include: a daily automated export of key clinical data to a secure, offline-accessible format; a secure portal that operates independently of the primary EHR and contains read-only access to critical patient information; or printed patient summary sheets updated daily and distributed to supervising nurses.
Component 4: Billing and Revenue Continuity
The billing backlog that accumulates during an EHR outage is the financial consequence that lasts longest after technical recovery is complete. A business continuity plan must address billing continuity: paper visit documentation that captures the data required for Medicare billing, a process for entering that documentation retroactively when systems are restored, and a review of Medicare claims filing deadlines for any episodes that fall during the outage period to confirm whether extensions are available or whether deadline management is required.
Component 5: Testing and Annual Review
A business continuity plan that has never been tested is a hypothesis, not a capability. The plan should be tested annually through a tabletop exercise that walks leadership through a realistic outage scenario — "It is Tuesday morning, the EHR has been unavailable since Saturday, and twenty nurses are preparing for morning visits. Walk me through exactly what happens." The exercise reveals gaps in the plan that would not be visible in a document review.
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.

