Most healthcare organizations focus their downtime planning on one question: how do we keep caring for patients while the system is down? That is the right priority. But there is a second question that matters just as much, and it tends to get less attention: what records are we required to keep during and after the event?
The answer has real consequences. Organizations that fail to properly document a downtime event can face HIPAA enforcement actions, accreditation findings, insurance complications, and internal audit failures. And yet, in many hospitals, post-downtime documentation is ad hoc at best.
This post breaks down what healthcare organizations are actually required to document during an EHR downtime event, what best practices look like for post-event records, and how dbtech’s Downtime Solution makes much of this documentation automatic.
Why Downtime Documentation Is a Compliance Issue, Not Just an Operational One
The HIPAA Security Rule’s Contingency Planning standard (45 CFR §164.308(a)(7)) requires covered entities to maintain procedures for responding to EHR outages in a way that protects electronic protected health information (ePHI). That requirement does not pause during a downtime event. Organizations must demonstrate that they maintained data security protocols throughout the incident and can account for what happened to patient information while systems were offline.
The documentation requirement extends beyond the outage itself. Post-event records are reviewed during OCR audits, Joint Commission surveys, and internal compliance reviews. If an organization cannot show a clear record of what occurred, who was affected, and how information was handled, it faces significant exposure.
What You Are Required to Document During the Event
Outage Log
From the moment a downtime event is declared, the organization should maintain a running log that captures:
- The date and time the outage began
- The systems affected (EHR only, network-wide, specific modules)
- The initial cause, if known
- Names and roles of staff who were notified
- Actions taken to respond, with timestamps
- The date and time the system was restored
This log serves as the official record of the incident and will be requested in the event of any regulatory review or insurance claim.
Patient Care Documentation
Clinical staff must continue to document patient care during a downtime event. The documentation must be:
- Legible and clearly dated and timed
- Attributed to the individual providing care (name, role, credentials)
- Specific enough to reconstruct the patient encounter if needed
- Stored securely in a way that protects ePHI
Paper-based documentation during downtime creates problems with all four of these requirements. Handwriting is often illegible, timestamps are inconsistently applied, and paper forms can be misplaced or damaged. An electronic downtime solution eliminates these risks.
New Patient Registrations
Patients who are registered during a downtime event need a complete record of their encounter, including:
- Demographic information
- Insurance and identification documentation
- Assigned downtime medical record number or encounter number
- Forms completed and signatures captured
All of this information must eventually be reconciled back into the EHR. Organizations that rely on paper for this process frequently discover missing or incomplete records during reconciliation.
Data Security Records
HIPAA does not disappear during an outage. Access to patient information during a downtime event must still be controlled, logged, and restricted to authorized personnel. Your documentation should reflect who accessed patient data during the event, from which workstation, and at what time. dbtech’s HIPAA-compliant downtime workstations provide discrete login and password access, creating an automatic audit trail that satisfies this requirement without any additional administrative work.
What You Are Required to Document After the Event
Incident Report
Every downtime event should produce a formal incident report that includes:
- A summary of the root cause
- The systems and departments affected
- Patient populations impacted
- Steps taken during recovery
- Any data loss or compromise identified
- Actions taken to prevent recurrence
If the downtime was caused by or resulted in a data breach, additional breach notification requirements under HIPAA may apply. Organizations should consult legal counsel to determine whether notification to HHS or affected patients is required.
Recovery Documentation
The reconciliation of data captured during downtime back into the EHR must also be documented. This includes:
- Confirmation that all patient encounters created during downtime were transferred to the EHR
- Verification of data accuracy post-transfer
- Resolution of any discrepancies identified during reconciliation
With manual paper-based processes, this reconciliation is time-consuming and error-prone. With dbtech’s Rapid Recovery feature, data is automatically exported back to the EHR via HL7 upon system restoration, and the transfer is logged electronically.
Testing and Drill Records
HIPAA and the ONC SAFER guidelines both require that contingency plans be tested regularly. Records of your downtime drills, including dates, participating departments, outcomes, and identified gaps, must be retained as evidence of compliance. For more on how frequently to run those drills, see our companion guide: How Often Should You Test Your Downtime Procedures?
How dbtech Makes Downtime Documentation Automatic
The documentation requirements above are significant. Meeting them manually. especially in the middle of an active downtime event, is genuinely difficult. That is why dbtech’s Downtime Solution is designed to capture and organize the records your organization needs automatically:
- Patient data accessed during downtime is logged with user credentials and timestamps
- New encounters are documented electronically, not on paper
- eForms are completed and signed digitally, creating structured records that do not require manual re-entry
- Rapid Recovery exports all downtime data back to the EHR upon restoration, with a documented transfer record
- Downtime workstations operate offline if necessary, maintaining access without compromising security controls
Implement dbtech’s Downtime Solution
Downtime documentation is not optional. It is a compliance obligation that protects your organization, your staff, and your patients. Healthcare organizations that treat it as an afterthought are the ones that struggle when an auditor, insurer, or regulator comes asking questions.
dbtech’s Downtime Solution builds documentation into the fabric of your downtime response, so you are not scrambling to reconstruct records after the fact. Take our free Downtime Audit Assessment to find out where your current documentation processes stand, or contact our team to see how dbtech works in your environment.