Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document.
Hot on the heels of Hurricane Harvey comes Hurricane Irma, closely followed by Hurricane Jose. Hospitals in other parts of the United States will have to cope with the storms and their aftermath while still complying with HIPAA Rules. OCR has taken the opportunity to remind covered entities of the need to prepare.
OCR has explained that the HIPAA Privacy Rule was carefully created to ensure that in emergency situations, healthcare organizations can protect the privacy of patients and still share individually identifiable health information.
OCR also reconfirmed that even in emergency situations, the HIPAA Security Rule is not suspended and preparation for emergencies is essential. HIPAA-covered entities and business associates are required to implement strategies to ensure ePHI remains secured at all times and the confidentiality, integrity, and availability of ePHI is not placed in jeopardy. During and after an emergency, ePHI must be accessible, which means covered entities must plan for all eventualities to ensure patient health information can always be accessed.
OCR explained that the HIPAA Security Rule – § 164.308(a)(7) – requires contingency plans to include a data backup plan, disaster recovery plan, and emergency mode operation plan. These are all required elements of the HIPAA Security Rule.
The data backup plan must ensure retrievable, exact copies of electronic protected health information are created and maintained. The disaster recovery plan must ensure any data lost during a natural disaster or emergency can be recovered from backups. Procedures must be established, and implemented as necessary, to ensure data can be quickly recovered. During emergency mode, security processes to protect ePHI must be maintained, even during power outages and technical failures.
Further, there are two addressable requirements: testing and revision procedures, and application and data criticality analysis. Covered entities should periodically test their contingency plans and revise them as necessary to ensure they remain effective in an emergency situation. Covered entities should also identify the software applications that store, maintain or transmit ePHI, and assess how critical each is to business needs. Priorities must then be set for data backup, emergency mode operations, and disaster recovery.
OCR has drawn attention to an interactive decision tool on the HHS website that has been developed to help healthcare organizations prepare for the worst and find out how HIPAA Rules apply in emergency situations. OCR explains, “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”
While the reminders have been issued specifically to help covered entities prepare for Hurricane Irma making landfall, even covered entities unlikely to be affected must ensure they are prepared for the worst.