OCR Warns Covered Entities to Prepare for Natural Disasters

Hospitals and medical centers in Texas and Louisiana have been stretched by Hurricane Harvey and are trying to keep providing medical services without breaching HIPAA Rules.

Questions arose about when it is permissible to share health information with patients’ friends and family, the media and the emergency services, and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergencies, to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. The guidance summarizes the disclosures that are permitted.

Hurricanes Irma and Jose followed quickly after Hurricane Harvey. Hospitals in other parts of the USA will have to cope with these natural disasters and their aftermath while still adhering to HIPAA Rules. OCR has taken the opportunity to remind covered entities that they need to be prepared.

OCR has stated that the HIPAA Privacy Rule was carefully formulated to ensure that, in emergency situations, healthcare organizations can share individually identifiable health information while still safeguarding patient privacy.

OCR also stated that the HIPAA Security Rule is not suspended during an emergency, and that preparing for emergencies is essential. HIPAA-covered entities and business associates are required to put in place procedures that keep ePHI secured at all times, so that the confidentiality, integrity, and availability of ePHI are not put in jeopardy. ePHI must remain accessible during and after an emergency, which means covered entities must plan for all contingencies to ensure patient health information can always be accessed.

OCR referred to the HIPAA Security Rule – § 164.308(a)(7) – which requires that contingency plans include a data backup plan, a disaster recovery plan, and an emergency mode operation plan. All three are required implementation specifications of the HIPAA Security Rule.

The data backup plan must ensure that retrievable, exact copies of electronic protected health information are created and maintained. The disaster recovery plan must ensure that any data lost during a natural disaster or other emergency can be restored from those backups. Emergency mode operation procedures must be established, and implemented as necessary, so that critical business processes protecting the security of ePHI can continue while operating in emergency mode. While emergency measures are in place, the security processes that protect ePHI must be sustained, even through power outages and technical difficulties.

Additionally, there are two addressable implementation specifications: testing and revision procedures, and an applications and data criticality analysis. Covered entities should periodically test their contingency plans and revise them as necessary to ensure they remain effective in an emergency. Covered entities should also identify the software applications that store, maintain or transmit ePHI, and assess how critical each is to business requirements. Those priorities then drive the order in which data backups, emergency operations, and disaster recovery are carried out.
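The backup and testing requirements above are easy to state and easy to get wrong in practice: a copy that exists but no longer matches the original, or that cannot actually be restored, satisfies neither "exact" nor "retrievable". The following script is an added example, written for this page rather than taken from OCR, HHS or any vendor. It backs up a directory of records, writes a SHA-256 manifest alongside the copies, verifies the copies against that manifest, and performs a restore drill into a scratch directory. The directory layout, manifest filename and the sample records it creates are assumptions made for illustration; the records are constructed and contain no real PHI.

```python
"""Backup integrity check and restore drill for a store of ePHI records.

Added example, not code from OCR or HHS. Illustrates two contingency-plan
elements: keeping retrievable, exact copies (data backup plan) and
periodically testing that they restore (testing and revision procedures).
The layout, manifest name and sample data are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed manifest filename kept beside the copies


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup: Path) -> dict[str, str]:
    """Copy every file under source into backup and record each file's SHA-256.

    The manifest is what later lets us prove the copy is still "exact"."""
    backup.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, str] = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = backup / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        manifest[rel] = sha256_file(src)
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path) -> list[str]:
    """Return problems found (missing or corrupted copies); empty means intact."""
    manifest = json.loads((backup / MANIFEST).read_text())
    problems: list[str] = []
    for rel, expected in manifest.items():
        copy = backup / rel
        if not copy.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(copy) != expected:
            problems.append(f"corrupted: {rel}")
    return problems


def restore_drill(backup: Path) -> bool:
    """Restore into a scratch directory and re-hash the result.

    A backup that verifies but cannot be restored is not "retrievable"."""
    manifest = json.loads((backup / MANIFEST).read_text())
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "restore"
        for rel in manifest:
            dst = target / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup / rel, dst)
        return all(sha256_file(target / rel) == digest
                   for rel, digest in manifest.items())


def demo() -> tuple[list[str], bool, list[str]]:
    """Build a constructed sample store, back it up, verify and drill,
    then corrupt one copy and verify again to show the check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "ehr"
        backup = Path(tmp) / "backup"
        (source / "patients").mkdir(parents=True)
        # Constructed sample records for the example; not real PHI.
        (source / "patients" / "p001.json").write_text(
            '{"mrn": "000001", "name": "Sample Patient"}')
        (source / "patients" / "p002.json").write_text(
            '{"mrn": "000002", "name": "Another Sample"}')

        create_backup(source, backup)
        clean = verify_backup(backup)          # expected: no problems
        restorable = restore_drill(backup)     # expected: True

        # Simulate silent damage to one copy (bit rot, truncated write).
        (backup / "patients" / "p002.json").write_bytes(b"")
        after = verify_backup(backup)          # expected: one corrupted entry
        return clean, restorable, after


if __name__ == "__main__":
    print(demo())
```

Run it as a scheduled job against the real backup location and treat any non-empty result from verify_backup, or a False from restore_drill, as an incident: both mean the "exact, retrievable copy" the plan promises does not currently exist. Hashing the source at backup time rather than hashing the copy is deliberate, since a manifest computed from an already-damaged copy would verify perfectly.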

OCR has also pointed to an interactive decision tool on the HHS website, developed to help healthcare organizations prepare for the worst and work out how HIPAA Rules apply in emergencies. OCR commented, “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”

While these OCR reminders were issued specifically to help covered entities prepare for Hurricane Irma making landfall, covered entities outside the predicted emergency zone must also ensure they are prepared for natural disasters and other emergencies.

Author: Maria Perez