Medical Centers and Hospitals were recently stretched before and after Hurricane Harvey, in Texas and Louisiana, as they sought to provide medical services without breaching HIPAA Rules.
Concern arose regarding when it is allowable to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights racted by issuing guidance to covered bodies on the HIPAA Privacy Rule and disclosures of patient health information in cases of emergency to assist healthcare groups protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document.
Following quickly after Hurricane Harvey comes hurricanes Irma and Jose. Hospitals in other parts of the USA will have to cope with the storm and its aftermath and still adhere to HIPAA Rules. OCR has taken the chance to remind covered groups of the need to ready themselves.
OCR has stated that the HIPAA Privacy Rule was carefully formulated to ensure that in emergency situations, healthcare organizations can safeguard the privacy of patients and still share individually identifiable health information.
OCR also stated that even in cases of emergency, the HIPAA Security Rule is not on hold and preparation for emergencies is very important. HIPAA-covered groups and business associates are required to put in place procedures to ensure ePHI remains secured at all times and the confidentiality, integrity, and availability of ePHI is not put in jeopardy. During and after an emergency, ePHI must be accessible, which means covered groups must plan for all possibilities to ensure patient health information can always be accessed.
OCR referred to the the HIPAA Security Rule – § 164.308(a)(7) – which requires contingency plans include a data backup plan, disaster recovery strategy, and emergency mode operation procedure. These are all required elements of the HIPAA Security Rule.
The data backup plan must ensure rescue-able, exact copies of electronic protected health data are created and controlled. The disaster recovery plan must ensure any information lost during a natural disaster or case of emergency can be recovered from backups. Procedures must be established, and implemented as necessary, to ensure data can be quickly rescued. During a period of emergency measures being in place, security processes to protect ePHI must be sustained, even during power outages and technical difficulties.
Additionally, there are two addressable obligationss: testing and revision processes and application and data criticality analysis. Covered groups should periodically test their contingency plans and review them as necessary to ensure they remain effective in a case of emergency. Covered groups should also identify software applications that store, control or transmit ePHI, and assess how important each is to business requirements. Priorities must be put in place for data backup, emergency operations, and disaster rescue.
OCR has pointed to an interactive decision tool on the HHS website that has been formulated to help healthcare groups ready themselves for the worst and find out how HIPAA Rules apply in cases of emergency. OCR commented, “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”
While these OCR reminders have been issued specifically to help covered groups prepare for when hurricane Irma makes landfall, even covered groups outside of the predicted emergency zone must ensure they are prepared for the worst case scenario.