As healthcare organizations prepare for potential natural disasters, it is essential that they have contingency plans in place that include a data backup plan and disaster recovery plan, according to a recent OCR release.
Hurricane Irma is predicted to cause damage in the US when it makes landfall in early September 2017, and covered entities and business associates should prepare for the storm’s arrival, the agency stressed. The HIPAA Privacy Rule and Security Rule are not suspended during natural disasters, and organizations need to ensure they are adhering to the federal regulations.
“The Privacy Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur,” OCR stated. “The HIPAA Security Rule’s requirements with respect to contingency planning also help HIPAA covered entities and business associates assure the confidentiality, integrity and availability of electronic PHI (ePHI) during an emergency such as a natural disaster.”
A data backup plan, a disaster recovery plan, and an emergency mode operation plan are required elements under the Security Rule, the release explained. Testing and revision procedures, along with application and data criticality analysis, are addressable requirements.
Organizations need to ensure that ePHI remains protected during emergencies, but ePHI also needs to be accessible during and after an emergency, OCR said.
“Covered entities must have contingency plans that establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI,” HHS states on its website.
For example, a hospital could have ePHI stored in a backup network or in the cloud. That way, if the hospital becomes flooded because of a hurricane and computers cannot be used, the data could still be accessed from another location to properly care for patients.
The OCR release also discussed proper PHI access in emergencies, as dictated by the HIPAA Privacy Rule. OCR has an interactive decision tool available on its website, which can help recovery planners determine how to access PHI while still adhering to the Privacy Rule.
“By helping users focus on key Privacy Rule issues, the tool helps users appropriately obtain health information for their public safety activities,” OCR stated. “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”
HHS released a bulletin on proper PHI access and how it can be shared in emergencies toward the end of August 2017, following Hurricane Harvey. Patient information can be shared in disaster relief efforts and to help ensure patients receive necessary care, the agency maintained.
“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures,” the bulletin said. “Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
The HHS Secretary also declared a limited waiver of HIPAA sanctions and penalties, which can occur during a declared emergency. The following provisions can be waived when that occurs:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient's right to request privacy restrictions
- The patient's right to request confidential communications
In emergencies, public health authorities and other entities responsible for ensuring public health and safety – such as the Centers for Disease Control and Prevention or a state health department – can also have PHI access so they can continue to carry out their public health mission.
“Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct,” the Rule states. “Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.”
Patient PHI can also be shared in the following situations:
- For patient treatment
- Disclosing information to family, friends, or other caregivers
- Imminent danger
- Disclosing information to the media
Business associates may also make disclosures on behalf of a covered entity to the extent that is allowed under their business associate agreement.
Organizations must still adhere to the “minimum necessary” requirement, which requires that a covered entity make reasonable efforts to limit the information disclosed to only what is truly needed.