OCR Tells Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Hospitals in Louisiana and Texas needed to make sure medical services were provided throughout Hurricane Harvey and in its immediate aftermath, without breaking the HIPAA Rules. Questions were raised about when patient data may be shared with the patient’s family, emergency services and the media, and how the Privacy Rule applies in emergency situations. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and the sharing of patient health data during emergencies, to help healthcare providers safeguard patient privacy and avoid breaking the HIPAA Rules. Permitted disclosures are described in this PDF file.

After Hurricane Harvey come Hurricane Irma and then Hurricane Jose. Hospitals in many areas of the U.S. need to deal with the storms and their consequences while still adhering to the HIPAA Rules. OCR reminded covered entities that they need to prepare, and stated that the HIPAA Privacy Rule was carefully constructed so that in emergency scenarios healthcare providers can safeguard patient privacy while still sharing individually identifiable health data where permitted.

OCR likewise reconfirmed that the HIPAA Security Rule is not suspended during emergencies and that preparing for disasters is essential. HIPAA-covered entities and business associates need to follow procedures that keep ePHI secure at all times, so that the confidentiality, integrity and availability of ePHI are not put at risk. ePHI must remain accessible during an emergency, which means covered entities need to plan for all situations so that patient health data are always available.

OCR pointed to the HIPAA Security Rule requirement at § 164.308(a)(7) that contingency plans include a data backup plan, an emergency mode operation plan and a disaster recovery plan. All three are required components under the HIPAA Security Rule.

The data backup plan must create and maintain retrievable, exact copies of ePHI. The disaster recovery plan must ensure that any data lost in a natural disaster or other emergency can be restored from those backup copies; procedures should be established, and executed when required, so that data can be restored promptly. While operating in emergency mode, the security procedures that safeguard ePHI must be maintained, even during power failures and technical problems.

Additionally, there are two addressable implementation specifications: 1. testing and revision procedures and 2. application and data criticality analysis. Covered entities must regularly test their contingency plans and revise them as required to make sure they are effective in emergency circumstances. Covered entities must also identify the software applications that store, manage or transmit ePHI, and evaluate how critical each is to meeting business needs. Priorities should then be established for data backup, emergency operations and disaster recovery.

OCR also promoted an interactive decision tool on the HHS website, developed to help healthcare organizations prepare for the worst and determine how the HIPAA Rules apply in emergency situations.

Although the reminders were issued specifically to guide covered entities preparing for the arrival of Hurricane Irma, covered entities that are not affected should also be prepared for worst-case situations.