As Hurricane Irma approaches, hospitals, medical professionals, and emergency medical personnel in the path of the storm are actively preparing for the storm’s arrival. Making sure that health information is available before, during and after the storm is a critical part of that preparation. U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) wants to make sure medical professionals and emergency personnel understand when the HIPAA regulations may apply to them – and when those regulations apply, how they can share individually identifiable (protected) health information (PHI) during emergency situations. The Privacy Rule is carefully designed to protect the privacy of health information while allowing important health care communications to occur. The HIPAA Security Rule’s requirements with respect to contingency planning also help HIPAA covered entities and business associates assure the confidentiality, integrity, and availability of electronic PHI (ePHI) during an emergency such as a natural disaster.
OCR makes available on its website an interactive decision tool designed to assist emergency preparedness and recovery planners in determining how to gain access to and use PHI consistent with the HIPAA Privacy Rule. The tool guides the user through a series of questions to find out how the Privacy Rule would apply in specific situations. By helping users focus on key Privacy Rule issues, the tool helps users appropriately obtain health information for their public safety activities. The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels. The Disclosures for Emergency Preparedness Decision Tool is available on the OCR website.
Covered entities and business associates should also look to recent guidance issued during Hurricane Harvey for more information on how the HIPAA Privacy Rule permits sharing of PHI in circumstances that arise during natural disasters. https://www.hhs.gov/sites/default/files/hurricane-harvey-hipaa-bulletin.pdf
The HIPAA Security Rule is not suspended during natural disasters or emergencies and specifically requires covered entities and business associates to implement strategies to protect ePHI during an emergency and assure ePHI can be accessed during and after an emergency. https://www.hhs.gov/hipaa/for-professionals/faq/2005/is-the-security-rule-under-hipaa-suspended-during-a-public-health-emergency/index.html
In particular, covered entities and business associates must have contingency plans that include or address the following elements:
1) Data Backup Plan (required);
2) Disaster Recovery Plan (required);
3) Emergency Mode Operation Plan (required);
4) Testing and Revision Procedures (addressable)*; and
5) Application and Data Criticality Analysis (addressable)*.
For further information, please see https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es (pages 19-22).
Please also view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.
*Addressable does not mean optional. Addressable means that covered entities (CEs) and business associates (BAs) must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.