With the approach of spring, yet another concern can be added to that of HIM departments:
PHI + Natural Disasters = Trouble
Reports of flooding, tornadoes, severe storms, and hurricanes seem to pop up more frequently as the spring season nears, and healthcare facilities and hospitals must have a disaster response plan for their PHI when these incidents occur. What does this mean for your facility? Are you located in a region that is often the victim of natural disasters? Does your facility have systems and protocols set in place in the event that a disaster does occur? How, if it all, can you be prepared for this type of unfortunate event?
These can all be daunting questions to think about, but nonetheless questions that must be addressed within every healthcare facility.
One major area of concern that needs to be addressed when considering the possibility of a natural disaster is how to protect PHI and stay compliant with HIPAA when a catastrophe strikes. Acts of god do not except covered entities from HIPAA.
The HIPAA Privacy Rule permits the disclosure of PHI in order to 1) treat patients; 2) identify, locate and notify family members, guardians, or anyone else responsible for an individuals care; 3) obtain the services of disaster relief agencies; 4) conduct public health activities; and 5) prevent or lessen serious and imminent threats to health or safety. The Secretary of HHS may waive sanctions and penalties arising from certain provisions of the Privacy Rule if the President declares an emergency or disaster and the Secretary declares a public health emergency.
This is exactly what happened when Hurricane Sandy hit. On October 30, 2012, President Obama declared a major disaster in New York and New Jersey. On October 31, 2012, HHS Secretary Sebelius declared a public emergency and authorized waivers and modifications under Section 1135 of the Social Security Act for New York and New Jersey.
Section 1135 waives sanctions and penalties arising from noncompliance with the following HIPAA provisions: 1) the requirement to obtain a patients agreement to speak with family members or friends or to honor a patients request to opt-out of the facility directory; 2) the requirement to distribute a notice of privacy practices; 3) the patients right to request privacy restrictions or confidential communications. Section 1135 waivers are limited to the designated area of emergency and only during the emergency period, which is limited to a 72 hour period.
The Security Rule
However, while provisions of the Privacy Rule may be waived in times of emergency, HHS does state that the Security Rule is not suspended during a national or public health emergency. Covered Entities are required to implement security measures that specifically contemplate emergency conditions. This means covered entities must have contingency plans to establish policies and procedures for responding to an emergency or other occurrence (natural disaster).
The Centers for Medicare and Medicaid Services (CMS) offers seven steps as guidance for creating a contingency plan: 1) assess your situation, 2) identify risks, 3) formulate an action plan, 4) decide if and when to activate your plan, 5) communicate the plan, 6) test your plan, and 7) treat your contingency plan as an evolving process. A disaster recovery plan should also be included within your contingency plan, which ensures that electronic PHI is backed up regularly and can be restored should any disaster occur.
Disclosures During an Emergency
Luckily, HHS also provides some guidelines for disclosures before and during emergencies. They even created a flowchart as a tool to assist providers during a public health emergency (You can view the chart here: Flowchart Decision Tool). These questions may help to provide extra guidance during a time of crisis.
So, what are the most important things to remember when it comes to PHI and natural disasters?
- Always be prepared - It is much easier to deal with a disaster if certain safeguards have already been set in place.
- Make sure you have a contingency plan - This is not only a suggestion but a requirement by HIPAA. It needs to continually be updated as your systems change.
- Has a state of disaster/emergency been declared? - If this state has been declared, you may be able to make disclosures under the privacy rule that would otherwise not be permitted.
- The Security Rule is never suspended - security measures must be planned for and implemented during any disaster or emergency.
Hopefully, some of these suggestions will help your organization be better prepared in case a disaster does strike. However, let's hope that one never does!
- Christiana Thomson, Director of Business Development