Hurricane Irma - Important HIPAA Reminders

PUBLISHED: Sep 8, 2017
Relevant to: Ambulatory Care, Behavioral Health, Clinical Lab, Community Mental Health Centers, Critical Access Hospitals, Dialysis Facilities, Home Health, Hospice, Hospitals, Long Term Care, Medical Office, Pharmacy

As Hurricane Irma approaches, hospitals, medical professionals and emergency medical personnel in the path of the storm are actively preparing for the storm’s arrival. Making sure that health information is available before, during and after the storm is a critical part of that preparation. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is reminding health care providers of key components of HIPAA that are especially important in times of disaster.

The Privacy Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur. Requirements with respect to contingency planning also help HIPAA covered entities and business associates assure the confidentiality, integrity and availability of electronic PHI (ePHI) during an emergency such as a natural disaster.

On the OCR website is an interactive decision tool designed to assist emergency preparedness and recovery planners in determining how to gain access to and use PHI consistent with the HIPAA Privacy Rule. The tool guides the user through a series of questions to find out how the Privacy Rule would apply in specific situations. By helping users focus on key Privacy Rule issues, the tool helps users appropriately obtain health information for their public safety activities. The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels. A link to the Disclosures for Emergency Preparedness Decision Tool is provided below. Please see the StayAlert! Notice published on September 1, which reviews OCR guidance issued during Hurricane Harvey on how the HIPAA Privacy Rule permits sharing of PHI in circumstances that arise during natural disasters.

Health care organizations and providers are reminded that HIPAA is not suspended during natural disasters or emergencies and specifically requires covered entities and business associates to implement strategies to protect ePHI during an emergency and assure ePHI can be accessed during and after an emergency. In particular, covered entities and business associates must have contingency plans that include or address the following elements:

  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operation plan
  • Testing and revision procedures
  • Application and data criticality analysis

Included with today’s notice are example policies reflecting the above requirements.
