OCR Reminds Covered Entities to Prepare for Public Health Emergencies

In addition to dealing with the devastating aftermath of Hurricane Harvey, hospitals in Texas and Louisiana had to ensure medical staff continue to comply with HIPAA Rules. When such natural disasters occur, new questions are raised how the implementation of the HIPAA Privacy Rule. OCR has taken the opportunity to remind covered entities of the need to prepare for public health emergencies. 

Hospital staff may be unsure on the Privacy Rule applies in such emergencies.  Under such special circumstances, questions have arisen about when they are permitted to share health information with patients’ friends and family, the media and the emergency services. In response to the confusion, the Department of Health and Human Services’ Office for Civil Rights have issued guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations. OCR hopes to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules while still providing a high standard of care.

Hospitals will soon have the opportunity to put these guidelines into practice as Hurricane Irma is expected to land soon, closely followed by hurricane Jose. Hospitals in other parts of the United States will have to cope with the storm and its aftermath and still comply with HIPAA Rules.

OCR has explained that the HIPAA Privacy Rule was designed to ensure that in emergency situations, healthcare organizations are able share individually identifiable health information while still protecting the privacy of the patients in their care. 

OCR also reconfirmed that even in emergency situations, the HIPAA Security Rule still applies. HIPAA-covered entities and business associates are required implement safeguards to ensure ePHI remains secured at all times. The Security Rule stipulates that, even in time of emergency, the confidentiality, integrity, and availability of ePHI is not placed in jeopardy. During and after an emergency, ePHI must be accessible, which means covered entities must plan for all eventualities to ensure patient health information can always be accessed. The HIPAA Security Rule – § 164.308(a)(7) – requires contingency plans to include a data backup plan, disaster recovery plan, and emergency mode operation plan.

The data backup plan must ensure retrievable, exact copies of electronic protected health information are created and maintained. The disaster recovery plan must ensure any data lost during a natural disaster or emergency can be recovered from backups and is never permanently lost. Covered entries are also required to ensure that data can be recovered quickly and efficiently when needed. During emergency mode, security processes to protect ePHI must be maintained, even during power outages and technical failures.

OCR reminded covered entities of two further addressable requirements: testing and revision procedures and application and data criticality analysis. Covered entities should periodically test their contingency plans and revise them as necessary to ensure they continue to be effective in an emergency situation. Covered entities should also identify software applications that store, maintain or transmit ePHI, and assess how important each is to business needs. Priorities must be set for data backup, emergency operations, and disaster recovery.

OCR has drawn attention to an interactive decision tool on the HHS website that has been developed to assist professionals in healthcare organisations prepare their disaster contingency plan. The website also contains information about HIPAA Rules and their  application in emergency situations. 

OCR explains, “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”