Adhering to HIPAA Throughout a Natural Disaster
September 8, 2017
We’re thinking of the victims, survivors, and first responders currently battling the recent and ongoing hurricane disasters. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reminders to consider in the event of a natural disaster like the ones many are currently facing.
First, there are some HIPAA Privacy Rules that are designed to protect the privacy of health information while allowing important health care communication to occur. Guidelines were recently issued during Hurricane Harvey to explain how the HIPAA Privacy Rules permit sharing of Protected Health Information (PHI) in circumstances that arise during natural disasters. For more information, see this bulletin from HHS.
Useful Tool
The OCR has an interactive decision tool on its website designed to assist emergency preparedness and recovery planners in determining how to gain access to and use PHI consistent with the HIPAA Privacy Rule. The Disclosures for Emergency Preparedness Decision Tool guides the user through a series of questions to find out how the Privacy Rule would apply in specific situations.
Second, the OCR has made clear that HIPAA Security Rules are NOT suspended during natural disasters. Indeed, the Security Rules require data back-up plans, disaster recovery plans and emergency mode operation plans. These requirements are not suspended during a natural disaster; instead, we are reminded that natural disasters are exactly why these rules were implemented and required. In addition to the required security rules mentioned, addressable elements include testing and revision procedures and application and data criticality analysis. For further information, reference pages 19-22 of Volume 2 / Paper 2 Security Standards: Administrative Safeguards of the HIPAA Security Series from HHS. Also, read this FAQ from HHS.gov on the same topic.
Even if you are not impacted by these two recent and ongoing natural disasters, take this opportunity to reassess your organization’s security policies and determine if you have all the “required” security rules in place. The recent Equifax data breach is a further reminder that anyone’s systems can be infiltrated. Therefore, performing routine assessments of your security protocols is strongly recommended.
If you wish to speak to an attorney about the HIPAA Privacy Rules or Security Rules, contact us, as we are happy to help.