Following Governor Rick Scott's State of Emergency Declaration, I anxiously watched the news and tracked Hurricane Irma's progress. I wondered if there was a chance Hurricane Irma would turn harmlessly to sea. Once it was evident our state would be impacted, time was of the essence. We knew we needed to be prepared in the event Hurricane Irma reached our coast.
We quickly reviewed our family's emergency preparedness plan and verified our hurricane readiness plan was ready. Boards and clips were ready for our windows, and sandbags were accessible if needed. And like most other Floridians, we made sure our gas tank was full so that if gas stations ran out (which they did), we would be ready to evacuate if necessary.
Similarly, it is important for healthcare facilities, medical professionals, and emergency medical personnel to be ready; and thankfully there were. According to guidance recently published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) hospitals, medical professionals, and emergency medical personnel actively prepared for the storm's arrival.
In the next few sections we will touch on the OCR's guidance titled Navigating the Storm: HIPAA Compliance and Preparing for Irma. In addition, we will discuss how Healthcare Compliance Pros can help healthcare facilities and healthcare professionals do to be prepared in the event of a hurricane or other adverse weather conditions.
From a HIPAA Privacy perspective
In their guidance, the OCR provides a link to their decision tool designed to assist emergency preparedness and recovery planners in determining how to gain access to and use PHI consistent with the HIPAA Privacy Rule. Specifically, the decision tool asks a series of questions to find out how the Privacy Rule would apply in specific situations. For example, a disclosure may be needed to meet the needs of the elderly or persons with disability in the event of an evacuation. While under the HIPAA Privacy Rule covered entities need to disclose PHI for a variety of purposes, there may be special considerations, including sanctions being waved in the event a disaster is declared.
The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels. To utilize the Disclosures for Emergency Preparedness Decision Tool, click here.
HIPAA Security Rule considerations
According to OCR, the HIPAA Security Rule is not suspended during natural disasters or emergencies and specifically requires covered entities and business associates to implement strategies to protect ePHI during an emergency and assure ePHI can be accessed during and after an emergency.
Under the HIPAA Security Rule, covered entities and business associates must have contingency plans that include or address the following elements:
- data backup plan (required);
- disaster recovery plan (required);
- emergency mode operation plan (required);
- testing and revision procedures (addressable); and
- application and data criticality analysis (addressable).
Tools to help you be prepared
Whether you require assistance with HIPAA Privacy Rule or the HIPAA Security Rule, we have got you covered. Here are a few of tools of the tools we can help you with:
- Disaster Recovery Plan (DRP) a custom DRP that meets HIPAA requirements and provides the steps to take in the event of an emergency in your organization. Your DRP can be updated and reviewed annually or as necessary and is available for training by your staff.
- Security Risk Analysis (SRA) A SRA is an ongoing process of continual improvements your organization should address to ensure the privacy and security of your patients' protected health information. Conducting and reviewing a SRA is one of the most important HIPAA Security Rule and MIPS requirements your organization will undertake.
- Threat Matrix because this risk assessment is based on an "all hazards" approach, focusing on capacities and capabilities, this tool can be used for both HIPAA and CMS Emergency Preparedness
Impacted by Harvey or Irma
If your practice or organization was impacted by one of the recent Hurricanes, we would like to help. For non-clients we would like to offer you a free Disaster Recovery Plan template you may use. For clients, we would like to add the Disaster Recovery Plan module to your account free of charge. Contact us today by phone: 855-427-0427 or by email: support@hcp.md
About the Author
Chad Schiffman is the Director of Research & Development with Healthcare Compliance Pros. Chad's background includes over 15 years combined experience in Healthcare, Information Technology and Customer Service. Chad holds degrees in the areas of Medical Specialties and Healthcare Administration, and a master's degree in Healthcare Informatics.