First, we want to wish all of our readers across the United States a very healthy and Happy Thanksgiving!
We also ask that you remember that this holiday, the Northeast is just emerging from the most devastating natural disaster to hit our area – Superstorm Sandy. Some remain without electrical power, and others have had their homes and personal property destroyed. Others are even less fortunate. To all those who are affected directly or indirectly by this recent catastrophe, we extend our heartfelt empathy and hope that from the chaos there is hope for the future.
Superstorm Sandy also offers another opportunity to revisit how incredibly important it is for healthcare organizations to have in place an emergency mode operation plan (EMOP), which is in fact a required Implementation Specification under the HIPAA Security Rule. Data Backup and Disaster Recovery are also required Implementation Specifications under the HIPAA Security Rule, and are vital to any healthcare organization being ready to continue providing critical healthcare services to patients during a disaster. Here is a sample of our template HIPAA Administrative Security Policy for Contingency Plans.
In addition, disaster events like Superstorm Sandy highlight how networked health information exchange (HIE) can help support a healthcare organization’s EMOP. During Superstorm Sandy, NY Bellevue Hospital and NYU Langone Medical Center had to evacuate their facilities and transfer hundreds of patients to other facilities around the city. The challenge of attempting to keep patients’ critical medical information available, updated and linked to the correct patient – especially in the confusion and panic – is a tall order. However, as poignantly noted by New York eHealth Collaborative’s Executive Director, David Whitlinger, during a recent interview:
In disasters such as Sandy, having HIE is as important as having … fire hydrants.
We couldn’t agree more!
So, for instance, if the two New York hospitals were participants of the HIE network called SHIN-NY and other facilities to which patients were transferred were also participants of SHIN-NY, then the hospitals accepting the transferred patients could gain real-time access to critical patient information so that immediate and appropriate care can continue.
It is also worth noting that HIPAA supports information sharing in disasters, as do many state laws. In particular, after Hurricane Katrina, the Office for Civil Rights (OCR) released guidance as well as an emergency preparedness flowchart which emphasize that the Privacy Rule would not prohibit information being shared for disaster relief purposes. Indeed, under HIPAA, providers can share information during disaster relief activities in several ways, including for:
1. Treatment Purposes. HIPAA permits providers to share patient information as needed to provide the individual with treatment. This can include sharing information with other hospitals, clinics, and health care providers, referring patients to other providers where they have been relocated, and coordinating patient care with individuals such as emergency relief workers, or others that assist with finding appropriate health services for patients.
2. Public Health Activities. HIPAA permits providers to share patient information for public health activities, which may include disaster relief efforts. Disclosures of PHI may be made to “public health authorities,” which include agencies of federal or state government responsible for public health matters as part of their official mandates, or persons or entities acting under grant of authority or grant with such agency. Local health departments are also public health authorities. Disclosures may be made for the purpose of controlling or preventing disease, injury or disability, public health surveillance, public health investigations and public health interventions.
3. Averting Threat to Health or Safety. Providers may disclose PHI in order to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The provider must act in good faith and further limit the disclosure to only such person or persons “reasonably able to prevent or lessen the threat” or to law enforcement to identify or apprehend an individual.
4. National Security. Disclosures of PHI may be made for certain specialized government functions, in particular, intelligence, counter-intelligence and national security activities authorized by the NSA, as well as protection of the President and other authorized persons.
5. Facility Directories, Notice to Caregivers and Others. Providers may disclose PHI through facility directories and for notification purposes. PHI may be disclosed to individuals responsible for the care of the patient to the extent of such individual’s involvement in the patient’s care or payment of the patient’s care. This includes family, friends, guardians, and other individuals that may be identified. PHI may also be disclosed to notify or assist in notifying family, friends and other individuals of the patient’s general location, condition or death. Furthermore, disaster relief purposes are specifically carved out and made permissible in order for the provider to assist with and coordinate disaster relief efforts for notification purposes as described above. Disclosures may be made to a public or private entity authorized by law or its charter to assist with disaster relief. Finally, a provider may include a patient’s name, location and general condition on its facility directory so that people may inquire about the patient by name. For all of these disclosures, the individual must be provided with the opportunity to object, if practicable.
6. Disclosures to Business Associates. Finally, in general, business associates of a covered entity may use and disclose PHI in connection with the performance of services or functions for or on behalf of the covered entity subject to the terms and conditions of a HIPAA Business Associate Agreement. However, in disasters and other emergencies, certain disclosures of PHI may not fall within the permissible uses/disclosures set forth in the HIPAA BAA. As such, OCR released guidance that permits the HIPAA BAA to be amended to allow for such disclosures in response to the disaster or emergency situation.
Many states also have laws governing how information may be disclosed in an emergency situation.
It is unfortunate that it often takes a disaster to remind us how vulnerable the healthcare industry can be. Many thanks to those who put their lives at risk and spent countless hours helping those in need during this difficult time after Superstorm Sandy. With a refocused effort on disaster mode planning and the promise that HIEs bring to help support healthcare organizations’ critical functions in the future, we are optimistic and thankful to all the people working tirelessly for a better future.