SERCH Project Recommendations for HIE and Disaster Preparedness

As Helen noted in her post on Thanksgiving, Superstorm Sandy re-emphasized the need for health care organizations to have plans in place for disaster preparedness, data backup and recovery. As New York and New Jersey rebuild, health care organizations are taking a closer look at what they can do to improve the availability of critical health care services for their patients, and in particular, the role of HIE in keeping patient information available.  

This past July, ONC released the results of a two-year effort by the Southeast Regional HIT-HIE Collaboration (SERCH) Project on Health Information Exchange in Disaster Preparedness and Response. The SERCH project began in November 2010 and included representatives from natural disaster-prone states such as Alabama, Arkansas, Florida, Georgia, Louisiana, and Texas. 

Supported by ONC, the SERCH Project was a state-led initiative aimed at identifying information-sharing challenges during natural disasters and developing strategic plans to incorporate HIE into disaster planning. The group developed an actionable plan to improve HIE capabilities in response to disasters, both during and in the aftermath, focusing particularly on interstate communication and information-sharing, and addressing legal and other barriers to the use and disclosure of patient information. 

Although limited primarily to the groundwork that needs to be covered prior to implementation of a fully-operational State HIE, the SERCH Project recommended five steps for any organization planning on sharing information through HIE to take to integrate HIE and disaster planning, especially where information-sharing could occur across state lines.

  1. Understanding the State’s disaster response policies and align with the State agency designated for Emergency Support Function #8 (Public Health and Medical Services) before a disaster occurs.
  2. Developing standard procedures approved by relevant public and private stakeholders to share electronic health information across State lines before a disaster occurs.
  3. Considering enactment of the Mutual Aid Memorandum of Understanding to establish a waiver of liability for the release of records when an emergency is declared and to default state privacy and security laws to existing Health Insurance Portability and Accountability Act (HIPAA) rules in a disaster. States should also consider using the Data Use and Reciprocal Support Agreement (DURSA) in order to address and/or expedite patient privacy, security, and health data-sharing concerns.
  4. Assessing the State’s availability of public and private health information sources and the ability to electronically share the data using HIE(s) and other health data-sharing entities.
  5. Considering a phased approach to establishing interstate electronic health information-sharing capabilities.

These recommendations can also be applied and implemented by individual HIE networks and organizations, not only at the state-level. 

A full copy of the whitepaper can be found on the Health IT website.  You can also find a summary of the report by Lee Stevens, Policy Director for the State HIE Program, as well as his blog post in 2011 on the Joplin Tornado and the role of EHRs at the Health IT Buzz

Last Call for Hospital Attestations

CMS is reminding hospitals that Friday, November 30, is the last day to register and submit their attestations for FY 2012 Meaningful Use incentive payments. Hospitals must attest to having successfully met all Meaningful Use requirements in order to be eligible for incentive payments.  

CMS has made available a 15 minute YouTube video that walks eligible hospitals and CAHs through the registration process. Additional resources are available on the CMS EHR Incentive Program website, including the Hospital Attestation Worksheet, Calculator and User Guide.  CMS has also released an HIT timeline with key deadlines in 2013 and 2014 for EPs and hospitals addressing both Stage 1 and Stage 2.  

State Medicaid deadlines for attestation may vary.  Hospitals participating in the New Jersey Medicaid EHR Incentive Program have until December 31, 2012 to attest for FY 2012, while EPs will have until March 31, 2013. 

What do Thanksgiving, HIE and Disaster Recovery Have in Common?

turkey2.pngFirst, we want to wish all of our readers across the United States a very healthy and Happy Thanksgiving! 

We also ask that you remember that this holiday, the Northeast is just emerging from the most devastating natural disaster to hit  our area – Superstorm Sandy. Some remain without electrical power, and others have had their homes and personal property destroyed. Others are even less fortunate. To all those who are affected directly or indirectly by this recent catastrophe, we extend our heartfelt empathy and hope that from the chaos there is hope for the future.

Superstorm Sandy also offers another opportunity to revisit how incredibly important it is for healthcare organizations to have in place an emergency mode operation plan (EMOP), which is in fact a required Implementation Specification under the HIPAA Security Rule.  Data Backup and Disaster Recovery are also required Implementation Specifications under the HIPAA Security Rule, and are vital to any healthcare organization being ready to continue providing critical healthcare services to patients during a disaster.  Here is a sample of our template HIPAA Administrative Security Policy for Contingency Plans.

In addition, disaster events like Superstorm Sandy highlight how networked health information exchange (HIE) can help support a healthcare organization’s EMOP.  During Superstorm Sandy, NY Bellevue Hospital and NYU Langone Medical Center had to evacuate their facilities and transfer hundreds of patients to other facilities around the city. The challenge of attempting to keep patients’ critical medical information available, updated and linked to the correct patient – especially in the confusion and panic – is a tall order. However, as poignantly noted by New York eHealth Collaborative’s Executive Director, David Whitlinger, during a recent interview

In disasters such as Sandy, having HIE is as important as having … fire hydrants.

We couldn’t agree more!

So, for instance, if the two New York hospitals were participants of the HIE network called SHIN-NY and other facilities to which patients were transferred were also participants of SHIN-NY, then the hospitals accepting the transferred patients could gain real-time access to critical patient information so that immediate and appropriate care can continue.

It is also worth noting that HIPAA supports information sharing in disasters, as do many state laws. In particular, after Hurricane Katrina, the Office for Civil Rights (OCR) released guidance as well as an emergency preparedness flowchart which emphasize that the Privacy Rule would not prohibit information being shared for disaster relief purposes. In indeed, under HIPAA providers can share information during disaster relief activities in several ways, including for: 

1. Treatment Purposes. HIPAA permits providers to share patient information as needed to provide the individual with treatment. This can include sharing information with other hospitals, clinics, and health care providers, referring patients to other providers where they have been relocated, and coordinating patient care with individuals such as emergency relief workers, or others that assist with finding appropriate health services for patients.

2. Public Health Activities. HIPAA permits providers to share patient information for public health activities, which may include disaster relief efforts. Disclosures of PHI may be made to ”public health authorities,” which include agencies of federal or state government responsible for public health matters as part of their official mandates, or persons or entities acting under grant of authority or grant with such agency. Local health departments are also public health authorities. Disclosures may be made for the purpose of controlling or preventing disease, injury or disability, public health surveillance, public health investigations and public health interventions.

3. Averting Threat to Health or Safety. Providers may disclose PHI in order to prevent or less a serious and imminent threat to the health or safety of a person or the public. The provider must act in good faith and further limit the disclosure to only such person or persons “reasonably able to prevent or lessen the threat” or to law enforcement to identify or apprehend an individual.

4. National Security. Disclosures of PHI may be made for certain specialized government functions, in particular, intelligence, counter-intelligence and national security activities authorized by the NSA, as well as protection of the President and other authorized persons.

5. Facility Directories, Notice to Caregivers and Others. Providers may disclose PHI through facility directories and for notification purposes. PHI may be disclosed to individuals responsible for the care of the patient to the extent of such individual’s involvement in the patient’s care or payment of the patient’s care. This includes family, friends, guardians, and other individuals that may be identified. PHI may also be disclosed to notify or assist in notifying family, friends and other individuals of the patient’s general location, condition or death. Furthermore, disaster relief purposes are specifically carved out and made permissible in order for the provider to assist with and coordinate disaster relief efforts for notification purposes as described above. Disclosures may be made to a public or private entity authorized by law or its charter to assist with disaster relief. Finally, a provider may include a patient’s name, location and general condition on its facility directory so that people may inquire about the patient by name. For all of these disclosures, the individual must be provided with the opportunity to object, if practicable.

6. Disclosures to Business Associates. Finally, in general, business associates of a covered entity may use and disclose PHI in connection with the performance of services or functions for or on behalf of the covered entity subject to the terms and conditions of a HIPAA Business Associate Agreement. However, in disasters and other emergencies, certain disclosures of PHI may not within the permissible uses/disclosures set forth in the HIPAA BAA. As such, OCR released guidance that permits the HIPAA BAA to be amended to allow for such disclosures in response to the disaster or emergency situation.

Many states also have laws governing how information may be disclosed in an emergency situation.  To see an example of the types of laws New Jersey has on this topic, Continue Reading below. 

It is unfortunate that it often takes a disaster to remind us how vulnerable the healthcare industry can be.  Many thanks to those who put their lives at risk and spent countless hours helping those in need during this difficult time after Superstorm Sandy. With a refocused effort on disaster mode planning and the promise that HIEs bring to help support healthcare organizations critical functions in the future, we are optimistic and thankful to all the people working tirelessly for a better future. 

Continue Reading