What do Thanksgiving, HIE and Disaster Recovery Have in Common?

First, we want to wish all of our readers across the United States a very healthy and Happy Thanksgiving!

We also ask that you remember that this holiday, the Northeast is just emerging from the most devastating natural disaster to hit  our area – Superstorm Sandy. Some remain without electrical power, and others have had their homes and personal property destroyed. Others are even less fortunate. To all those who are affected directly or indirectly by this recent catastrophe, we extend our heartfelt empathy and hope that from the chaos there is hope for the future.

Superstorm Sandy also offers another opportunity to revisit how incredibly important it is for healthcare organizations to have in place an emergency mode operation plan (EMOP), which is in fact a required Implementation Specification under the HIPAA Security Rule.  Data Backup and Disaster Recovery are also required Implementation Specifications under the HIPAA Security Rule, and are vital to any healthcare organization being ready to continue providing critical healthcare services to patients during a disaster.  Here is a sample of our template HIPAA Administrative Security Policy for Contingency Plans.

In addition, disaster events like Superstorm Sandy highlight how networked health information exchange (HIE) can help support a healthcare organization’s EMOP. During Superstorm Sandy, NY Bellevue Hospital and NYU Langone Medical Center had to evacuate their facilities and transfer hundreds of patients to other facilities around the city. The challenge of attempting to keep patients’ critical medical information available, updated and linked to the correct patient – especially in the confusion and panic – is a tall order. However, as poignantly noted by New York eHealth Collaborative’s Executive Director, David Whitlinger, during a recent interview:

In disasters such as Sandy, having HIE is as important as having … fire hydrants.

We couldn’t agree more!

So, for instance, if the two New York hospitals were participants of the HIE network called SHIN-NY and other facilities to which patients were transferred were also participants of SHIN-NY, then the hospitals accepting the transferred patients could gain real-time access to critical patient information so that immediate and appropriate care can continue.

It is also worth noting that HIPAA supports information sharing in disasters, as do many state laws. In particular, after Hurricane Katrina, the Office for Civil Rights (OCR) released guidance as well as an emergency preparedness flowchart which emphasize that the Privacy Rule would not prohibit information being shared for disaster relief purposes. Indeed, under HIPAA, providers can share information during disaster relief activities in several ways, including for:

1. Treatment Purposes. HIPAA permits providers to share patient information as needed to provide the individual with treatment. This can include sharing information with other hospitals, clinics, and health care providers, referring patients to other providers where they have been relocated, and coordinating patient care with individuals such as emergency relief workers, or others that assist with finding appropriate health services for patients.

2. Public Health Activities. HIPAA permits providers to share patient information for public health activities, which may include disaster relief efforts. Disclosures of PHI may be made to “public health authorities,” which include agencies of federal or state government responsible for public health matters as part of their official mandates, or persons or entities acting under grant of authority or grant with such agency. Local health departments are also public health authorities. Disclosures may be made for the purpose of controlling or preventing disease, injury or disability, public health surveillance, public health investigations and public health interventions.

3. Averting Threat to Health or Safety. Providers may disclose PHI in order to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The provider must act in good faith and further limit the disclosure to only such person or persons “reasonably able to prevent or lessen the threat” or to law enforcement to identify or apprehend an individual.

4. National Security. Disclosures of PHI may be made for certain specialized government functions, in particular, intelligence, counter-intelligence and national security activities authorized by the NSA, as well as protection of the President and other authorized persons.

5. Facility Directories, Notice to Caregivers and Others. Providers may disclose PHI through facility directories and for notification purposes. PHI may be disclosed to individuals responsible for the care of the patient to the extent of such individual’s involvement in the patient’s care or payment of the patient’s care. This includes family, friends, guardians, and other individuals that may be identified. PHI may also be disclosed to notify or assist in notifying family, friends and other individuals of the patient’s general location, condition or death. Furthermore, disaster relief purposes are specifically carved out and made permissible in order for the provider to assist with and coordinate disaster relief efforts for notification purposes as described above. Disclosures may be made to a public or private entity authorized by law or its charter to assist with disaster relief. Finally, a provider may include a patient’s name, location and general condition on its facility directory so that people may inquire about the patient by name. For all of these disclosures, the individual must be provided with the opportunity to object, if practicable.

6. Disclosures to Business Associates. Finally, in general, business associates of a covered entity may use and disclose PHI in connection with the performance of services or functions for or on behalf of the covered entity subject to the terms and conditions of a HIPAA Business Associate Agreement. However, in disasters and other emergencies, certain disclosures of PHI may not fall within the permissible uses/disclosures set forth in the HIPAA BAA. As such, OCR released guidance that permits the HIPAA BAA to be amended to allow for such disclosures in response to the disaster or emergency situation.

Many states also have laws governing how information may be disclosed in an emergency situation.  To see an example of the types of laws New Jersey has on this topic, Continue Reading below. 

It is unfortunate that it often takes a disaster to remind us how vulnerable the healthcare industry can be. Many thanks to those who put their lives at risk and spent countless hours helping those in need during this difficult time after Superstorm Sandy. With a refocused effort on disaster mode planning and the promise that HIEs bring to help support healthcare organizations’ critical functions in the future, we are optimistic and thankful to all the people working tirelessly for a better future.

(Credit and thanks to Krystyna Monticello for researching and preparing New Jersey law summary)


Health care providers in New Jersey are governed by licensing and other regulations that affect how patient health and other information may be disclosed without authorization.  Depending on the applicable law, disclosure may not be permitted in general for treatment and other HIPAA permissible purposes without the patient’s approval, consent or written authorization, even in the context of a natural disaster or other emergency.  Therefore, unless permitted or otherwise required by law, disclosure will require some form of patient approval. 

For physicians and other providers governed by the Board of Medical Examiners, information may be exchanged with other licensed health care providers for treatment purposes.  Likewise, physicians must disclose patient information where required by law, such as public health reporting.[1]  Hospitals, however, may not generally disclose patient information for treatment purposes to third parties outside the facility without the patient’s approval.  They may disclose information, however, where transferring a patient to another facility or where the facility to which a patient was transferred requires the information, where required by law, and as required by the NJ Department of Health.[2] 

The State’s Emergency Operations Plan, Emergency Support Function #8, Health and Emergency Medical Annex, in part states that the New Jersey Emergency Support Function (NJESF) #8 will not disclose patient medical information due to state confidentiality laws.  However, it will provide appropriate information to the Red Cross for access by the public. In addition, it must be officially activated by the State Office of Emergency Management. 

While it does not specifically permit information sharing for treatment and coordination of care purposes, NJESF 8 states, “Health and medical information is exchanged through the local, county and State EOC's and liaison occurs at these facilities. The NJDHSS and the local health departments provide for health surveillance in the affected area.”  At the very least then, information may be exchanged among and flow through local, county and other designated health departments and emergency operations individuals.  Furthermore, where otherwise required by the Department of Health, information may also be disclosed.   

The New Jersey Civil Defense and Disaster Control Act, P.L.1942, c.251 (C.App.A:9-33 et seq.), requires any information to be disclosed to the Governor (or his or her designees) as reasonably necessary to carry out the powers granted to him by the Act. Furthermore, the Governor may make any order, rule or regulation governing medical corps, rescue squads, and other forces performing functions or duties in connection with emergency management. However, it does not specifically authorize the disclosure of information for disaster relief efforts to and among public health and other entities, or third parties conducting disaster relief activities.

The New Jersey Emergency Health Powers Act, N.J.S.A. 26:13-1 et seq., which addresses public health emergencies and the scope of power granted to the Department of Health, requires providers to report to the Department of Health and any local health official any persons who are suspected of or have any illness or health condition reasonably believed to be potential causes of a public health emergency. Disclosure of any information held by the Commissioner of Health is for very limited purposes unless the individual consents in writing to the disclosure, such as to local health departments for epidemiological investigation or containment countermeasures, to law enforcement agencies, and to determine death, among others. However, the Emergency Health Powers Act only addresses public health emergencies, and not natural disasters and other forms of emergencies which may require disclosure of patient information.


[1] N.J.A.C. 13:35-6.5(d).

[2] N.J.A.C. 8:43G-4.1(a)21.