The United States Office for Civil Rights (OCR) has issued guidance on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and Security Rule requirements during disaster situations. You can read the complete OCR guidance, with links to additional HIPAA resources, below.
September 7, 2017
NAVIGATING THE STORM: HIPAA COMPLIANCE AND PREPARING FOR IRMA
As Hurricane Irma approaches, hospitals, medical professionals and emergency medical personnel in the path of the storm are actively preparing for the storm’s arrival. Making sure that health information is available before, during and after the storm is a critical part of that preparation. OCR wants to make sure medical professionals and emergency personnel understand when the HIPAA regulations may apply to them – and when those regulations apply, how they can share individually identifiable (protected) health information (PHI) during emergency situations. The HIPAA Privacy Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur. The HIPAA Security Rule’s requirements with respect to contingency planning also help HIPAA covered entities and business associates assure the confidentiality, integrity and availability of electronic PHI (ePHI) during an emergency such as a natural disaster.
OCR makes available on its Web site an interactive decision tool designed to assist emergency preparedness and recovery planners in determining how to gain access to and use PHI consistent with the HIPAA Privacy Rule. The tool guides the user through a series of questions to find out how the Privacy Rule would apply in specific situations. By helping users focus on key Privacy Rule issues, the tool helps users appropriately obtain health information for their public safety activities. The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state, and federal levels. The Disclosures for Emergency Preparedness Decision Tool is available on the OCR Web site.
Covered entities and business associates should also look to recent guidance issued during Hurricane Harvey for more information on how the HIPAA Privacy Rule permits sharing of PHI in circumstances that arise during natural disasters. https://www.hhs.gov/sites/default/files/hurricane-harvey-hipaa-bulletin.pdf
The HIPAA Security Rule is not suspended during natural disasters or emergencies and specifically requires covered entities and business associates to implement strategies to protect ePHI during an emergency and assure ePHI can be accessed during and after an emergency. https://www.hhs.gov/hipaa/for-professionals/faq/2005/is-the-security-rule-under-hipaa-suspended-during-a-public-health-emergency/index.html
In particular, covered entities and business associates must have contingency plans that include or address the following elements:
1) data backup plan (required);
2) disaster recovery plan (required);
3) emergency mode operation plan (required);
4) testing and revision procedures (addressable); and
5) application and data criticality analysis (addressable).
For further information see: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es (pages 19-22).
Also see the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.