Last year, Harvey and Irma occurred during hurricane season. This year, Alberto just had different plans. Alberto couldn't wait to kick off hurricane season a little bit early. Thankfully there was enough time, and a reminder of "what if" scenarios, to ensure we were adequately prepared for Alberto's expected impact. 2017 was the costliest hurricane season ever, and now, with two Category 4 hurricanes, Aletta and Bud, in the eastern Pacific Ocean, it looks like we will be in for another active hurricane season.
In the next few sections, we will revisit OCR's guidance titled Navigating the Storm: HIPAA Compliance and Preparing for Irma. In addition, we will discuss how Healthcare Compliance Pros can help healthcare facilities and healthcare professionals be prepared in the event of a hurricane or other adverse weather conditions.
From a HIPAA Privacy perspective
In their guidance, OCR provides a link to their decision tool, designed to assist emergency preparedness and recovery planners in determining how to gain access to and use PHI consistent with the HIPAA Privacy Rule. Specifically, the decision tool asks a series of questions to find out how the Privacy Rule would apply in specific situations. For example, a disclosure may be needed to meet the needs of the elderly or persons with disabilities in the event of an evacuation. While under the HIPAA Privacy Rule covered entities need to disclose PHI for a variety of purposes, there may be special considerations, including sanctions being waived in the event a disaster is declared.
The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state, and federal levels. To utilize the Disclosures for Emergency Preparedness Decision Tool, click here.
HIPAA Security Rule considerations
According to OCR, the HIPAA Security Rule is not suspended during natural disasters or emergencies. It specifically requires covered entities and business associates to implement strategies to protect ePHI during an emergency and to ensure ePHI can be accessed during and after an emergency.
Under the HIPAA Security Rule, covered entities and business associates must have contingency plans that include or address the following elements:
- data backup plan (required);
- disaster recovery plan (required);
- emergency mode operation plan (required);
- testing and revision procedures (addressable); and
- application and data criticality analysis (addressable).
Tools to help you be prepared
Whether you require assistance with the HIPAA Privacy Rule or the HIPAA Security Rule, we have got you covered. Here are a few of the tools we can help you with:
- Disaster Recovery Plan (DRP): a custom DRP that meets HIPAA requirements and provides the steps to take in the event of an emergency in your organization. Your DRP can be updated and reviewed annually or as necessary, and is available for training your staff.
- Security Risk Analysis (SRA): an SRA is an ongoing process of continual improvement your organization should address to ensure the privacy and security of your patients' protected health information. Conducting and reviewing an SRA is one of the most important HIPAA Security Rule and MIPS requirements your organization will undertake.
- Threat Matrix: because this risk assessment is based on an "all-hazards" approach, focusing on capacities and capabilities, this tool can be used for both HIPAA and CMS Emergency Preparedness.
If you are located on the East Coast, use this weather tracker to keep an eye on the latest hurricanes and tropical storms, so that your facility is prepared before the weather shifts.
If you have any questions or would like more information about any of the tools above, please contact us today by phone: 855-427-0427 or by email: support@hcp.md.