Storms, Emergency Preparedness & HIPAA

On June 1, 2018 the Atlantic hurricane season begins, as it has on that date for decades.[1] Over time the season's end date has changed, but the beginning has remained the same, marking the period when concerns that should always be present should increase and preparations should receive greater consideration. For Louisiana and the Gulf Coast states it is a period that has seen devastating problems, including loss of life and massive property damage, e.g. Isidore, Lili, Matthew, Katrina, Harvey and other storms.[2] The extensive effects of these events included the loss of medical facilities and operational medical structures for an extended period of time.[3]

The HIPAA Privacy & Security Regulations include, among many other requirements, the mandate to protect health information, e.g. the Security Rule's required standard to “…Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.”[4] This required standard is not “addressable” or optional.[5] Additionally, there is a continuing requirement under the same regulations to determine potential risks through a “Risk Analysis”, specifically stated as “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”[6] It is necessary to have policies in place on how such risk assessments will be implemented, as well as on the methods of implementation and the results. Once the results of assessments are known, there must be efforts to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level”.[7] Since 2013 this same requirement has applied to business associates (BA), i.e. entities handling protected health information for covered entities (CE) such as physicians.[8]

In the past there have been similar requirements for physicians accepting incentives under the government program for conversion to electronic health records (EHR). These requirements have continued under the recent Quality Payment Program for “Eligible Clinicians”, started in January 2017. Risk protections are required, e.g. in the Merit-Based Incentive Payment System (MIPS) reporting area of Advancing Care Information (ACI). This section specifies that professionals must secure, as a required objective, “Protected Health Information (PHI)” by conducting a “…comprehensive risk analysis to identify security vulnerabilities, document improvements and justify why certain improvements were not made.”[9]

Clearly there is a historic potential for risk to medical information protected under federal regulations from hurricanes and related storms. Such damage can therefore be “reasonably anticipated”.[10] Other damaging events across the country, e.g. fires and tornadoes, can also be anticipated and should receive the same consideration. The risk evaluations and necessary appropriate actions should be ongoing, but these activities take on even more significance in this season.

All medical practices should update their risk evaluations and other disaster mitigation plans as soon as possible. Other general government HIPAA disaster preparedness planning information is available from the Department of Health & Human Services (HHS).[11]

Kenneth E. Rhea, MD, FASHRM

Education Note: This publication is suitable for ongoing HIPAA education, which is currently required by the HIPAA privacy and security regulations.

[1] Dorst N. When is Hurricane Season? National Oceanic & Atmospheric Administration (NOAA). Site: Pub. April 3, 2018. Accessed April 3, 2018.

[2] Roth D. Louisiana Hurricane History. National Weather Service. Site: Pub. Updated January 13, 2010. Accessed June 4, 2015.

[3] Rudowitz R. et al. Healthcare in New Orleans Before & After Katrina. Health Affairs. Site: Pub. November 28, 2006. Accessed June 4, 2015.

[4] US Dept Health & Human Services Office of Civil Rights. HIPAA Administrative Simplification Regulation Text. Site: Pub. March 26, 2013. Accessed November 4, 2013. Pgs 63 & 64.

[5] Ibid., p. 64.

[6] Ibid.

[7] Ibid.

[8] Federal Register. Omnibus Final Rule. Government Printing. Published January 25, 2013. Vol. 78, No. 17. Accessed June 4, 2015.

[9] Goedert J. Risk analysis could trip providers up under MACRA. Health Data Management. Site: Pub. November 2, 2016. Accessed April 2, 2018.

[10] US Dept Health & Human Services Office of Civil Rights. HIPAA Administrative Simplification Regulation Text. Site: Pub. March 26, 2013. Accessed November 4, 2013. Pgs 63 & 64.

[11] HHS. Disclosures for Emergency Preparedness. Health Information Privacy. Site: Accessed April 4, 2018.