October 18, 2017

October 17, 2017


October 16, 2017


In the Wake of Harvey and Irma, OCR Reminds Providers of HIPAA Rules

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.  OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

During Hurricane Harvey, OCR published a bulletin discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health care providers that HHS may waive sanctions and penalties against a covered hospital for not complying with certain Privacy Rule requirements (e.g., obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care) during an emergency. However, the waiver is limited to certain hospitals located within an emergency area and applies only for a specific period of time. More importantly, OCR noted in the bulletin that the Privacy Rule still applies to covered entities and their business associates during such emergencies, but the Privacy Rule does allow the disclosure of PHI without the patient’s consent for the patient’s treatment or public health activities. Covered entities may also share PHI with a patient’s family or friends identified by the patient as being involved in their care, but OCR recommends that the covered entities obtain verbal permission or otherwise confirm that the patient does not object to sharing the information with these individuals.

Similarly, OCR reminded covered entities and business associates that the HIPAA Security Rule is not suspended during a natural disaster or emergency. On the contrary, the Security Rule actually imposes additional requirements during emergencies to ensure that electronic PHI is available during and after the emergency.  Specifically, covered entities and their business associates must have contingency plans that include plans for data back-up, disaster recovery, and emergency mode operation. 

Health care providers must remain vigilant that patient information is not compromised and that it remains secure and accessible at all times. Covered entities and their business associates should carefully review their policies and procedures to make sure that they can respond appropriately to such events.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Sarah Beth S. Kuyers, Mintz Levin
Associate

Sarah Beth’s practice focuses on advising health care providers, PBMs, and laboratories on a variety of regulatory issues.

Prior to joining Mintz Levin, Sarah Beth worked as a law clerk with the health staff of the US Senate Committee on Finance, where she researched policy, regulations, and legislation regarding commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act. She also drafted legislation.

In addition, Sarah Beth worked as a law clerk for a legal practice in Washington, DC. Her...

202.434.7453