Complying with the Privacy Rule during a Disaster. Part 2: An Overview of Interim Management

by Aviva M. Halpert, MA, RHIA, CHPS

An HIM department’s disaster management plan is an iterative process with four identifiable phases that cycle continuously: plan development, back-up, recovery, and interim management. The first part of this series in the April 2008 issue provided an overview of plan development, data back-up, and recovery during a disaster. This article picks up where the April article left off, outlining how healthcare organizations should deal with management and privacy-related aspects of this special management topic.

Interim Management

Organizations must maintain certain functionality when a disaster occurs, regardless of its severity. The initial challenge during a disaster—whether it is man-made or natural, local or extensive—is to provide continuity of care. In order to do this, organizations must first enable the provision of immediate care.

Next, organizations must document the care that was provided and ensure data are accessible for continuity of care. Lastly, organizations must enable access to existing documentation of previous care. This process can be challenged by the unavoidable fact that disasters are characterized by insufficient time, staff, supplies, utilities, and communication, all of which are prerequisites of a well-oiled HIM system.1

Once basic functionality is restored, the HIPAA requirements must be addressed with proper planning and care. The aspects of the privacy rule that apply during this interim period include managing a patient directory, controlling use and disclosure of protected health information (PHI), managing business associates within the constraints of a business associate agreement, ensuring the physical security of the PHI, and creating the appropriate documentation that will enable patients to access their designated record set and request amendments and even a rudimentary accounting of disclosures.

A key requirement of the privacy rule concerns directory information. The rule provides for disclosure of directory information (name, location, and condition) for all patients unless they opt out in favor of greater privacy. Guidance from the Office for Civil Rights (OCR) states that unless there is compelling evidence otherwise, organizations can assume that patients wish to be included in the directory even if they are not able to indicate that directly. In a disaster setting this certainly may be assumed to be true for all patients.2,3

The OCR guidance provides that in an emergency situation, PHI may be shared without authorization with disaster relief organizations that are authorized by law or chartered to assist in disaster relief efforts, even though such agencies are not covered entities and are not bound by any redisclosure constraints. Such sharing enables victim identification and ultimately the reuniting of families and other social groups.4

Information may be shared with a family member or guardian as necessary to identify or locate a patient or to notify them of his or her location, general condition, or death.5

Use and Disclosure

The privacy rule permits use or disclosure of PHI for treatment, payment, and operations without patient authorization. Even where a stricter state law pre-empts HIPAA and requires authorization prior to disclosing PHI for treatment, any PHI necessary for treatment may be shared in an emergency without authorization.

If a patient has a personal representative, PHI may be shared with that individual as if he or she were the patient. In the absence of a personal representative the minimal amount of information necessary may be shared with an individual caring for a patient to the extent that it is necessary to provide such care.6

Disclosure of PHI may be made to any individual directly involved in assisting the patient in making payments or resolving a payment issue, including a relative, a friend, or even a public official, provided that there is indication that the patient has requested the individual to intercede or it is in the patient’s best interest to do so.7

A business associate acting on behalf of a covered entity may disclose PHI to the extent permitted in its business associate agreement. The associate may also subcontract with an agent who may function in accordance with the terms of the signed agreement provided that the business associate ensures that the agent agrees to the provisions of the agreement. An agreement must be drawn up and signed to attest to this.8

Although covered entities are still obliged to protect the confidentiality of PHI to the extent possible, OCR outlines additional permissible uses and disclosures in various bulletins. These bulletins are intended to prevent inappropriate use and disclosure and to limit access to the minimum necessary to accomplish the task at hand, while still meeting the exigencies of a disaster.

According to OCR, PHI may be shared without authorization to prevent serious harm to the patient or to the public while the disaster is ongoing.9 During the disaster the covered entity and its business associate may amend the agreement to the extent necessary.10

For the purpose of providing or enabling care, health plans and providers may share prescriptions or other PHI with providers at shelters.11 If a provider is not able to formalize a business associate agreement due to the grave nature of a disaster, disclosure may be made for care or identification purposes as if the agreement were executed, provided that an agreement is executed as soon as practically possible.12

OCR provides a decision tool on its Web site to assist in determining when PHI may be disclosed during a disaster.13

Evaluation of the Plan

After the critical phase has passed, attention will turn to management of the data that were created during the crisis. It is critical to perform an “autopsy” of the documentation process and conditions in order to facilitate the ultimate return to normalcy.

This data autopsy should include all decisions made regarding management of data, what documentation was created, what systems, if any, were used, and the scope of the emergency measures implemented, including the timeframe within which the disaster occurred, the number of patients treated, and to the extent possible, staffing schedules.

Based on feasibility and a risk-versus-benefit decision-making process laid out in the disaster plan, the following decisions should be made:

  • Whether to integrate or segregate documentation created during the disaster based on the anticipated ease of future access to the patients’ designated record sets
  • Whether resources should be allocated to flesh out documentation of demographics, diagnoses, signatures, or discharge summaries

Performance should then be carefully evaluated in the context of compliance with the original plan to ascertain:

  • The lessons that can be learned. Questions to ask include: Were there any drawbacks? What additional actions would be needed to make the plan work? Was there a failure to follow the plan, and if so, why?
  • Corrective action that may be needed for the future. Does the plan need to be rewritten? Do the back-up provisions need to be improved or extended? Is the data management plan realistic (does the decision to integrate or segregate disaster data mesh with reality)?

Finally, based on the conclusions reached, the organization should develop procedures for testing and revising contingency plans.14

With careful planning and objective evaluation and re-evaluation it is possible to make the best of whatever disaster occurs. Clearly, saving life or limb trumps privacy, but not even disasters justify wanton disregard of patient privacy rights. If it is possible to preserve only a shred of privacy, that shred should be preserved to provide the patient whatever dignity possible.


  1. Murphy, James C. “Disaster Recovery in Healthcare Organizations: The Impact of HIPAA Security.” SANS Institute, 2004.
  2. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Public Law 104-191. 45 CFR 164.510(b)(3).
  3. US Department of Health and Human Services, Office for Civil Rights. “HIPAA Privacy Rule Compliance Guidance and Enforcement Statement for Activities in Response to Hurricane Katrina.” Hurricane Katrina Bulletin #2, September 2, 2005.
  4. Ibid.
  5. Ibid.
  6. HIPAA 45 CFR 164.510(b).
  7. Office for Civil Rights. FAQ #1067, March 14, 2006. Available online at
  8. HIPAA 45 CFR 164.504(d)(2)(ii)(D).
  9. US Department of Health and Human Services, Office for Civil Rights. “HIPAA Privacy Rule Compliance Guidance.”
  10. Ibid.
  11. Ibid.
  12. Ibid.
  13. Office for Civil Rights. “HIPAA Privacy Rule: Disclosures for Emergency Preparedness—A Decision Tool.” Available online at
  14. HIPAA 45 CFR 164.308(a)(7)(ii)(D).


Aviva Halpert is chief HIPAA officer at Mount Sinai Medical Center in Flushing, NY.

Article citation:
Halpert, Aviva M. "Complying with the Privacy Rule during a Disaster. Part 2: An Overview of Interim Management." Journal of AHIMA 79, no. 5 (May 2008): 58-59.