When people think of the HIPAA Security Rule many think about protecting the privacy / confidentiality of patient information. Privacy is a major part of HIPAA security but also ensuring the availability of patient information is equally important. Let’s take a look at the HIPAA Security General Rules:
§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must
do the following:
(1) Ensure the confidentiality, integrity, and
availability of all electronic protected health
information the covered entity creates, receives,
maintains, or transmits.
Under most normal circumstances there is not much to worry about regarding the availability of patient data. As long as your EMR is up and running you don’t normally worry about accessing patient information. But natural disasters such as hurricanes, tornadoes, etc. show why ensuring the availability of patient information is so important.
When we perform HIPAA Risk Assessments we find that many organizations do not have disaster recovery or emergency operations procedures. And once again under normal circumstances disaster recovery and emergency operations procedures are usually not a major concern.
But when disasters hit like Hurricane Sandy did several weeks ago, organizations without emergency operations procedures and disaster recovery plans find themselves scrambling to provide care for their patients. Electronic data and EMRs are crippled when there is no power to run or access the data. Availability to patient records is not possible. Providing care to patients without access to their records puts the patient’s health in jeopardy.
During the height of Hurricane Sandy’s assault on New York City, New York University Langone Medical Center had to evacuate patients when they lost power and their backup generators failed. Patients were transferred to other hospitals in the city. Patients had to be transferred without patient records or history of procedures, medication, etc. In an interview I heard that doctors had to go with patients or some of the other hospitals would not accept the patients. The other hospitals were concerned that they did not know what procedures the patients had or what medicines the patients were allergic to.
Planning for a disaster
Disasters don’t happen very often but when they do, organizations that have disaster recovery plans and emergency operations procedures in place will be able to provide the best care for their patients. Planning for disasters can be as complex as replicating data from an EMR to cloud based services or as simple as printing out records of patients that have been seen in the past week. The key is to determine how critical the patient information is and what level of disaster planning is required. For example an intensive care unit of a hospital would require much more detailed emergency operations procedures than a dermatology office.
Regardless of the criticality of patient information, every healthcare organization should have disaster recovery and emergency operations procedures.
Photo: NASA/Handout/Getty Images
A very good follow-up article by Katherine Rourke that mentions our blog.