September 7, 2017
On September 7, 2017, as Hurricane Irma overwhelmed several islands in the Caribbean and approached the continental United States, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued its second bulletin in as many weeks addressing how HIPAA applies in emergency situations.
In that bulletin, OCR reminds HIPAA covered entities and business associates that the HIPAA Security Rule requires them to follow strategies to protect electronic protected health information (ePHI) during emergencies so that ePHI can be accessed both during and after the emergency situation. The Security Rule requires covered entities and business associates to create and maintain a contingency plan that can be implemented in the event of an emergency or natural disaster where information systems containing ePHI may be damaged. The contingency plan must include:
Covered entities and business associates also should periodically test and revise their contingency plans and determine which applications and data are most critical to support contingency plan operations.
The September 7 bulletin also reminds covered entities and business associates to review HHS’s interactive Emergency Preparedness Decision Tool, available here. This tool can assist emergency preparedness and recovery workers in accessing and using PHI consistent with the HIPAA Privacy Rule.
In an August 30 bulletin, OCR announced that HHS Secretary Tom Price had declared public health emergencies in Texas and Louisiana in the aftermath of Hurricane Harvey. Pursuant to these declarations, Secretary Price determined to waive sanctions against hospitals in those states for failing to comply with the following provisions of the HIPAA Privacy Rule:
The bulletin explains that the Secretary’s waiver is limited to the area and the time period identified in the emergency declaration, and to hospitals that have instituted a disaster protocol for up to 72 hours from institution of the disaster protocol.
Further information about HIPAA privacy and disclosures during emergencies is available here.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.