My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who focuses on HIPAA, PHI, cyber security, PCI compliance, PII, eCommerce, and related complex contract negotiations and litigation. Eric has received the Certified Information Privacy Professional (CIPP-US) designation from the International Association of Privacy Professionals (“IAPP”).
It is beyond dispute that Hurricanes Harvey and Irma caused catastrophic levels of property damage to individuals and businesses in Texas, Florida and the rest of the Gulf Coast. In the midst of this devastation, however, the HHS Office for Civil Rights (OCR) recently made a point of identifying a particular type of property that cannot, under any circumstances, be permitted to be damaged by a natural disaster: electronic protected health information (e-PHI).
Per OCR, the HIPAA Security Rule is not suspended at all during a national or public health emergency. Covered entities and business associates are required, under the Security Rule, to protect against any reasonably anticipated threats or hazards to the security or integrity of e-PHI that they create, receive, maintain or transmit. Other provisions of the Security Rule require covered entities to implement security measures that specifically contemplate emergency conditions. For example, covered entities (and potentially business associates) must have contingency plans, including disaster recovery and emergency mode operation plans, that establish policies and procedures for responding to an emergency or other occurrence (such as fire, system failure or natural disaster) that damages systems containing e-PHI. In other words, companies that obtain, store and/or use e-PHI must take steps to ensure that all such e-PHI remains accessible before, during and after an emergency, including backing up the data to the cloud or another secure location (one that will not be impacted by the emergency afflicting the covered entity).
Parts of the HIPAA Privacy Rule may be waived during a national or public health emergency. If the President declares an emergency or disaster and the HHS Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, including the requirement to distribute a notice of privacy practices and the patient’s right to request privacy restrictions or confidential communications. If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration, and (2) to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements that protocol. Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location.