
HIPAA and emergencies

From the Department of Health and Human Services Hurricane and HIPAA Bulletin

“Severe disasters – such as Hurricane Harvey – impose additional challenges on health care providers. Often questions arise about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel.

The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. In addition, while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS has issued temporary waivers of certain HIPAA Privacy Rule provisions for covered hospitals in Texas and Louisiana.”

Emergency Situations: Preparedness, Planning, and Response
Disclosures for Emergency Preparedness - A Decision Tool

In addition, please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.


In areas being evacuated

In practices with EHRs, covered entities are required by the HIPAA Security Rule to have a contingency plan that includes disaster recovery. If you have a web-based or cloud-based EHR, make sure you take at least one device with you, if possible. If the practice has a local server, power down the server and move it. However, IT staff may be the only ones with the admin password needed to power down the server. In any case, take copies of the backup if they are stored on site.