Harvey, Irma, HIPAA & HITECH

Posted on September 11, 2017


The United States has recently endured the catastrophic situation brought about by the Harvey and Irma hurricanes.

It is unfortunate that we live in a soundbite society where because of access to media, otherwise calamitous situations turn into yesterday’s news in the blink of an eye.

For a few days of massive flooding, the many thousands of people whose lives will be forever changed, and the tens of thousands of homes that were destroyed in Houston were the dominant stories (other than the incessant vilification of Trump and the national issue of Melania wearing high heels while walking to Marine One) until hurricane Irma took the front stage.

Texas made certain allowances to ease the provision of healthcare, which are further elaborated in a previous blog post, “Texas Healthcare in Light of Harvey.” However, in the wake of Irma, Houston no longer occupies the front stage. It is likely that shortly after Irma passes, the destruction it causes and the many lives it disrupts will also be equally and easily forgotten.

As fellow compassionate, responsible Americans, we should not forget that after the hurricane passes the rebuilding process begins. Thousands of people will be homeless. Many thousands of people will have their place of employment destroyed. Many thousands of people who rely on their own cars for transportation will no longer have them. Many people will find out that their homes were not insured to the extent they expected and that they do not necessarily have the resources to restore their homes to the condition they were in before the hurricane. Many adults and children alike will have to deal with both physical and emotional issues relating to the hurricanes. Many thousands of people will need medical care relating to exposure to tainted water, ingestion of unsanitary food, infections, or the trauma of the hurricanes. We can only hope that the outpouring of compassion that Americans have shown will continue through the lengthy rebuilding process.

With respect to the medical aspect, many practitioners and/or patients will come to realize the importance of the security protocols required under HIPAA/HITECH.

Prevailing law requires every covered entity, or in practical terms every medical provider, to have a risk analysis in place. Among the more than 180 questions that had to be addressed in the risk analysis was the likelihood of a natural disaster, e.g. a flood or fire: what the risk was, the likelihood of occurrence, and thereafter, in conjunction with the steps taken to mitigate the effects, a score for the actual threat. The Contingency Plan, the section that speaks to natural disasters, is comprised of five implementation specifications: (a) Data Backup Plan; (b) Disaster Recovery Plan; (c) Emergency Mode Operation Plan; (d) Testing and Revision Procedures; and (e) Applications and Data Criticality Analysis.
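The scoring described above (likelihood, impact, then a residual score after mitigations) and the five Contingency Plan specifications can be kept in a small risk register. The following is an added illustration, not code from the original post: the 1 to 5 scales, the reduction weights, the one-year testing window and the sample threats are all assumptions chosen for the example, not values from the HIPAA rule.

```python
"""Constructed contingency-plan risk register (example, not the post's own code).

Scores each natural-disaster threat as likelihood x impact (inherent risk),
then applies documented mitigations to reach a residual risk. A mitigation
that has never been tested, or not within the assumed one-year window, earns
no credit, which is the point of the Testing and Revision Procedures spec.
It also reports which of the five implementation specifications have no
mitigation recorded against them at all.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# The five implementation specifications of the Contingency Plan standard.
CONTINGENCY_SPECS = (
    "Data Backup Plan",
    "Disaster Recovery Plan",
    "Emergency Mode Operation Plan",
    "Testing and Revision Procedures",
    "Applications and Data Criticality Analysis",
)


@dataclass
class Mitigation:
    name: str
    spec: str                           # specification this control implements
    reduction: float                    # assumed fraction of risk removed, 0..1
    last_tested: Optional[date] = None  # None = never exercised


@dataclass
class Threat:
    name: str
    likelihood: int                     # assumed scale: 1 rare .. 5 near certain
    impact: int                         # assumed scale: 1 negligible .. 5 total loss of PHI access
    mitigations: List[Mitigation] = field(default_factory=list)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self, as_of: date, max_test_age_days: int = 365) -> float:
        score = float(self.inherent_risk())
        for m in self.mitigations:
            if m.last_tested is None or (as_of - m.last_tested).days > max_test_age_days:
                continue  # untested or stale control: no credit
            score *= 1.0 - m.reduction
        return round(score, 2)


def rating(score: float) -> str:
    """Assumed banding for a 1..25 score."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def missing_specs(threats: List[Threat]) -> List[str]:
    """Specifications with no mitigation recorded under any threat."""
    covered = {m.spec for t in threats for m in t.mitigations}
    return [s for s in CONTINGENCY_SPECS if s not in covered]


def assess(threats: List[Threat], as_of: date) -> Dict[str, Tuple[int, float, str]]:
    """name -> (inherent score, residual score, rating)."""
    return {t.name: (t.inherent_risk(), t.residual_risk(as_of), rating(t.residual_risk(as_of)))
            for t in threats}


def sample_register() -> Tuple[List[Threat], date]:
    """Constructed sample data for a coastal practice; dates are illustrative."""
    cloud_backup = Mitigation("Nightly off-site cloud backup", "Data Backup Plan",
                              reduction=0.5, last_tested=date(2017, 6, 1))
    dr_runbook = Mitigation("Disaster recovery runbook", "Disaster Recovery Plan",
                            reduction=0.3, last_tested=None)  # written, never rehearsed
    threats = [
        Threat("Flood", likelihood=4, impact=5, mitigations=[cloud_backup, dr_runbook]),
        Threat("Fire", likelihood=2, impact=5, mitigations=[cloud_backup]),
    ]
    return threats, date(2017, 9, 11)


if __name__ == "__main__":
    threats, as_of = sample_register()
    for name, (inherent, residual, band) in assess(threats, as_of).items():
        print(f"{name:6} inherent={inherent:2} residual={residual:5} {band}")
    print("Specifications with no documented control:", missing_specs(threats))
```

In the sample, the untested runbook earns nothing, so the flood threat stays MEDIUM despite two listed controls, and three of the five specifications show up as uncovered; both findings are the kind of gap a risk analysis is meant to surface before the water rises.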

For those practices that have or had EMR/EHR in a cloud-based system, retrieval of medical records should be relatively easy.

Houston was lucky in that many of the hospitals had recently begun working with an interoperable system, so that the transfer of patients from one hospital to another, at least from a medical records perspective, could be done almost seamlessly.

However, most small, medium and even large independent medical practices do not have interoperable systems, even if their EMR is cloud-based and state-of-the-art.

They can take solace in the fact that, to the extent the records are in the cloud, even if they do not have access to their office they can retrieve records from a remote site and make provisions for medical care without the loss of medical records.

For those practices that are primarily paper-based, many may find themselves unable to access and/or transmit complete patient histories. It is beyond the scope of this post to opine on the difficulties the patients will encounter, or on the operational and legal consequences for medical practitioners who cannot retrieve patient records and did not have a proper risk analysis.

As discussed in a previous blog post, “Precluding a HIPAA Breach is Not Enough,” North Memorial Health Care agreed to pay a $1.55 million settlement after a data breach in which they were found to have failed to perform a risk analysis. It is clear that the government can find violations of HIPAA/HITECH by sheer virtue of the fact that there is no risk analysis, even if there is no other violation.

Once again, we hope that the victims of these hurricanes are able to move past the injury, loss of property and trauma that they are enduring.


Comments 21

  1. HIPAA had the unintended consequence of delaying the electronic sharing of patient data that might have been used around the world for “mass customization” in terms of diagnoses and treatment. But privacy is certainly a good reason to continue to eschew the cloud and data sharing among and between all medical researchers, medical community, universities and other research facilities.

    When the time comes and patient privacy can be assured even in the face of open sharing across the global medical community, AI-based treatment options will offer high probabilities of success on a patient-by-patient basis.

    1. Your points are well taken. However, it is abundantly clear that, while securing digital data is in its infancy, mass data breaches are so common that we are virtually desensitized to their scale and frequency.
