By Inga Shugalo
Healthcare Industry Analyst at Itransition
There’s no denying that ensuring patient data security is a continuous challenge for healthcare organizations. According to the Verizon’s recent report, the outside activities, involving the loss of data assets (e.g., laptops, flash drives, documents), hacking, using malware and social engineering, account for almost 50% of the HIPAA violations causes together. However, the external threat can be often associated with the actions of internal actors. The report also claims that 58% of reviewed incidents included insiders, making healthcare the only industry threatened from the inside more than from the outside.
Safeguarding PHI from the inside requires the collective effort of both security specialists and care providers to create strict but flexible workflow organization protocols. If the local security protocols are inconvenient, cluttered, or simply don’t apply to the organization’s IT infrastructure, the staff may eventually resort to workarounds or start skipping security measures to save time.
Poor effort in creating best practices for handling patient information in a secure way can backfire in emergency situations. If people in panic start disregarding the established practices, their actions may even increase the data exposure. To avoid that, healthcare software development company Itransition offers 3 steps for planning the unplanned and creating the PHI safety strategy with HIPAA-embracing protocols.
Step 1: Prioritizing the PHI technology
Prior to reviewing the HIPAA provisions and including them into the emergency plan, a health organization needs to pinpoint the key and supporting software that creates, stores, shares, and maintains patient health information. Ranking the applications according to their importance for patient care, the provider can properly queue the procedures for emergency mode operation, data backup, and emergency recovery.
For example, if the organization uses both a CRM and an EHR as their go-to software for care delivery, they need to decide the one that will be prioritized in case of emergency. CRM allows storing more vast patient data with all needed highlights and no billing, while EHR contains detailed treatment history. Depending on their actual use within the organization, the provider can define which one of them will be more helpful in a crisis.
Step 2: Achieving HIPAA-compliant disclosure
In some cases, HHS releases HIPAA waivers to assist providers in fulfilling their patient information security obligations in crisis, reprieving the rules and fines for non-compliant actions. But these waivers are used on the extraordinary basis, so, usually, HIPAA rules stay in full force when the incidents occur.
HIPAA Privacy Rule offers a set of guidelines to enable swift care coordination and safe health information exchange so that providers create proprietary disaster protocols and adhere to PHI security at all times.
Care delivery
The provision states that the healthcare organizations may disclose PHI without patient consent if this data is used to ensure proper care for this or another patient (with similar symptoms, trauma, clinical history, etc.). The proper care delivery can relate to direct treatment, care team coordination within one organization, consultation between different health networks, or referring patients for care in case the current provider cannot ensure the required level of assistance.
Population health activity
PHI can be disclosed with no patient consent to different public health authorities within the US and abroad in case of an international population health threat. Additionally, providers can share patient information of individuals risking to contract or spread the disease.
Family disclosure
Protected patient information, including their current location and health status, can be disclosed to the care-related people identified by the patient themselves (e.g., relatives, caregivers) to notify them.
Threat prevention disclosure
To avoid or reduce a serious health hazard, secure patient data can be disclosed without patient consent to individuals and institutions able to influence the threat (e.g., caregivers, relatives, police authorities, special operations agencies).
Public disclosure
Healthcare organizations can share the strictly limited information about their patients to the agencies that are not related to patient care, including media. In particular, they can recognize an individual as their patient and provide a basic report about their health status. Still, the disclosure requires the explicit patient permission to share this information. If the patient is incapacitated, the provider should act in his or her best interest and in accordance with their previously expressed preferences.
Minimum necessary
Overall, the covered entities should control the disclosure, keeping it to the “minimum necessary” for disaster relief purpose. Internally, the organization should continue limiting the PHI access to the health specialists requiring it to perform their direct duties.
Business associates
BAs can disclose PHI to a public health authority on behalf of the healthcare organization or another BA under the business associate agreement.
HHS decision-making tool for internal protocols
HHS also provides the basic tool for decision assistance in the form of a flow chart. The tool focuses only on emergency situations and reviews the processes for information disclosure to different entities (e.g., agency, another provider, public health authority) and the supposed information disclosure purpose (e.g., treatment, public health, prevention).
Apart from applying as a print-out for the staff, the chart can be used to create specific disaster response protocols for patient data disclosure within the software across the healthcare organization used for PHI sharing and add rules and exceptions there.
For example, the email client can have an emergency mode. Toggling the mode initiates the set of protocols to ensure safe data transfer, such as two-step verification or a short questionnaire regarding the data recipient (if it is a public health authority, if the information is disclosed or used for treatment, if there is a data use agreement with the recipient, etc.). While not being the silver bullet, such protocols will require the specialist working with the data to double-check their actions and avoid mistakes.
Exception rule: HHS waiver for the public health emergency
If the President declares an emergency or disaster, the HHS Secretary can declare a public health emergency. In this case, only, HHS can postpone certain HIPAA rules by issuing a bulletin with suggestions for handling patient data. Here are the rules that can be disregarded:
- Obtaining a patient’s agreement to interact with the family and close ones related to patient care.
- Opting out of the patient facility directory upon request.
- Distributing a notice of privacy practices.
- Carrying out a patient’s request for privacy restrictions.
- Carrying out a patient’s request for confidential communications.
The issued bulletin applies only in the emergency area and for the regulated emergency period (up to 90 days). The use of the waiver is authorized only in the organizations with the active disaster protocol and only for up to 72 hours from its activation. If the disaster declaration ends within this 72-hour period, the waiver is no longer applicable and the organization should comply with all HIPAA Privacy Rule requirements again.
Step 3: Planning the emergency
When the core systems and HIPAA-compliant disclosure protocols are defined, the healthcare organization should set up the disaster response plan with the processes, procedures, and instructions for the staff in place. In particular, the following concerns should be addressed:
- Each employee’s role in case of emergency, their responsibilities and duties.
- A schedule for the “emergency mode” processes. The first hour, day, and week after the emergency are critical, so the solid scenario should be in place to stop the panic.
- Critical processes. The plan should elicit the essential operations within the organization to focus on their continuous functioning and minimizing losses in case of disruptions.
While creating the plan, the provider should keep the language comprehensive and simple to avoid ambiguities and misunderstanding. Plain wording will help the specialists to grasp their role easier, polish their performance during the drill, and avoid spending time on clarifications during the emergency.
So, you have an emergency
HIPAA compliance should stay a priority even at times of major crisis. To ensure it, healthcare organizations need to work with their security consultants and enable a flexible plan of actions, quick decision tools and even custom protocols for PHI-focused software.
When the provider isn’t relying on the waiver or doesn’t need to draft the plan on the go, the risk of data exposure can be reduced to a minimum. While every disaster is unique, the structured behavior pattern for each specialist within the organization allows healthcare professionals to coordinate the effort and overcome the situation, helping the patients to receive the needed care while keeping their health information breach-proof.