As the East Coast prepares for the arrival of Hurricane Matthew, covered entities and business associates should take the opportunity to remind their workforce members to safeguard protected health information (PHI) that is in paper form. Certainly, HIPAA requires covered entities and business associates to protect and secure PHI at all times. However, healthcare providers that deal with volumes of records (and particularly those relying heavily on paper records) should take extra precautions in preparation for inclement weather that may involve wind and water damage. Covered entities and business associates should remind and advise their workforce members as follows:
- PHI in paper form should be secured in locked file cabinets (where it will be less prone to wind and water damage) and should be kept separate from other paper documents.
- Consider storing physical PHI in a locked file room or other locked interior room that can be used for storage so that it is contained in a secure interior location (and again less prone to wind and water damage).
- Workforce members, including physicians and other ancillary providers, should not remove PHI in paper form from the premises unless absolutely necessary.
While the HIPAA Privacy and Security Rules do not distinguish between inclement and ordinary weather and PHI should always be safeguarded, providers and other businesses that handle significant amounts of PHI in paper form should exercise additional caution when faced with severe weather to avoid damage to and loss of records. Not only can damaged or lost records amount to a HIPAA or state law data breach, they can impede patient care and pose risks.
Because severe weather may also pose risks to a business's information technology infrastructure, among other systems and structures, covered entities and business associates should also review their emergency preparedness and disaster recovery plans.
For additional information about disaster preparedness, please visit the Office of Civil Rights' website, where you can find a November 2014 Bulletin entitled HIPAA Privacy in Emergency Situations, which specifically states that “the protections of the Privacy Rule are not set aside during an emergency.” The bulletin also describes some exceptions for disclosing PHI during an emergency.