The ONC (Office of the National Coordinator for Health) recently blogged about disaster preparedness and health information exchange (HIE), citing the recent Hurricane Isaac as a reason for concern about accessing and locating health records in another state. In the event of a natural disaster, many people are displaced in neighboring states and may need access to their health records.
To answer the question, are we ready? the ONC created a consortium with representatives from several Southeast states; the Southeast Regional HIT-HIE Collaboration (SERCH). Their recommendations for HIE between different states in the event of a disaster are as follows:
Review the state’s disaster response policies and laws. Connect with the state agency that is responsible for Emergency Support Function #8 (ESF) (Public Health and Medical Services) before a disaster strikes. ESF allows for coordinated federal assistance to supplement medical resources in an emergency.
One way to establish a waiver of liability for the release of records in the declaration of an emergency is to enact the Mutual Aid Memorandum of Understanding (MOU), a type of contract.
In the event of a disaster, this also allows the default of state privacy and security laws to the federal Health Insurance Portability and Accountability Act (HIPAA). This is helpful if one state has more stringent patient privacy and security laws than another. It ensures that if a patient is relocated away from the disaster site, they can still receive care and not be held up by state laws.
Consider using the Data Use and Reciprocal Support Agreement (DURSA) to address patient privacy, security and data-sharing concerns. DURSA is a trust agreement between entities, organizations and federal agencies that choose to exchange electronic health information based on a set of national standards, services and policies. This ensures everyone is on the same page with security, and is useful in the event of a disaster when people are displaced.
Assess HIE resources and other available health data-sharing entities, and consider a phased approach when establishing interstate HIE:
Phase 1 includes leveraging existing systems of storing and transmitting ePHI (electronic protected health information).
Phase 2 includes implementing interstate directories to provide data across services in a disaster.
Phase 3 includes leveraging a fully functioning state HIE that allows for integrated patient look-up and physician authentication services.
While preparing for HIE in the event of a disaster is key to providing quality care, preserving and ensuring the availability of patient records is a healthcare organization’s responsibility. The HIPAA Contingency Plan standard described in section 164.308(a)(7)mandates the use of a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis.
Protecting healthcare data and ensuring its availability means putting procedures in place to mitigate disasters, and having a solid plan in-hand to activate when a disaster occurs. The infrastructure to do this is defined by two perspectives:
Disaster Prevention – Putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
Disaster Recovery – Assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if a disaster occurs in the primary data center.
The use of HIE systems, including EHR (electronic health record) and EMR (electronic medical record) systems, requires data to be hosted in a secure, HIPAA compliant environment. To find out what components are necessary for a HIPAA compliant data center, including a full diagram and descriptions, read our HIPAA Compliant Hosting white paper.