Dealing with natural disasters in healthcare can be very difficult because you are concerned with both your patient’s safety and your own safety. We often get asked by our customers if we have suggestions for how to plan for natural disasters like hurricanes, tornados, earthquakes, or even just power outages.
I’d like to outline a couple things when it comes to the Health Insurance Portability and Accountability Act (HIPAA) and what healthcare organizations need to keep in mind about their responsibilities when dealing with a natural disaster or state of emergency. Most of the important parts to consider are within the administrative safeguards of the HIPAA security rule (45 CFR 164.308(a)(7)(i) Contingency plan) so we’ll touch on those key points:
- Data Backup Plan (making sure you have accurate and up-to-date backups ongoing regardless of a major event)
- Emergency Mode Operation Plan (a plan for continuing operations during the event)
- Disaster Recovery Plan (how to recover after the event)
All of these must be documented and kept up-to-date by healthcare providers, hospital systems, etc. Most everyone realizes that more than just a documented plan sitting collecting dust on paper is required. Healthcare organizations must have disaster ‘trial runs’ where plans are actually practiced, tested, and improved organically on a continuous, on-going basis. The unfortunate reality is that many do not practice what they preach. Or, in this case, many do not document what they preach and we see the proof after the disaster events.
It is not all doom and gloom; there are many great examples of healthcare providers who effectively pulled their patient lists and important Patient Health Information (PHI) to secure notebooks to perform with amazing care during emergencies. Telemedicine truly shines during these emergency times of disaster events. Most telemedicine kits, tablets, and other devices operate on cell service and WiFi. Emergency personnel work to first restore power and communication to hospitals and evacuation centers, which allows healthcare providers to maintain touch points with their patients and provide care that they might not have been able to do otherwise.
For care-coordinators and healthcare providers who pull emergency operations duty or for those who will return to duty immediately after a disaster, there are some best practices and tips which can hopefully help coping skills.
Leading Up to an Event
Prior to disaster events (for example, like an oncoming hurricane), first contact those patients you are actively monitoring or communicating with on any schedule. Talk with them about power outages and evacuation protocols. Most tablets for telemedicine have a 10-12-hour charge, but in circumstances where the outage can be several days or even longer, encourage your patients or their caregiver to only power-up their tablets and other devices when they need to take their vitals and then power them back down. Remind patients they may be able to charge their devices by using a car charger if necessary.
If patients need to evacuate, encourage them to pack up their health kit into its box and bring it with them. Even if there is no cell or WiFi coverage, they are still able to log their vitals and, as soon as there is connectivity, the biometric data will upload and populate into the portal.
In extreme circumstances, if you believe you will lose connectivity or power for an extended period of time, log in to your care management platform and download to a secure laptop or print directly a copy of your active patients. Because the Vivify Health platform is cloud-based, care managers who relocated during an event should always be able to access the platform as long as there is connectivity, so this shouldn’t be an issue. Also in those extreme circumstances of long-lasting loss of power, Vivify customers should consider the following reports:
1. Patient Data Dump – has all Active Patients Name, DOB, Address, Phone #, and Emergency Contacts.
2. Patient Score Data Dump – this is a listing of all of active patients with their most current Health Score.
3. After a major event where not all connectivity is restored, ensure your list is sorted by risk score and you will be able to work your active patient list based on the highest risk score first and then follow up telephonically.
As a general reminder, remember printed materials should not be left unattended during or after the printing, to avoid accidental disclosure. HIPAA doesn’t get suspended even during a natural disaster when it comes to protecting your patients PHI.
What you might not think about:
The last item to consider, and that many forget about, is dealing with the wolves. Wolves prey on the weak, especially during the vulnerability-stress of undergoing emergency disasters. Because of this, it’s important healthcare providers and care coordinators become sheepdogs of patient data, safeguarding this data during natural disaster events. Be wary of hackers and social engineers who look for major events to acquire patient data for nefarious purposes. This could include a person getting physical access to an area not normally available or taking advantage of care providers working in locations they normally would not during emergency operations.
When power and connectivity are restored, make sure you properly shred any documents that have PHI on them and follow your facility’s best practices of disposal.
Hopefully, this will help you when considering your emergency operations and disaster plans. Think of something else to consider? Let us know!