Case Scenario of Natural Disaster

The privacy and security of patients’ health information is an important challenge and responsibility for every health care organization and a concern for every U.S. citizen. To receive health care, patients must reveal information that is very personal and often sensitive. Much of the patient-physician relationship depends on a very high level of trust; at the same time, patients also trust health care organizations to keep their confidential health care information secure and private.

Every health care organization has an ethical and legal responsibility to protect patients’ health information and should make a management plan for the security and privacy of this confidential health information. “Disasters and security incidents may threaten the organization’s ability to carry out its mission as well as other operational functions. Advance planning and preparation will allow the organization to continue serving its patients and community and ensure the availability of patient protected health information as well as business information” (MHC IS Disaster Recovery Plan, 2006).

If access to data is not safe and precise during a natural disaster, there are bound to be many privacy concerns. The purpose of this paper is to describe and discuss the natural disaster case scenario of a small town on the Gulf Coast that was struck by a hurricane, and the detailed management plan for the security and privacy of the affected patients’ health care information. The execution of the management plan, the training of staff, and the code of conduct are also discussed in the paper. Natural disasters are so called because they are natural and unpredictable.

Natural disasters can result from natural threats such as earthquakes, tsunamis, cyclones, hurricanes, and floods. All these natural disasters have had a major effect on health organizations, and it is critical to have a disaster plan in place to protect every patient’s health information. “The health record serves a variety of purposes, one of which is to provide an accurate summary of a patient’s health status. An unexpected loss of patient health records could be devastating to the patient, organization, and clinical care provider.

Therefore, the health record must be guarded against unexpected losses due to a natural disaster. The occurrence of a disaster is rare; however, a well-designed disaster plan and subsequent action plan addressing the re-creation of lost or destroyed patient information will assist organizations in resuming business operations more efficiently and effectively” (AHIMA, 2003). Every health organization must have a natural disaster plan that protects patients’ safety, secures health information from damage, ensures stability in continuity of care activities, and provides for orderly recovery of information.

Every healthcare organization is facing increasing regulatory burdens, and the latest to demand a response is the Health Insurance Portability and Accountability Act (HIPAA) Security. “One major aspect of HIPAA Security is the disaster recovery plan, which seeks to restore appropriate access to information after a major calamity” (James C. Murphy, 2003). “The disaster recovery plan is a required implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.

The organizational disaster plan must state how confidential data will be moved and restored without violating HIPAA standards of privacy and security. The objective of a disaster recovery plan is to establish (and implement as needed) procedures to restore any loss of data. A disaster recovery plan is the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure” (HIPAA, 2005).

In the case scenario, patients’ files on the Gulf Coast were destroyed or washed away with the receding floodwaters of the storm surge. The hospitals therefore face major challenges in obtaining patients’ health information after the disaster. Health records will be damaged or destroyed because of the disaster. This is harmful for patients, who will ask for their health records in order to seek treatment at other hospitals that were not negatively affected by the disaster.

After the disaster, however, hospitals are responsible for informing patients that their health records or information were destroyed. Every patient then has to fill out a new health history and insurance form to rebuild the patient chart. “Health organizations should choose to maintain a log of lost or destroyed records, which will allow for easy retrieval of general information regarding the past event should any legal or accreditation issues arise” (AHIMA, 2003). “Once a disaster strikes and the disaster response plan is executed, post-disaster management is crucial.

Documentation is a key main step in any disaster plan. The facility must prepare a detailed record of the disaster event that includes at minimum a list of patient records affected, recovery efforts taken, and outcomes. Reconstruction of information must be documented, including the method used, and the entry must be authenticated according to the facility’s policy” (AHIMA, 2003). In the case of electronic health records, if the organization has a backup plan and its data is stored in a secure remote location, patients’ health information is not lost.

The electronic health record plan ensures patient information is safe in one location if the other location is destroyed. According to Wagner, electronic health care information is vulnerable to internal and external threats. Whether intentional or unintentional, these threats pose serious security risks. To minimize the risk and protect patients’ sensitive health care information, well-established and well-implemented administrative, physical, and technical security safeguards are essential for any health care organization, regardless of size.

One process for protecting patient health information in anticipation of a natural disaster is to have a well-designed pre- and post-disaster management plan that ensures patient security and privacy. “The U.S. Department of Health and Human Services requires medical providers to ‘protect against any reasonably anticipated threats or hazards to the security or integrity’ of records” (Trevor Sutton, 2011). Planning appropriately for a disaster in advance can mitigate concerns and provide valuable information to patients after a disaster.

The management plan should also include drills, review and updates of the plan, staff training, and execution and enforcement planning. “The HIPAA security rule requires health plans, healthcare clearinghouses, and healthcare providers that maintain or transmit health information electronically to provide reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of protected health information and protect the information against any reasonably anticipated threats or hazards to its security, integrity, unauthorized use, or disclosure” (Wagner, 2009).

The Administrative Safeguards of the HIPAA Security Rule comprise nine standards; one of them, the contingency plan, can be used for disaster recovery planning. According to Wagner, the contingency plan has five required implementation standards, which are:

• Data backup plan
• Disaster recovery plan
• Emergency mode operational plan
• Testing and revision procedures
• Applications and data criticality analysis

These five requirements of the contingency plan address emergency situations, and preparation for a disaster when it strikes is of greatest importance in protecting patient health information.

Training and educating staff upon hire, along with updating them as needed when regulations change, is important to a disaster plan. “The HIPAA privacy and security rules require formal education and training of the workforce to ensure ongoing accountability for privacy and security of protected health information (PHI). HIPAA’s privacy and security rules independently address training requirements. Like most standards, the training requirements are not prescriptive, giving organizations flexibility in implementation” (AHIMA, 2003).

Staff should have frequent competency reviews in which they describe their roles and responsibilities, to ensure they can carry out their duties in the event of a natural disaster. Being well versed in the organization’s code of conduct supports the organization’s efforts to comply with laws and regulations and to maintain ethical standards. Under any circumstance, the code of conduct will keep patient confidentiality safe and will give patients the right to expect that the organization will safeguard their privacy. Health care professionals have a legal and ethical responsibility to keep medical information private.

Physicians and nurses, along with hospitals and insurers, are required by law and professional codes to practice confidentiality. All employees in the organization must follow this code of conduct and their ethics to provide security and privacy for patients. If staff breach the code of conduct, disciplinary action or dismissal may follow. In the Gulf Coast case scenario, the hurricane destroyed and damaged patient health information and washed away files, causing a breach of patient privacy.

The organization is responsible for any breach in patient confidentiality during a disaster and needs to assure patients that their health information is secured by developing a successful plan. For example, the organization must protect patient health information and other property against loss, theft, destruction, and misuse. It must also protect the privacy and security of patient medical, billing, and claims information, and other protected health information, through sufficient and reasonable physical, technical, and administrative measures that prevent unauthorized access to, use of, or disclosure of patient information.

These ethical values will protect patient health information at any critical time, including during a natural disaster. The health organization must implement a management plan as well as a testing plan for a disaster. “A plan is only as strong as the people who execute it. A documented, finalized, and approved disaster recovery plan must be implemented, tested, and reviewed with all staff to ensure its overall compliance and success. Besides training, performing test runs of the plan is imperative in identifying gaps and any needed enhancements or changes” (AHIMA, 2003).

A test run of the plan is essential to identifying any issues, gaps, and changes needed in the plan. Implementing the disaster management plan involves preparing and performing the activities of the contingency plan. Examples include sharing the preliminary plan with the organizational committee and developing agreements with vendors and service providers that specialize in disaster recovery locations.

Staff must be provided with training and tools, and all employees should be able to state their duties and responsibilities clearly; these are requirements for implementing the management plan. “Testing and revision procedures are an addressable implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule” (HIPAA, 2012). Reevaluate and revise the plan and corresponding procedures based on the results of testing and simulated disaster trials. Input should be collected from all staff, including the safety officer, risk manager, and privacy and security officials. After a successful implementation of the plan, document the findings and continue to update and test the plan.

A natural disaster can strike at any time, and using the implementation process will alert the information systems manager to any staff issues, plan issues, and equipment issues requiring changes. It is important for any organization to ensure the disaster management plan is well developed, tested, and maintained. During a natural disaster, a disaster management plan is very helpful in protecting the security and privacy of patients’ health information. The Gulf Coast organization in particular requires this plan to protect its patients’ health information.

Besides causing shock and emotional pain, the unexpected loss of health information because of hurricanes or other natural disasters causes patients to lose their trust in and respect for the organization. Privacy is invaded when patient health care information, which is confidential under normal circumstances, is dispersed all over town. Therefore, an electronic backup plan is essential to safeguarding a patient’s health care information, because the backup plan stores the information in a remote location in the event of a natural disaster.

