For more information, contact:
Theresa Grant
American Health Information Management Association
(312) 233-1100
theresa.grant@ahima.org

Complying with the Privacy Rule During a Disaster
An overview of interim management
CHICAGO, May 15, 2008—An organization’s well-designed disaster plan cannot anticipate all decision points, but it is a prerequisite for health information management (HIM) departments to follow a specific process when a disaster occurs, regardless of its severity, according to an article in the May issue of the Journal of AHIMA. Once basic functionality is restored, then HIPAA requirements must be addressed with proper planning and care to ensure patient privacy rights are being protected.
After a disaster, aspects of the Privacy Rule that apply during the interim period include managing a patient directory, controlling use and disclosure of protected health information (PHI), managing business associates within the constraints of a business associate agreement, ensuring the physical security of the PHI, and creating the appropriate documentation that enables patients to access their designated record set and request amendments.
This article is the second installment of a two-part series that provides an overview of interim management and privacy-related aspects of HIM. Complying with the Privacy Rule During a Disaster-Part 1 outlines how healthcare organizations should deal with plan development, data back-up and recovery.
Read the complete article in the May issue of the Journal of AHIMA or view both articles online at www.ahima.org.
###