Hurricane Harvey: Hospital EHRs Appear to Weather the StormOfficial Says No Major Outages Reported Yet
In the wake of Hurricane Harvey, Texas hospitals have not reported issues involving access to electronic health records and other critical systems, says Lance Lunsford of the Texas Hospital Association. But some hospitals particularly hard-hit by flooding have evacuated patients.
Meanwhile, healthcare organizations in the region are getting some relief from complying with the HIPAA Privacy Rule and other regulations to help expedite quick treatment of patients.
"You have to take into account that Houston is in the heart of the target zone of hurricane tracks," Lunsford says. "We've had 15 years since [tropical storm] Allison, then Hurricane Katrina, and many big storms in between, to learn from and to build the physical and technology infrastructures, emergency and response plans."
Hospitals in the region "have understood how vulnerable they are and have stepped up their infrastructures, emergency management and staffing to deal with hurricane threats," he says.
That includes hospitals moving computer and electrical equipment "to higher ground" to avoid the damage caused to some in past storms by flooding of basements where IT and high-end medical equipment were formerly stored, he says.
"There haven't been reports of massive failures," he told Information Security Media Group. "Hospital leaders are learning the lessons of the past."
While most hospitals so far appear not to be reporting hurricane-related problems with their information systems, it's likely still too soon to know whether smaller clinics and pharmacies are also in good shape, Lunsford says.
"Most of them closed up shop [to prepare and deal with the storm late last week] and haven't reopened yet," he notes.
Mac McMillan, president of security consulting firm CynergisTek, which is based in Austin, Texas, says that while many smaller clinics and offices have been closed, "the hospitals have continued to operate, but the biggest challenge is getting patients to their doors. First it was the floods from the storm, now it is the controlled flooding as they work to save the dams and levees."
McMillan notes that Houston is a city that "understands the need for solid plans for disasters from storms. Testing and conducting practice drills is a part of their culture. The problem is as some have said the reality of the next storm is never the same as the one in the past, and Harvey is like no other in history in terms of the amount of water they are having to contend with."
Meanwhile, The Department of Health and Human Services has declared a public health emergency in Texas. HHS Secretary Tom Price, M.D., under his authority in the Public Health Service Act and Social Security Act, is allowing the Centers for Medicare and Medicaid Services "to waive certain documentation requirements to help ensure facilities can deliver care" to Medicare patients, according to an HHS statement.
HHS notes that many Medicare beneficiaries have been evacuated to neighboring communities where receiving hospitals and nursing homes may have no healthcare records, information on current health status or even verification of the person's status as a Medicare beneficiary. "Due to the emergency declaration and other actions taken by HHS, CMS is able to waive certain documentation requirements to help ensure facilities can deliver care," HHS says.
As part of that emergency declaration, HHS has issued a bulletin about how the HIPAA Privacy Rule regulations fit into extreme emergency situations and the rule's requirements that are being waived temporarily in the hurricane-affected regions.
"Severe disasters - such as Hurricane Harvey - impose additional challenges on healthcare providers," HHS notes in the bulletin. "Often questions arise about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel.
"The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to assist patients in receiving the care they need."
HHS is exercising its authority to waive sanctions and penalties against hospitals in Texas that do not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care;
- The requirement to honor a request to opt out of the facility directory;
- The requirement to distribute a notice of privacy practices;
- The patient's right to request privacy restrictions;
- The patient's right to request confidential communications.
HHS adds that such a waiver only applies under specific conditions, including in the emergency area and for the emergency period identified in the public health emergency declaration; to hospitals that have instituted a disaster protocol; and for up to 72 hours from the time the hospital implements its disaster protocol.
"When the presidential or secretarial declaration terminates, a hospital must then comply with all the requirements of the privacy rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol," HHS says.
Meanwhile, the National Health Information Sharing and Analysis Center is working with federal agencies, including HHS and the Department of Homeland Security, to assist in the disaster efforts, says Denise Anderson, executive director.
"NH-ISAC is sending out alerts and cross-sector information as applicable as well as attending calls with HHS and DHS," she says. "We are coordinating with the DHS National Infrastructure Integration Center, HHS and our partners and monitoring any member requests that come in."
HHS notes it is also is helping evacuate hospital patients to healthcare facilities outside the impacted area.
Among flooded hospitals that have evacuated patients is Ben Taub Hospital in Houston, which is operated by Harris Health Care.
In a separate statement issued Monday, HHS said that thousands of Texans sheltering at the George R. Brown Convention Center in Houston will have medical care on site through a 250-bed Federal Medical Station being established by HHS at the request of Texas' State Department of Health.
"The Federal Medical Station we are setting up and staffing in Houston will provide vital care to Texans affected by Hurricane Harvey, and we stand ready to devote additional resources as needed," Price says in the HHS statement.
HHS says it also has additional Federal Medical Stations available for patient care in Texas, and has positioned two 250-bed stations in Baton Rouge ready to be deployed in Louisiana should state officials determine they are needed.
HHS adds that it has more than 500 personnel on the ground to assist those affected by Hurricane Harvey and 1,300 more on standby.
The agency also has helped local public health officials address the needs of those who rely upon electricity-dependent medical equipment. HHS has provided information to local public health officials about the number of Medicare beneficiaries in each impacted area who rely on 14 types of life-maintaining and assistive equipment, ranging from oxygen concentrators to electric wheelchairs, as well as data on the number of people who rely on dialysis, oxygen, and home health services.
"These citizens are among the most vulnerable in their communities and most likely to need life-saving assistance in prolonged power outages," HHS says.
HHS did not immediately respond to ISMG's request for additional information about the disaster efforts, how many hospitals in the affected region have been evacuated and whether access to patient electronic information has been disrupted.
Beware of Scams
Besides help in dealing with the physical challenges posed by the hurricane, federal regulators are also cautioning businesses and the public about phishing scams.
In an alert, DHS' U.S. Computer Emergency and Response Team warns users "to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey."
Users are advised "to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source," the alert states. "US-CERT encourages users and administrators to use caution when encountering these types of email messages and take ... preventative measures to protect themselves from phishing scams and malware campaigns.