
HIPAA Requirements PHI in Natural Disasters

Posted on June 8, 2011 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Brian Van Zandt, a long time reader of EMR and HIPAA and an account executive at a managed IT services company in New York, NST, sent me the following fascinating question.

I’ve had a conversation with a few people recently about something that’s been on the news a lot recently. A tornado in the Midwest destroyed a hospital and patient records, I heard about x-rays specifically, were found miles from the hospital. In extreme cases like that, are hospitals still liable for penalties from HIPAA for losing patient information?

First, I have to start with my regular disclaimer that I’m not a lawyer, I don’t play one on TV and much prefer being a blogger. Consult a lawyer for legal advice.

With that disclaimer, it’s a fascinating situation to consider. I remember from my business law classes in college that there’s a legal term called “Act of God” which seems like it might have consideration in this situation. I can’t say for sure that the Act of God defense would work when it comes to disclosure of PHI, but it would be interesting to see it play out.

I think the other consideration and question is what efforts did the hospital make to prevent the disclosure of the PHI. How did they act when the tornado warning was announced? What measures had they taken to prevent such an issue from happening since they likely knew they were in an area that was prone to tornadoes? What efforts did they put forth once the hospital was destroyed to protect the information that was scattered?

I’m sure there are a lot more questions that would likely be asked. I’m just trying to start the conversation and hopefully some HIPAA lawyers that read this blog will chime in with more details.

Although, I must admit that my first reaction to reading this question was, would people really have a legal issue with this? My point being that someone would have to bring a legal case against this hospital for us to really find out the legal requirements. It’s just a sad commentary on society if individuals would really bring a HIPAA violation against a hospital that was destroyed by a tornado. I’m all for the legal system when there are issues of negligence. I just don’t see how a tornado’s disclosure of PHI miles away is negligence.

Of course, if the hospital had an EMR, they wouldn’t have to worry about an X-ray being found miles away. Well, unless the hard drive, server, computer, laptop, etc. was blown miles away. Hopefully the data center planning took natural disasters like this into account. Although, even if it didn’t, with appropriate device encryption even this wouldn’t be an issue. It would be like having an encrypted laptop stolen. One more reason to have an EMR instead of paper records.

This is an interesting edge case that I’d love to learn about since every healthcare entity could potentially be hit by a natural disaster. Of course, I’ve seen a lot of discussion about providing healthcare during a natural disaster. I hadn’t thought as much about HIPAA during a natural disaster. Maybe that’s how it should be.

On a more personal note, my thoughts and prayers go out to those who’ve been hit by this disaster and others. I didn’t know anyone in Joplin, but we have family in Springfield, MA which had a tornado cause destruction as well as some fires raging in Arizona that are affecting many people we know. I wish them all the best as they deal with challenging situations.

Microsoft’s HealthVault Now Going Mobile


The full press release can be found here, and there are some great screen shots at this website, but here are my thoughts on the release.

After essentially leading the early years of the computer age, Microsoft appears to be consistently playing catch-up. They have chased after the ideas of others for years now. The best example is probably the development of Bing to try to catch up with Google.

I find it amusing that they are now announcing the release of HealthVault to the mobile market as if they are the first company to release to the mobile market.  It looks like a worthwhile app, and has some great value in the long run, but it never ceases to amuse me how Microsoft always feels like they are the top dog in everything when they are actually just following a trend.  End rant.

As for the app itself there are some very interesting aspects.

The first being simply the mobile availability of features.  It is very convenient for people to carry their personal health record in their pocket.  This would allow patients to look up their medical history when filling out forms, and tell doctors exactly what they have been taking or been diagnosed with in the past.

Right now it is only available on Windows Phone 7, but it should be available on Apple iOS and Google Android in the coming weeks. They have also built in client libraries to allow for the development of related apps. The first one, Health Guard by Akvelon, is already available on the WP7 marketplace.

HealthVault does a good job of translating CCR and CCD files into the PHR which is convenient since that is what most doctors are starting to use as they work towards attaining Meaningful Use.  The sheer convenience of this inputting method should help drive their product.  Users will still have the option to input manually, and anything that is not recognized will default to a manual input, but the more automation involved the more likely people will be to adopt it.

Maybe the most interesting aspect of the release is the ability to use Facebook to access the site. By using your Facebook credentials you can populate the sign-up form and take advantage of what HealthVault has to offer. With the number of people that think of Facebook as the internet and how it drives their lives, this makes tons of sense. They did emphasize that there will be no flow of information from HealthVault back to Facebook, but that if they ever were to develop such apps they would not be implemented without the express permission of users.

This really brings up an interesting discussion about EHR/EMR/PHR and social networking.  This was addressed in a video done by the founder of which can be found here.  I don’t think we will be seeing people’s health records end up on their wall or anything, but I do think we will start to see apps that more widely cover our personal healthcare and take advantage of the power of Facebook.

A Checklist for the HITECH Act and State Mandates for Breach Management


This video is a webcast done by Ali Pabrai, chief executive of ecfirst, discussing a checklist for HITECH and state mandates for breach management. It can be easy to get complacent when we are given a list of rules to follow, but history has shown that for every rule there will invariably be a handful of people breaking it, some intentionally and some ignorantly. This video is a good reminder to help us remain vigilant.



Watch the video here.