HIPAA Requirements PHI in Natural Disasters

Brian Van Zandt, a long-time reader of EMR and HIPAA and an account executive at NST, a managed IT services company in New York, sent me the following fascinating question.

I’ve had a conversation with a few people recently about something that has been on the news a lot lately. A tornado in the Midwest destroyed a hospital, and patient records (I heard about x-rays specifically) were found miles from the hospital. In extreme cases like that, are hospitals still liable for penalties under HIPAA for losing patient information?

First, I have to start with my regular disclaimer that I’m not a lawyer, I don’t play one on TV and much prefer being a blogger. Consult a lawyer for legal advice.

With that disclaimer, it’s a fascinating situation to consider. I remember from my business law classes in college that there’s a legal term called “Act of God” which seems like it might apply in this situation. I can’t say for sure that the Act of God defense would work when it comes to disclosure of PHI, but it would be interesting to see it play out.

I think the other consideration and question is what efforts the hospital made to prevent the disclosure of the PHI. How did they act when the tornado warning was announced? What measures had they taken to prevent such an issue from happening, since they likely knew they were in an area prone to tornadoes? What efforts did they put forth once the hospital was destroyed to protect the information that was scattered?

I’m sure there are a lot more questions that would likely be asked. I’m just trying to start the conversation, and hopefully some HIPAA lawyers who read this blog will chime in with more details.

Although, I must admit that my first reaction to reading this question was: would people really have a legal issue with this? My point being that someone would have to bring a legal case against this hospital for us to really find out the legal requirements. It’s a sad commentary on society if individuals would really bring a HIPAA violation claim against a hospital that was destroyed by a tornado. I’m all for the legal system when there are issues of negligence. I just don’t see how a tornado scattering PHI miles away is negligence.

Of course, if the hospital had an EMR, they wouldn’t have to worry about an X-ray being found miles away. Well, unless the hard drive, server, computer, laptop, etc. was blown miles away. Hopefully the data center planning took natural disasters like this into account. Although, even if it didn’t, with appropriate device encryption even this wouldn’t be an issue. It would be like having an encrypted laptop stolen: the device is gone, but the data on it stays unreadable. One more reason to have an EMR instead of paper records.

This is an interesting edge case that I’d love to learn about since every healthcare entity could potentially be hit by a natural disaster. Of course, I’ve seen a lot of discussion about providing healthcare during a natural disaster. I hadn’t thought as much about HIPAA during a natural disaster. Maybe that’s how it should be.

On a more personal note, my thoughts and prayers go out to those who’ve been hit by this disaster and others. I didn’t know anyone in Joplin, but we have family in Springfield, MA which had a tornado cause destruction as well as some fires raging in Arizona that are affecting many people we know. I wish them all the best as they deal with challenging situations.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • In the event of a natural disaster, cloud computing is even more secure than encrypted PHI on hard drives.

    Nevertheless, for small offices such as most dental practices, the risk of natural disasters is hardly a reason to go paperless. Besides, which is easier to see with a flashlight? An EHR or a paper record?

  • “Which is easier to see with a flashlight? An EHR or a paper record?”
    I’d have to say EHR. Laptops work really well in the dark;-)

  • A couple of items here:
    There is a point at which a natural disaster (or two or three) is well beyond what is practical to plan for.
    Things that come to mind here are: 500 year floods, levees that are blown up & earthquakes followed by tsunamis.
    Yes, there should be a plan, but (especially) in a small private practice, there is a point of diminishing returns in the planning process.

    Of course, HIPAA gives solid guidance for the minimum amount of planning.

    Next: let’s see, paper or electronic, combustion engine or horse, etc.
    While in the Air Force, the plane I flew had all of its electronics “hardened” to withstand an “EMP burst”. This electromagnetic pulse that tends to accompany a nuclear blast essentially “melts” electronic components and renders them useless. How many data centers are hardened for this?

    My point is, there is a reasonable standard that you are expected to meet. For the medical world, HIPAA sets those minimum standards. My opinion is, in certain areas HIPAA does not go far enough…purely from a business continuity standpoint, not just privacy.

    Yet: if a hospital that uses paper is destroyed and everything is lost, there is not much difference from a hospital on an EHR that does not back up off site (off-site backup is NOT a HIPAA requirement, but dang smart business) and has everything lost.

    The servers that PHI is stored on are not required to be encrypted – oh yes, but smart business.

    My guess is, while walking around the absolute destruction of a city, the fact that some medical records are found is on the lower end of the things people are concerned about at that point. Lawyers in other cities are a different story.

  • Interesting premise John. Required vs. smart business. Could start some really interesting discussions.

  • One would think it would start a good conversation…but then there is reality.

    Notice, no further discussion here.

    My experience is this: a practice daily walks a tightrope act. Each day that completes without disaster is a sigh of relief. After a while, not a second thought is given to the way things operate, as there are more pressing issues to deal with “today”.

    Then disaster strikes: like when a law office called to have their crashed computer fixed. Only, this was a complete physical hard drive failure.

    “We don’t have any backup.”

    A $3000 clean room fee later and they got most of their data back. No telling how many years of life the lawyer worried away.

    The point is, just like a proper diet and exercise, there is saying you’ll do it, then there is actually doing it.

    HIPAA is there to force the medical world to do it, yet Docs still routinely ignore it.

    The smart ones are acting now. Once the heavy fines start flying, the rest will scramble.

  • Our helicopters began arriving on the roof helipads of a large New Orleans hospital to help in the evacuation of patients, staff and family members several days after Katrina.

    As we were loading our first load of ambulatory patients I asked the physician running the rooftop vertical evacuation staging: “Where are the patients’ records and charts?” He told me the records for the most part were under water, and as for the ward patient charts … he just shrugged.

    I looked over the edge into the 12 feet of water eight floors down and the long line of ambulatory and litter patients needing to be moved. Shook my head and said: “Oh cr*p! … well, guess we need to get on with it.”

    The patients from this hospital and several others in New Orleans were lifted to hospitals from Slidell to Baton Rouge to Lafayette. Patients arrived at their next facility for the most part without one single piece of paper telling the story as to who they were, where they lived, their medical history, why they were hospitalized, who was their attending physician, what their insurance coverage details were, or what their treatment plan was.

    “Cr*p, cr*p, cr*p.”
