Skip to content Skip to navigation

Disaster Preparedness and HIEs

September 28, 2012
by John DeGaspari
| Reprints
ONC works with states to develop a blueprint for action

As health information technology and health information exchanges (HIEs) make progress on improving the quality of healthcare, one area that has received limited research is how HIEs can provide timely access to clinical information in response to a disaster. That’s the subject of the final report, released in July, of the Southeast Regional HIT-HIE Collaboration (SERCH), which makes recommendations to improve how the nation’s ability to respond to natural disasters through the use of HIEs.

The SERCH consortium, which was formed in November 2010, included representatives from states at high risk of hurricanes: Alabama, Arkansas, Florida, Georgia, Louisiana and Texas. Its aim was to come up with a strategic plan for sharing health information data among the Southeast and Gulf Coast states during a declared natural disaster, and includes an actionable plan for incorporating HIEs into disaster preparedness efforts. The members assessed the challenges of accessing medical records and coordinating health healthcare information among patient populations displaced during a disaster.

The report also addresses legal, technical and governance issues, and lays out steps states can take to align their HIE activities with emergency preparedness activities. It made five recommendations that any public or private organization planning to share electronic health information during a disaster should follow:

  • Understand the state’s disaster response policies and align with the lead state agency (designated by the National Response Framework as responsible for Public Health and Medical Services Emergency Function #8) to coordinate public and private interests and create working relationships in planning for disasters.
  • Develop standard procedures to share electronic health information across state lines before a disaster occurs.
  • Consider enacting a memorandum of understanding to establish a waiver of liability for the release of records when an emergency is declared, and to default state privacy and security laws to existing Health Insurance Portability and Accountability Act (HIPAA) rules in a disaster. It also suggests using the Data Use and Reciprocal Support Agreement (DURSA) to address or expedite patient privacy, security or health data-sharing concerns.
  • Assess the state’s availability of public and private health information sources and its ability to electronically share the data using HIEs and other data-sharing entities.
  • Consider a phased approach to establishing interstate electronic health information-sharing capabilities.

As noted in the report, none of the consortium member states had an operational statewide HIE network as of September 2011. It envisions a three-phase approach for the technical aspects of providing data during a disaster. These include a foundation for data sharing, likely through transmissions of shared point-to-point encrypted messages of data from personal health records, cloud-based electronic health records, claims data and other information; privacy provisions; and, eventually, integrated access accompanied by participation agreements, privacy policies and business associate agreements.

HIE as a Model for Data Backup and Sharing

Separately, interviews with HIE leaders prior to the release of the SERCH report suggest that disaster preparedness should be taken seriously by HIEs, and suggest why HIEs are a useful platform for disaster planning across state lines. Within their own networks, HIEs are a model for sharing of patient data, while providing redundant systems for data storage for their provider organizations. Depending on the model of HIE, each takes a slightly different approach to protecting its data within its own network.

Dick Thompson, executive director and CEO of Quality Health Network (QHN), Grand Junction, Colo., which covers nearly all of the western part of the state, says the HIE, which is coming up on its seventh anniversary, has become “mission-critical to many of our stakeholders.” He notes that QHN is a Beacon Community organization that has deployed population health tools and virtual longitudinal patient records that provide medical histories of patients regardless of where they are in the state. It is also beginning to include business analytics and claims data to better correlate improvements in care quality and costs.

QHN is a federated model, with multiple disparate sources of data, in which participating hospital members retain copies of their own data, and have their own backup, failover and disaster recovery capabilities, he says.

He says QHN has been cognizant of the importance of disaster preparedness since the beginning, and put in place a disaster recovery plan within six months of its go-live. “It’s an important part of the business plan, and it’s important that we test it annually,” he says.

QHN contracts with an outside vendor (Optum, Eden Prairie, Minn.), which includes disaster recovery services. As the HIE has expanded its services, it has signed disaster recovery agreements with other vendors as well, he says. Thompson notes that disaster recovery testing is done in conjunction with the vendor, and takes into account configuration changes that have been made to the system. Data is synchronized daily between the primary data site and the secondary site. Testing should encompass people and process as well as technology, “so that people on both sides of the process understand that they can actually execute,” he says.