If you are a healthcare provider or supplier that engages with Medicare and Medicaid programs, it’s urgent that you understand and comply with new Department of Health and Human Services (HHS) healthcare emergency preparednessregulations (“EP Regulations”) to protect your access to Medicare and Medicaid programs. Under the new rules issued by the Center for Medicare and Medicaid Services providers must comply by November 15, 2017. That is this calendar year folks. Are you ready?
Finding that current healthcare emergency preparedness plans do not go far enough, HHS now requires providers and suppliers to:
- Adequately prepare for both manmade and natural disasters
- Meet the needs of patients during emergency situations and
- Coordinate with governmental emergency response systems.
Think of it as a much-needed adaptation in the wake of historic natural disasters like Hurricanes Andrew, Katrina and Sandy, the latest onslaught felt this summer by Harvey and Irma, along with other increasing mass injury events such as the recent earthquakes in Mexico. This is in addition to the cyberattacks on technology systems like WannaCry and Petya simply requires that organizations have solid notification and response plans in plan.
The EP Regulation covers 17 different provider types including home health agencies (HHAs), hospice and long-term care facilities (LTCF), many of which are under-prepared for emergencies compared to large healthcare systems. “Whether it’s trauma care or long-term nursing care or a home health service, patients’ needs for health care don’t stop when disasters strike; in fact, their needs often increase in the immediate aftermath of a disaster,” said Dr. Nicole Lurie, HHS assistant secretary for preparedness and response.
HHS outlines four core elements for healthcare emergency preparedness — (a) risk assessment and planning, (b) policies and procedures, (c) communication plan and (d) training and testing.
All four are important and must be adhered to by the November deadline. In this blog however, I want to take a closer look at communications in disasters and emergencies – what kinds of communications may be expected, the impact that can occur and what alternative communication channels exist to help providers comply with the healthcare emergency preparedness regulations?
Natural disasters such as hurricanes, earthquakes, wildfires, flooding and extreme weather can devastate healthcare providers’ ability to give care and keep families informed about their loved ones’ status and location in the case of an evacuation. Power and phone lines go down, along with transportation infrastructure – all isolating first responders and healthcare providers during disasters.
An Urban Institute study on Hospitals in Hurricane Katrina found that dependencies on citywide communications that failed in the hurricane put patients in perilous circumstances, with hospitals severed from the outside world as they struggled to keep ICU and hospice patients alive and coordinate chaotic evacuations. “When the hospital heard from no one on [Tuesday], people began to get nervous.”
Of course, it’s not only large hospitals that face communications issues during natural disasters. Home healthcare providers giving care in homes, hospices assisting dying patients, long-term care facilities (LTCF) and skilled nursing facilities (SNF) with ill residents are also cut off from patients’ doctors, families and emergency responders. Imagine the anxiety of families unable to contact care givers after severe weather. A panicked meds nurse at a LTCF or hospice may urgently need to discuss lifesaving medication or pain management substitutes when flooding destroys medication supplies or like in the case with Irma, panic set in and deaths unfortunately occurred due to the lack of air-conditioning. All plausible situations that you, the healthcare facility must have a plan for in case of emergency.
The healthcare emergency preparedness regulation requires that HHA, Hospice and LTCF have communication plans that specify primary and alternative means for communicating with staff, employees and governmental emergency management agencies. They must also maintain continuity of care with a method for sharing information on patients under their care, patient families and with other healthcare providers during a disaster or emergency. Providers must also be able to keep the Incident Response Center informed on their needs and ability to provide assistance.
Do you have these communication capabilities?
This is a category that unfortunately has several areas to be covered and planned for. Whether cyberattacks, acts of terror, shootings or carelessness, the human race can be the cause of large-scale incidents or disasters that healthcare organizations must be prepared to respond. Certainly, cyberattacks are on the top of every emergency preparedness list. The Reg’s overview however only references cyberattacks as a hazard that may be considered in developing emergency plans – though there are no specific cybersecurity requirements that must be met. Following the WannaCry cyberattack that locked down systems in 20 percent of the U.K.’s National Health Service, U.S. healthcare providers worked feverishly (and are still working) to buoy their systems. In these cyberattacks of ransomware, criminals encrypt healthcare systems to block doctors and healthcare providers from accessing patient files and from using technology to care for patients – all pending a ransom payment. Unfortunately, most are ill-prepared to deal with such a request and end up paying the ransom.
To deal with a cyberattack that freeze the communication and data systems and therefore the care of patients, HHAs, hospices and long-term facilities will all want an alternative channel of communication as part of their emergency communication plans. A secure, alternative communication method to discuss notification, bringing up backup and recovery systems to avoid paying ransom, and to do so without tipping off the bad actor of recovery plans are all extremely desirable.
Dealing with acts of terror or an active shooter, however, can be just as important when providing your plans for incident response. Women’s Health reports that during the Pulse nightclub disaster last year, the emergency alert system at the Orlando Regional Medical Center didn’t reach all medical personnel. So, the attending trauma surgeon started calling personal cell phones to get doctors and nurses to rush in to help handle the chaos of 44 gunshot victims and 28 emergency surgeries. Pagers didn’t help because doctors typically turn those off when not on call. Worried families suffered enormously as they waited for word on the many “Jane Doe” patients.
Clearly, making one-off cell phone calls is not an efficient communication method to round up medical teams to save victims in mass shootings. The same can be said for emergency communications needed to manage the trauma and carnage experienced by healthcare providers in incidents like the Boston Marathon bombing or other mass public injury events. The phone tree approach and waiting game are not enough when an emergency has occurred. This could be the same scenario if an active shooter walks into an emergency room or a long- term care facility. There’s got to be a better way to for healthcare providers to communicate during an emergency or a disaster.
Secure Texting for Emergency Preparedness
To comply with the new emergency healthcare preparedness Regulation, providers including HHAs, hospices and LTCFs must be able to communicate the patient’s general condition and location to family members under the Health Insurance Portability and Accountability Act (HIPAA) regulations.
In the case of an emergency, Vaporstream secure messaging provides an alternative communication channel to keep sensitive communications going. This is especially critical for any healthcare organizations, given that they cannot just close when an incident occurs. Secure messaging provides a means to continue critical conversations, to discuss emergency notification, mitigation, response and recovery plans while continuing to serve patients’ immediate needs. Whether manmade or a natural disaster, you can securely text medical care teams, patients, families and government emergency response centers to comply with the communication plan requirements in the new EP regulation.
In the case that hackers or even terrorists have access to certain information or the full network, organizations can rest assured that whatever conversations they need to conduct will be uncompromised via Vaporstream secure messaging, keeping the bad actors “out of the know”. IT and crisis management teams have a secure rapid communication channel to discuss sensitive details for recovery as they work ferociously to restore data and access back-up data, keeping bad actors with access to your network in the dark.
Bottom line – whether a security breach, act of terror or an act of nature, every organization must be prepared to respond in a secure and efficient manner to minimize the impact. Encrypted, secure, ephemeral messaging protects high-level communications at every step of the way—during day-to-day business communications for such things as discussing PII, PHI and IP, as well as during out-of-course events where emergency response plans need to go into action.
Contributor: Kristi Perdue Hinkle
(updated September 18, 2017)