Order Code RS22310
October 28, 2005
CRS Report for Congress
Received through the CRS Web
Hurricane Katrina: HIPAA Privacy and
Electronic Health Records of Evacuees
Gina Marie Stevens
Legislative Attorney
American Law Division
Summary
On September 4th, 2005, Health and Human Services (HHS) Secretary Leavitt
declared a federal public health emergency for Louisiana, Alabama, Mississippi, Florida
and Texas, and waived certain requirements under Medicare, Medicaid, the State
Children's Health Insurance Program, and the Health Insurance Portability and
Accountability Act to allow health care providers in affected areas to care for patients
without violating certain provisions of those laws. The Secretary waived sanctions and
penalties arising from noncompliance with certain provisions of the HIPAA privacy
regulations.
On September 9, HHS issued Hurricane Katrina Bulletin #2 – HIPAA Privacy
Rule Compliance Guidance and Enforcement Statement for Activities in Response to
Hurricane Katrina. The September 9 bulletin builds on a September 2 guidance in
which the department emphasized how the HIPAA privacy rule allows patient
information to be shared to assist in disaster relief efforts, and to assist patients in
receiving care. Shortly after Hurricane Katrina, the federal government began a pilot
test of KatrinaHealth.org, an Electronic Health Record (EHR) online system, sharing
prescription drug information for most of the hurricane evacuees with health care
professionals.
This report discusses, in response to Hurricane Katrina, HHS’ waiver of certain
provisions of the HIPAA Privacy Rule, and the compliance and enforcement guidance
with respect to the Privacy Rule issued by HHS. It also provides a brief overview of
KatrinaHealth.org. This report will not be updated.
HIPAA Privacy Rule Waivers. Congress enacted the Health Insurance Portability
and Accountability Act of 1996 (HIPAA),1 to improve portability and continuity of health
insurance coverage. On August 14, 2002, HHS published the modified final Privacy Rule
to regulate the use and disclosure of protected health information, 67 Fed. Reg. 53181.2
1 P.L. 104-191, 110 Stat. 1936, 42 U.S.C. §§ 1320d et seq.
Congressional Research Service ~ The Library of Congress
On September 4, 2005, Health and Human Services Secretary Leavitt declared a
federal public health emergency for Louisiana, Alabama, Mississippi, Florida and Texas,
and waived certain requirements under the Health Insurance Portability and
Accountability Act to allow health care providers in affected areas to care for patients
without violating certain provisions of the HIPAA Privacy Rule.3 The Secretary waived
sanctions and penalties arising from noncompliance with the following provisions of the
HIPAA privacy regulations: (a) the requirements to obtain a patient’s agreement to speak
with family members or friends or to honor a patient’s request to opt out of the facility
directory (45 C.F.R. 164.510); (b) the requirement to distribute a notice of privacy
practices (45 C.F.R. 164.520); and (c) the patient’s right to request privacy restrictions or
confidential communications (45 C.F.R. 164.522). The HIPAA waivers are in effect for
a period of time not to exceed 72 hours from implementation of a hospital disaster
protocol, and are not effective with respect to any action taken that discriminates among
individuals on the basis of their source of payment or their ability to pay.
On September 9 HHS issued Hurricane Katrina Bulletin #2 – “HIPAA Privacy Rule
Compliance Guidance and Enforcement Statement for Activities in Response to
Hurricane Katrina.”4 The September 9 bulletin expounds upon a September 2 guidance
in which the Department emphasized that the HIPAA privacy rule "allows patient
information to be shared to assist in disaster relief efforts, and to assist patients in
receiving the care they need."5 Bulletin #2 gave as an example the allowed disclosure by
health plans and health care providers of prescription and other health information to
health care providers at shelters to facilitate treatment of evacuees. In addition, HHS
allowed business associates (entities managing information on behalf of covered entities)
to make disclosures "to the extent permitted by their business associate agreements with
the covered entities, as provided in the Privacy Rule." In terms of compliance guidance,
HHS indicated that covered entities or their business associates "may provide health
information on evacuees to another party for that party to manage the health information
and share it as needed for providing health care to the evacuees." On the subject of
enforcement, HHS noted that Section 1176(b) of the Social Security Act provides that the
agency may not impose a civil money penalty where the failure to comply is based on
reasonable cause and is not due to willful neglect, and the failure to comply is cured
within a 30-day period. HHS asserted its authority to extend the period within which a
covered entity may cure the noncompliance "based on the nature and extent of the failure
to comply." HHS, in determining whether reasonable cause exists for a covered entity's
failure to meet requirements and in determining whether and to what extent the period
within which noncompliance must be cured, "will consider the emergency circumstances
arising from Hurricane Katrina, along with good faith efforts by covered entities, its
business associates and their agents, both to protect the privacy of health information and
to appropriately execute the agreements required by the Privacy Rule as soon as
practicable."
2 Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and
164; [http://www.hhs.gov/ocr/combinedregtext.pdf].
3 U.S. Department of Health and Human Services, Hurricane Katrina: HHS Declares Public
Emergency for Hurricane Katrina (Sep. 4, 2005), [http://www.hhs.gov/katrina/ssawaiver.html].
4 U.S. Department of Health and Human Services, Hurricane Katrina Bulletin #2: HIPAA Privacy
Rule Compliance Guidance and Enforcement For Activities in Response to Hurricane Katrina,
[http://www.hhs.gov/ocr/hipaa/EnforcementStatement.pdf].
5 U.S. Department of Health and Human Services, Hurricane Katrina Bulletin: HIPAA Privacy
and Disclosures in Emergency Situations,
[http://www.hhs.gov/ocr/hipaa/KATRINAnHIPAA.pdf].
Prescription Health Records of Evacuees. Shortly after Hurricane Katrina,
the federal government began a pilot test of KatrinaHealth.org, an Electronic Health
Record (EHR) online system, sharing prescription drug information for most of the
hurricane evacuees with health care professionals. The launch of KatrinaHealth.org was
possible in part because of plans already made and actions taken by the Administration,
the Congress, foundations, and the private sector to implement electronic health records
(EHRs) as part of the national health information infrastructure.6 President Bush and the
Departments of Health and Human Services (HHS), Defense, and Veterans Affairs have
focused on the importance of transforming health care delivery through the improved use
of health information technology (HIT). Philanthropies such as California Health Care
Foundation, Robert Wood Johnson, the Markle Foundation, and many others have
provided funding, leadership, and expertise to this effort. In the private sector, the medical
informatics, nursing informatics, and the medical and nursing professional societies have
also been involved.
Electronic health records are controversial among many privacy advocates and
citizens, who are concerned about information security and the potential for the
exploitation of personal medical information by hackers, companies or the government,
and the sharing of health information without the patients' knowledge.7 Privacy
advocates, in general, support and encourage the development of an interoperable national
health information network built on the concepts of patient control, privacy, and
participation.8
6 National Committee on Vital and Health Statistics, "Assuring a Health Dimension for the
National Information Infrastructure," (Oct. 14, 1998) [http://www.ncvhs.hhs.gov/hii-nii.htm]; In
March 2003 the first set of uniform standards for the electronic exchange of clinical health
information to be adopted across the federal government were announced. U.S. Department of
Health and Human Services, The Consolidated Health Informatics Initiative,
[http://www.hhs.gov/healthit/chiinitiative.html]; The Medicare Prescription Drug Improvement
and Modernization Act of 2003 requires the Centers for Medicare and Medicaid Services to
develop standards for electronic prescribing, and requires the establishment of a Commission on
Systemic Interoperability. P.L. No. 108-173, 117 Stat. 2066, §§ 101(e)(4)(A) and 1012;
Department of Health and Human Services, Centers for Medicare & Medicaid Services, Medicare
Program; E-Prescribing and the Prescription Drug Program, 70 FR 6256 (Feb. 5, 2005);
Executive Order 13335: Incentives for the Use of Health Information Technology and
Establishing the Position of the National Health Information Technology Coordinator, (Apr. 27,
2004), [http://www.whitehouse.gov/news/releases/2004/04/20040427-4.html]; President's
Information Technology Advisory Committee, Revolutionizing Health Care Through Information
Technology (June 2004)
[http://www.nitrd.gov/pitac/meetings/2004/20040617/20040615_hit.pdf]; Markle Foundation,
Preliminary Roadmap for Achieving Electronic Connectivity in Healthcare,
[http://www.connectingforhealth.org/resources/cfh_aech_roadmap_072004.pdf]; Health and
Human Services and the National
Coordinator for Health IT, The Decade of Health Information Technology: Delivering
Consumer-centric and Information-rich Health Care, Framework for Strategic Action (July 21,
2004), [http://www.hhs.gov/healthit/documents/hitframework.pdf]; Health and Human Services,
Commissioners Selected for American Health Information Community The Community Will
Help Shape the Future of Health Care for Generations (Sep. 13, 2005),
[http://www.hhs.gov/news/press/2005pres/20050913.html].
On September 22, 2005, KatrinaHealth.org [http://www.katrinahealth.org], a secure
online service, was launched to enable authorized healthcare providers to electronically
access medication and dosage information for evacuees from Hurricane Katrina in order
to renew prescriptions, prescribe new medications, and coordinate care.
KatrinaHealth.org is a completely new, secure online service created in three weeks to
help deliver quality care and avoid medical errors. The data contain records from 150 zip
codes in areas hit by Katrina. At its launch, prescription drug records on over 800,000
people from the region could be searched by health care professionals.9 The information
was compiled and made accessible by private companies, public agencies, and national
organizations, including medical software companies; pharmacy benefit managers; chain
pharmacies; local, state, and federal agencies; and a national foundation. The effort to
create KatrinaHealth.org was facilitated by the Office of the National Coordinator for
Health Information, Department of Health and Human Services. With the assistance of
federal, state, and local governments, KatrinaHealth.org is being operated by private
organizations, such as the Markle Foundation.10
The data or prescription information was obtained from a variety of government and
commercial sources. Sources include more than 150 private and public organizations'
electronic databases from commercial pharmacies, government health insurance programs
such as Medicaid, and private insurers such as Blue Cross and Blue Shield Association
of America, and pharmacy benefits managers in the states affected by the storm. Key
data and resources were contributed by the American Medical Association (AMA), Gold
Standard, the Markle Foundation, RxHub and SureScripts. Data contributors also include
the Medicaid programs of Louisiana and Mississippi; chain pharmacies (Albertsons, CVS,
Kmart, Rite Aid, Target, Walgreens, Wal-Mart, Winn Dixie); and Pharmacy Benefit
Managers (RxHub, Caremark, Express Scripts, Medco Health Solutions). Federal
agencies involved include the U.S. Departments of Commerce, Defense, Health and
Human Services, Homeland Security, and Veterans Affairs. The information in
KatrinaHealth.org does not exist in a central database; rather, access is provided to a mix
of data sets. Some of the information from chain pharmacies has been aggregated while
other available information has not.
7 In January 2005, privacy advocates, the AFL-CIO, the National Association of People with
AIDS, the American Mental Health Counselors Association, and the American Association of
People with Disabilities collectively submitted comments to the Office of the National
Coordinator for Health Information Technology urging strong privacy and security protections
be built in at the outset of developing a system of electronic health records. See, Health Privacy
Project, Majority of Americans Have Privacy Concerns about Electronic Medical Record System
(Feb. 23, 2005),
[http://www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=263085]
8 See, e.g., [http://www.healthprivacy.org/usr_doc/NHIN_RFI_Response.pdf].
9 Krim, Jonathon, Health Records of Evacuees Go Online, New York Times (Sep. 14, 2005).
10 WWW.KATRINAHEALTH.ORG Will Provide Prescription Medication Information For
Katrina Evacuees to Authorized Health Professionals and Pharmacists, (Sep. 22, 2005),
[http://www.markle.org/resources/press_center/press_releases/2005/press_release_09222005.php].
Licensed doctors and pharmacists, anywhere in the United States, treating evacuees
from Louisiana, Mississippi, and Alabama, are eligible to use KatrinaHealth. Patients are
not permitted access to the prescription information at the online site. Authorized
clinicians and pharmacists using the system can view evacuees' prescription histories
online, obtain available patient allergy information and other alerts, view drug interaction
reports and alerts, see therapeutic duplication reports and alerts, and query clinical
pharmacology drug information. The system will only be accessible to authorized health
care professionals and pharmacists, who are providing treatment or supporting the
provision of treatment to evacuees. To ensure that only authorized physicians use
KatrinaHealth.org, the AMA will provide physician credentialing and authentication
services. The AMA will validate the identity of health care providers, a key step in
ensuring patient confidentiality and security. The National Community Pharmacists
Association (NCPA) will authenticate and provide access for independent pharmacy
owners. SureScripts will provide these services for chain pharmacies on behalf of the
National Association of Chain Drug Stores (NACDS).
When treating an evacuee, an authorized user of KatrinaHealth.org will be prompted
to enter the evacuee's first name, last name, date of birth, pre-Katrina residence zip code
and gender. If the evacuee's information is available in KatrinaHealth.org, the health
provider will link to the following information: quantity and day supply; the pharmacy
that filled the script (if available); the provider that wrote the script; and drug information,
such as indication and dosage, administration and interactions.
Tools to prevent unauthorized access, and audit logs of system access and records
access will be maintained and reviewed. The site provides “Read Only” access and
information in the system cannot be modified or otherwise changed.
The developers acknowledge that KatrinaHealth.org does not contain information
on every Katrina evacuee from Louisiana, Mississippi, and Alabama, that the information
on each evacuee’s prescription history may be incomplete, and that the data may contain
errors or omissions or duplication. Users of KatrinaHealth are encouraged to review the
data with the patient.
According to the developers, privacy and security concerns were central to the design
of KatrinaHealth.org. Only authorized users are permitted access to the site. Highly
sensitive personal information was filtered out to comply with state privacy laws.
Medication information about certain sensitive health care conditions (HIV/AIDS, mental
health issues, and substance abuse or chemical dependencies) is not available through
KatrinaHealth.
Pilot site participants included shelter staff at Reunion Arena and Dallas County
Convention Center in Dallas, Texas; Special Needs Shelters in Louisiana; Sparks
Regional Medical Center; University of Mississippi Medical Center; University of South
Alabama College of Medicine; University of Texas at Houston; and University of Texas
Southwestern.