Order Code RS22310
October 28, 2005

CRS Report for Congress
Received through the CRS Web

Hurricane Katrina: HIPAA Privacy and Electronic Health Records of Evacuees

Gina Marie Stevens
Legislative Attorney
American Law Division

Congressional Research Service, The Library of Congress

Summary

On September 4th, 2005 Health and Human Services (HHS) Secretary Leavitt declared a federal public health emergency for Louisiana, Alabama, Mississippi, Florida and Texas, and waived certain requirements under Medicare, Medicaid, the State Children's Health Insurance Program, and the Health Insurance Portability and Accountability Act to allow health care providers in affected areas to care for patients without violating certain provisions of those laws. The Secretary waived sanctions and penalties arising from noncompliance with certain provisions of the HIPAA privacy regulations. On September 9, HHS issued Hurricane Katrina Bulletin #2 – HIPAA Privacy Rule Compliance Guidance and Enforcement Statement for Activities in Response to Hurricane Katrina. The September 9 bulletin builds on a September 2 guidance in which the department emphasized how the HIPAA privacy rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving care. Shortly after Hurricane Katrina, the federal government began a pilot test of KatrinaHealth.org, an Electronic Health Record (EHR) online system, sharing prescription drug information for most of the hurricane evacuees with health care professionals. This report discusses, in response to Hurricane Katrina, HHS' waiver of certain provisions of the HIPAA Privacy Rule, and the compliance and enforcement guidance with respect to the Privacy Rule issued by HHS. It also provides a brief overview of KatrinaHealth.org. This report will not be updated.

HIPAA Privacy Rule Waivers. Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[1] to improve portability and continuity of health insurance coverage. On August 14, 2002, HHS published the modified final Privacy Rule to regulate the use and disclosure of protected health information, 67 Fed. Reg. 53181.[2] On September 4, 2005 Health and Human Services Secretary Leavitt declared a federal public health emergency for Louisiana, Alabama, Mississippi, Florida and Texas, and waived certain requirements under the Health Insurance Portability and Accountability Act to allow health care providers in affected areas to care for patients without violating certain provisions of the HIPAA Privacy Rule.[3] The Secretary waived sanctions and penalties arising from noncompliance with the following provisions of the HIPAA privacy regulations: (a) the requirements to obtain a patient's agreement to speak with family members or friends or to honor a patient's request to opt out of the facility directory (45 C.F.R. 164.510); (b) the requirement to distribute a notice of privacy practices (45 C.F.R. 164.520); and (c) the patient's right to request privacy restrictions or confidential communications (45 C.F.R. 164.522). The HIPAA waivers are in effect for a period of time not to exceed 72 hours from implementation of a hospital disaster protocol, and are not effective with respect to any action taken that discriminates among individuals on the basis of their source of payment or their ability to pay.

[1] P.L. 104-191, 110 Stat. 1936, 42 U.S.C. §§ 1320d et seq.

On September 9 HHS issued Hurricane Katrina Bulletin #2 – "HIPAA Privacy Rule Compliance Guidance and Enforcement Statement for Activities in Response to Hurricane Katrina."[4] The September 9 bulletin expounds upon a September 2 guidance in which the Department emphasized that the HIPAA privacy rule "allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need."[5] Bulletin #2 gave as an example the allowed disclosure by health plans and health care providers of prescription and other health information to health care providers at shelters to facilitate treatment of evacuees. In addition, HHS allowed business associates (entities managing information on behalf of covered entities) to make disclosures "to the extent permitted by their business associate agreements with the covered entities, as provided in the Privacy Rule." In terms of compliance guidance, HHS indicated that covered entities or their business associates "may provide health information on evacuees to another party for that party to manage the health information and share it as needed for providing health care to the evacuees." On the subject of enforcement, HHS noted that Section 1176(b) of the Social Security Act provides the agency may not impose a civil money penalty where the failure to comply is based on reasonable cause and is not due to willful neglect, and the failure to comply is cured within a 30-day period. HHS asserted its authority to extend the period within which a covered entity may cure the noncompliance "based on the nature and extent of the failure to comply." HHS, in determining whether reasonable cause exists for a covered entity's failure to meet requirements and in determining whether and to what extent the period within which noncompliance must be cured, "will consider the emergency circumstances arising from Hurricane Katrina, along with good faith efforts by covered entities, its business associates and their agents, both to protect the privacy of health information and to appropriately execute the agreements required by the Privacy Rule as soon as practicable."

[2] Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164; [http://www.hhs.gov/ocr/combinedregtext.pdf].
[3] U.S. Department of Health and Human Services, Hurricane Katrina: HHS Declares Public Emergency for Hurricane Katrina (Sep. 4, 2005), [http://www.hhs.gov/katrina/ssawaiver.html].
[4] U.S. Department of Health and Human Services, Hurricane Katrina Bulletin #2: HIPAA Privacy Rule Compliance Guidance and Enforcement For Activities in Response to Hurricane Katrina, [http://www.hhs.gov/ocr/hipaa/EnforcementStatement.pdf].
[5] U.S. Department of Health and Human Services, Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations, [http://www.hhs.gov/ocr/hipaa/KATRINAnHIPAA.pdf].

Prescription Health Records of Evacuees. Shortly after Hurricane Katrina, the federal government began a pilot test of KatrinaHealth.org, an Electronic Health Record (EHR) online system, sharing prescription drug information for most of the hurricane evacuees with health care professionals. The launch of KatrinaHealth.org was possible in part because of plans already made and actions taken by the Administration, the Congress, foundations, and the private sector to implement electronic health records (EHRs) as part of the national health information infrastructure.[6] President Bush and the Departments of Health and Human Services, Defense, and Veterans Affairs (HHS) have focused on the importance of transforming health care delivery through the improved use of health information technology (HIT). Philanthropies such as California Health Care Foundation, Robert Wood Johnson, the Markle Foundation, and many others have provided funding, leadership, and expertise to this effort.
In the private sector, the medical informatics, nursing informatics, and the medical and nursing professional societies have also been involved.

Electronic health records are controversial among many privacy advocates and citizens, who are concerned about information security and the potential for the exploitation of personal medical information by hackers, companies or the government, and the sharing of health information without the patients' knowledge.[7] Privacy advocates, in general, support and encourage the development of an interoperable national health information network built on the concepts of patient control, privacy, and participation.[8]

[6] National Committee on Vital and Health Statistics, "Assuring a Health Dimension for the National Information Infrastructure," (Oct. 14, 1998) [http://www.ncvhs.hhs.gov/hii-nii.htm]; In March 2003 the first set of uniform standards for the electronic exchange of clinical health information to be adopted across the federal government were announced. U.S. Department of Health and Human Services, The Consolidated Health Informatics Initiative, [http://www.hhs.gov/healthit/chiinitiative.html]; The Medicare Prescription Drug Improvement and Modernization Act of 2003 requires the Centers for Medicare and Medicaid Services to develop standards for electronic prescribing, and requires the establishment of a Commission on Systemic Interoperability. P.L. No. 108-173, 117 Stat. 2066, §§ 101(e)(4)(A) and 1012; Department of Health and Human Services, Centers for Medicare & Medicaid Services, Medicare Program; E-Prescribing and the Prescription Drug Program, 70 FR 6256 (Feb. 5, 2005); Executive Order 13335: Incentives for the Use of Health Information Technology and Establishing the Position of the National Health Information Technology Coordinator, (Apr. 27, 2004), [http://www.whitehouse.gov/news/releases/2004/04/20040427-4.html]; President's Information Technology Advisory Committee, Revolutionizing Health Care Through Information Technology (June 2004) [http://www.nitrd.gov/pitac/meetings/2004/20040617/20040615_hit.pdf]; Markle Foundation, Preliminary Roadmap for Achieving Electronic Connectivity in Healthcare, [http://www.connectingforhealth.org/resources/cfh_aech_roadmap_072004.pdf]; Health and Human Services and the National Coordinator for Health IT, The Decade of Health Information Technology: Delivering Consumer-centric and Information-rich Health Care, Framework for Strategic Action (July 21, 2004), [http://www.hhs.gov/healthit/documents/hitframework.pdf]; Health and Human Services, Commissioners Selected for American Health Information Community The Community Will Help Shape the Future of Health Care for Generations (Sep. 13, 2005), [http://www.hhs.gov/news/press/2005pres/20050913.html].

On September 22, 2005, KatrinaHealth.org [http://www.katrinahealth.org], a secure online service, was launched to enable authorized healthcare providers to electronically access medication and dosage information for evacuees from Hurricane Katrina in order to renew prescriptions, prescribe new medications, and coordinate care. KatrinaHealth.org is a completely new, secure online service created in three weeks to help deliver quality care and avoid medical errors. The data contain records from 150 zip codes in areas hit by Katrina.
At its launch, prescription drug records on over 800,000 people from the region could be searched by health care professionals.[9] The information was compiled and made accessible by private companies, public agencies, and national organizations, including medical software companies; pharmacy benefit managers; chain pharmacies; local, state, and federal agencies; and a national foundation. The effort to create KatrinaHealth.org was facilitated by the Office of the National Coordinator for Health Information, Department of Health and Human Services. With the assistance of federal, state, and local governments, KatrinaHealth.org is being operated by private organizations, such as the Markle Foundation.[10]

The data or prescription information was obtained from a variety of government and commercial sources. Sources include more than 150 private and public organizations' electronic databases from commercial pharmacies, government health insurance programs such as Medicaid, and private insurers such as Blue Cross and Blue Shield Association of America, and pharmacy benefits managers in the states affected by the storm. Key data and resources were contributed by the American Medical Association (AMA), Gold Standard, the Markle Foundation, RxHub and SureScripts. Data contributors also include the Medicaid programs of Louisiana and Mississippi; chain pharmacies (Albertsons, CVS, Kmart, Rite Aid, Target, Walgreens, Wal-Mart, Winn Dixie); and Pharmacy Benefit Managers (RxHub, Caremark, Express Scripts, Medco Health Solutions). Federal agencies involved include the U.S. Departments of Commerce, Defense, Health and Human Services, Homeland Security, and Veterans Affairs. The information in KatrinaHealth.org does not exist in a central database; rather, access is provided to a mix of data sets. Some of the information from chain pharmacies has been aggregated while other available information has not.

[7] In January 2005, privacy advocates, the AFL-CIO, the National Association of People with AIDS, the American Mental Health Counselors Association, and the American Association of People with Disabilities collectively submitted comments to the Office of the National Coordinator for Health Information Technology urging strong privacy and security protections be built in at the outset of developing a system of electronic health records. See, Health Privacy Project, Majority of Americans Have Privacy Concerns about Electronic Medical Record System (Feb. 23, 2005), [http://www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=263085].
[8] See, e.g., [http://www.healthprivacy.org/usr_doc/NHIN_RFI_Response.pdf].
[9] Krim, Jonathon, Health Records of Evacuees Go Online, New York Times (Sep. 14, 2005).
[10] WWW.KATRINAHEALTH.ORG Will Provide Prescription Medication Information For Katrina Evacuees to Authorized Health Professionals and Pharmacists, (Sep. 22, 2005), [http://www.markle.org/resources/press_center/press_releases/2005/press_release_09222005.php].

Licensed doctors and pharmacists, anywhere in the United States, treating evacuees from Louisiana, Mississippi, and Alabama, are eligible to use KatrinaHealth. Patients are not permitted access to the prescription information at the online site. Authorized clinicians and pharmacists using the system can view evacuees' prescription histories online, obtain available patient allergy information and other alerts, view drug interaction reports and alerts, see therapeutic duplication reports and alerts, and query clinical pharmacology drug information.
The system will only be accessible to authorized health care professionals and pharmacists, who are providing treatment or supporting the provision of treatment to evacuees. To ensure that only authorized physicians use KatrinaHealth.org, the AMA will provide physician credentialing and authentication services. The AMA will validate the identity of health care providers, a key step in ensuring patient confidentiality and security. The National Community Pharmacists Association (NCPA) will authenticate and provide access for independent pharmacy owners. SureScripts will provide these services for chain pharmacies on behalf of the National Association of Chain Drug Stores (NACDS).

When treating an evacuee, an authorized user of KatrinaHealth.org will be prompted to enter the evacuee's first name, last name, date of birth, pre-Katrina residence zip code and gender. If the evacuee's information is available in KatrinaHealth.org, the health provider will link to the following information: quantity and day supply; the pharmacy that filled the script (if available); the provider that wrote the script; and drug information, such as indication and dosage, administration and interactions. Tools to prevent unauthorized access, and audit logs of system access and records access will be maintained and reviewed. The site provides "Read Only" access and information in the system cannot be modified or otherwise changed.

The developers acknowledge that KatrinaHealth.org does not contain information on every Katrina evacuee from Louisiana, Mississippi, and Alabama, that the information on each evacuee's prescription history may be incomplete, and that the data may contain errors or omissions or duplication. Users of KatrinaHealth are encouraged to review the data with the patient.

According to the developers, privacy and security concerns were central to the design of KatrinaHealth.org. Only authorized users are permitted access to the site.
Highly sensitive personal information was filtered out to comply with state privacy laws. Medication information about certain sensitive health care conditions (HIV/AIDS, mental health issues, and substance abuse or chemical dependencies) is not available through KatrinaHealth.

Pilot site participants included shelter staff at Reunion Arena and Dallas County Convention Center in Dallas, Texas; Special Needs Shelters in Louisiana; Sparks Regional Medical Center; University of Mississippi Medical Center; University of South Alabama College of Medicine; University of Texas at Houston; and University of Texas Southwestern.