Hurricane Katrina: HIPAA Privacy and Electronic Health Records of Evacuees

January 23, 2007 (RS22310)

Summary

Shortly after Hurricane Katrina, the federal government began a pilot test of KatrinaHealth.org, an online electronic health record (EHR) system that shared prescription drug information for hurricane evacuees with health care professionals. The website was available for a 90-day period. To allow health care providers in affected areas to care for patients without violating the Health Insurance Portability and Accountability Act (HIPAA), Health and Human Services (HHS) Secretary Leavitt waived certain provisions of the HIPAA Privacy Rule and issued guidance to clarify situations where the HIPAA privacy rule allows information sharing to assist in disaster relief efforts and with patient care.

This report discusses HHS's waiver of certain provisions of the HIPAA privacy rule and guidance issued by HHS with respect to the use and disclosure of protected health information under the HIPAA Privacy Rule in response to Hurricane Katrina. It also briefly discusses the development of electronic health records (EHRs) and provides a brief overview of KatrinaHealth.org. This report will be updated.


HIPAA Privacy Rule

Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA)1 to improve portability and continuity of health insurance coverage. The HIPAA Privacy Rule, issued by HHS to implement section 264 of HIPAA (42 U.S.C. § 1320d-2), regulates the use and disclosure of protected health information.2

On September 4, 2005, Health and Human Services Secretary Leavitt declared a federal public health emergency for Louisiana, Alabama, Mississippi, Florida, and Texas.3 To allow health care providers in affected areas to care for patients without violating requirements of HIPAA, Medicare, Medicaid, and the State Children's Health Insurance Program, the HHS Secretary waived certain provisions. Specifically with respect to the HIPAA Privacy Rule, the Secretary waived the imposition of sanctions and penalties arising from noncompliance with the following provisions: (1) requirements to obtain a patient's agreement to speak with family members or friends or to honor a patient's request to opt out of a facility directory (45 C.F.R. 164.510); (2) the requirement to distribute a notice of privacy practices (45 C.F.R. 164.520); and (3) the patient's right to request privacy restrictions or confidential communications (45 C.F.R. 164.522).

In the first Hurricane Katrina bulletin issued by HHS (HIPAA Privacy and Disclosures in Emergency Situations), the Department emphasized that the HIPAA Privacy Rule "allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need."4 The bulletin states that under the rule, health care providers can share patient information to provide treatment and seek payment for health care services; to identify, locate, and notify family members, guardians, or anyone responsible for the individual's care of the individual's location, general condition, or death; with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and the provider's standards of ethical conduct. In addition, health care facilities maintaining a patient directory can tell people who call or ask about individuals whether the individual is at the facility, their location in the facility, and general condition.

On September 9, HHS issued Hurricane Katrina Bulletin #2.5 Because the medical and prescription records of many evacuees were lost or inaccessible, and because health plans and health care providers were working with other industry segments to gather and provide this information, Bulletin #2 provides guidance on how the HIPAA Privacy Rule applies to these activities and describes the HHS Office for Civil Rights' enforcement approach in light of these emergency circumstances.

Bulletin #2 discusses the use and disclosure of prescription and medical information by entities managing information on behalf of covered entities ("business associates"). In general, business associates are permitted to make disclosures "to the extent permitted by their business associate agreements with the covered entities, as provided in the Privacy Rule." The bulletin provides that covered entities or their business associates may provide health information on evacuees to another party for that party to manage the health information and share it as needed for providing health care to the evacuees. Where a covered entity provides protected health information to another for this purpose, the Privacy Rule requires the covered entity to enter into a business associate agreement with this party. If the business associate, rather than the covered entity itself, is providing this information to another party that is acting as its agent, the covered entity's business associate must enter into an agreement to protect health information with this party.6 Sample business associate agreement provisions are attached to the bulletin.

On the subject of enforcement, HHS noted that Section 1176(b) of the Social Security Act provides the agency may not impose a civil money penalty where the failure to comply is based on reasonable cause and is not due to willful neglect, and the failure to comply is cured within a 30-day period. HHS noted its authority to extend the period within which a covered entity may cure the noncompliance "based on the nature and extent of the failure to comply." HHS, in determining whether reasonable cause exists for a covered entity's failure to meet requirements and in determining the period within which noncompliance must be cured, announced that it "will consider the emergency circumstances arising from Hurricane Katrina, along with good faith efforts by covered entities, its business associates and their agents, both to protect the privacy of health information and to appropriately execute the agreements required by the Privacy Rule as soon as practicable."

Electronic Health Records

Shortly after Hurricane Katrina, the federal government began a pilot test of KatrinaHealth.org, an electronic health record (EHR) online system, sharing prescription drug information for most of the hurricane evacuees with health care professionals. The launch of KatrinaHealth.org was possible in part because of plans already made and actions taken by the Administration, the Congress, foundations, and the private sector to implement electronic health records (EHRs) as part of the national health information infrastructure.7 President Bush and the Departments of Health and Human Services (HHS), Defense, and Veterans Affairs have focused on the importance of transforming health care delivery through the improved use of health information technology (HIT). Philanthropies such as California Health Care Foundation, Robert Wood Johnson, the Markle Foundation, and others have provided funding, leadership, and expertise to this effort. In the private sector, the medical and nursing informatics, and the medical and nursing professional societies, have also been involved.

Electronic health records are controversial among many privacy advocates and citizens who are concerned about information security and the potential for the exploitation of personal medical information by hackers, companies, or the government, and the sharing of health information without the patients' knowledge.8 Privacy advocates, in general, support the development of an interoperable national health information network built on the concepts of patient control, privacy, and participation.9

The Department of Health and Human Services has formed agreements with two organizations to plan and promote the widespread use of electronic health records in the Gulf Coast region as it rebuilds.10 The agreements supplement recently announced contracts to certify electronic health records, develop interoperability standards, evaluate variations among privacy and security requirements across the country, and create prototypes for a nationwide health information network.11 The Southern Governors Association will form the Gulf Coast Health Information Task Force, which will bring together local and national resources to help area health-care providers convert to electronic medical records. The Louisiana Department of Health and Hospitals will develop a prototype of health information sharing and electronic health record support that can be replicated in the region. The effort will not be connected with http://katrinahealth.org/, which is not expected to be a long-term undertaking.

Prescription Records of Katrina Evacuees

On September 22, 2005, KatrinaHealth.org [http://www.katrinahealth.org], a secure online service, was launched to enable authorized healthcare providers to electronically access medication and dosage information for evacuees from Hurricane Katrina to renew prescriptions, prescribe new medications, and coordinate care. The website KatrinaHealth.org was available for a 90-day period. KatrinaHealth.org was a completely new, secure online service created in three weeks to help deliver quality care and avoid medical errors. The data contain records from 150 zip codes in areas hit by Katrina. At its launch, prescription drug records on over 800,000 people from the region could be searched by health care professionals.12 The information was compiled and made accessible by private companies, public agencies, and national organizations, including medical software companies; pharmacy benefit managers; chain pharmacies; local, state, and federal agencies; and a national foundation. The effort to create KatrinaHealth.org was facilitated by the Office of the National Coordinator for Health Information, Department of Health and Human Services. With the assistance of federal, state, and local governments, KatrinaHealth.org was operated by private organizations, such as the Markle Foundation.13

Under ordinary circumstances, HIPAA privacy rules would require formal, written "business associate agreements" among KatrinaHealth.org participants before they could exchange medical information. Reportedly, many of the participants had such agreements or were able to obtain them rapidly. In addition, HHS's second bulletin clarified that considering the emergency circumstances, organizations that did not comply with the business associate requirements would not be penalized as long as they showed good faith efforts to protect the privacy of health information and to appropriately execute the agreements required by the Privacy Rule as soon as practicable.

The data or prescription information for KatrinaHealth.org was obtained from a variety of government and commercial sources. Sources include more than 150 private and public organizations' electronic databases from commercial pharmacies, government health insurance programs such as Medicaid, and private insurers such as Blue Cross and Blue Shield Association of America, and pharmacy benefits managers in the states affected by the storm. Key data and resources were contributed by the American Medical Association (AMA), Gold Standard, the Markle Foundation, RxHub and SureScripts. Data contributors also include the Medicaid programs of Louisiana and Mississippi; chain pharmacies (Albertsons, CVS, Kmart, Rite Aid, Target, Walgreens, Wal-Mart, Winn Dixie); and Pharmacy Benefit Managers (RxHub, Caremark, Express Scripts, Medco Health Solutions). Federal agencies involved include the U.S. Departments of Commerce, Defense, Health and Human Services, Homeland Security, and Veterans Affairs. The information in KatrinaHealth.org did not exist in a central database; rather, access was provided to a mix of data sets. Some of the information from chain pharmacies was aggregated while other available information was not.

Licensed doctors and pharmacists, anywhere in the United States, treating evacuees from Louisiana, Mississippi, and Alabama, were eligible to use KatrinaHealth. Patients were not permitted access to the prescription information at the online site. Authorized clinicians and pharmacists using the system could view evacuees' prescription histories online, obtain available patient allergy information and other alerts, view drug interaction reports and alerts, see therapeutic duplication reports and alerts, and query clinical pharmacology drug information. The system was only accessible to authorized health care professionals and pharmacists, who provided treatment or supported the provision of treatment to evacuees. To ensure that only authorized physicians used KatrinaHealth.org, the AMA provided physician credentialing and authentication services. The AMA validated the identity of health care providers, a key step in ensuring patient confidentiality and security. The National Community Pharmacists Association (NCPA) authenticated and provided access for independent pharmacy owners. SureScripts provided these services for chain pharmacies on behalf of the National Association of Chain Drug Stores (NACDS).

When treating an evacuee, an authorized user of KatrinaHealth.org was prompted to enter the evacuee's first name, last name, date of birth, pre-Katrina residence zip code and gender. If the evacuee's information was available in KatrinaHealth.org, the health provider would link to the following information: quantity and day supply; the pharmacy that filled the script (if available); the provider that wrote the script; and drug information, such as indication and dosage, administration and interactions. Tools to prevent unauthorized access, and audit logs of system access and records access were maintained and reviewed. The site provided "Read Only" access and information in the system could not be modified or otherwise changed.

The developers acknowledged that KatrinaHealth.org did not contain information on every Katrina evacuee from Louisiana, Mississippi, and Alabama; that the information on each evacuee's prescription history might be incomplete; and that the data might contain errors or omissions or duplication. Users of KatrinaHealth were encouraged to review the data with the patient. According to the developers, privacy and security concerns were central to the design of KatrinaHealth.org. Only authorized users could access the site. Highly sensitive personal information was filtered out to comply with state privacy laws. Medication information about certain sensitive health care conditions (HIV/AIDS, mental health issues, and substance abuse or chemical dependencies) was not available. Health privacy advocates argued that evacuees should have had the option to opt out of the site14 and that the site should not become permanent.15

Lessons Learned

In June 2006, The Markle Foundation released a report titled "Lessons From KatrinaHealth."16 The report provides recommendations to ensure that medical records can be accessed and prescriptions provided quickly in a future disaster. The recommendations include engaging in advance planning, taking advantage of existing resources, addressing system and electronic health record design issues, integrating emergency systems, creating systems that are simple to access, improving communication strategies, and overcoming policy barriers to working together.

Footnotes

1. P.L. 104-191, 110 Stat. 1936, 42 U.S.C. §§ 1320d et seq.

2. Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164; http://www.hhs.gov/ocr/combinedregtext.pdf.

3. U.S. Department of Health and Human Services, Hurricane Katrina: HHS Declares Public Emergency for Hurricane Katrina (Sep. 4, 2005), http://www.hhs.gov/katrina/ssawaiver.html.

4. U.S. Department of Health and Human Services, Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations, http://www.hhs.gov/ocr/hipaa/KATRINAnHIPAA.pdf.

5. U.S. Department of Health and Human Services, Hurricane Katrina Bulletin #2: HIPAA Privacy Rule Compliance Guidance and Enforcement For Activities in Response to Hurricane Katrina, http://www.hhs.gov/ocr/hipaa/EnforcementStatement.pdf.

6. See 45 CFR 164.504(e)(2)(ii)(D).

7. National Committee on Vital and Health Statistics, "Assuring a Health Dimension for the National Information Infrastructure," (Oct. 14, 1998) http://www.ncvhs.hhs.gov/hii-nii.htm; In March 2003 the first set of uniform standards for the electronic exchange of clinical health information to be adopted across the federal government were announced. U.S. Department of Health and Human Services, The Consolidated Health Informatics Initiative, http://www.hhs.gov/healthit/chiinitiative.html; The Medicare Prescription Drug Improvement and Modernization Act of 2003 requires the Centers for Medicare and Medicaid Services to develop standards for electronic prescribing, and requires the establishment of a Commission on Systemic Interoperability. P.L. 108-173, 117 Stat. 2066, §§ 101(e)(4)(A) and 1012; Department of Health and Human Services, Centers for Medicare & Medicaid Services, Medicare Program; E-Prescribing and the Prescription Drug Program, 70 FR 6256 (Feb. 5, 2005); Executive Order 13335: Incentives for the Use of Health Information Technology and Establishing the Position of the National Health Information Technology Coordinator, (Apr. 27, 2004), http://www.whitehouse.gov/news/releases/2004/04/20040427-4.html; President's Information Technology Advisory Committee, Revolutionizing Health Care Through Information Technology (June 2004) http://www.nitrd.gov/pitac/meetings/2004/20040617/20040615_hit.pdf; Markle Foundation, Preliminary Roadmap for Achieving Electronic Connectivity in Healthcare, http://www.connectingforhealth.org/resources/cfh_aech_roadmap_072004.pdf; Health and Human Services and the National Coordinator for Health IT, The Decade of Health Information Technology: Delivering Consumer-centric and Information-rich Health Care, Framework for Strategic Action (July 21, 2004), http://www.hhs.gov/healthit/documents/hitframework.pdf; Health and Human Services, Commissioners Selected for American Health Information Community The Community Will Help Shape the Future of Health Care for Generations (Sep. 13, 2005) http://www.hhs.gov/news/press/2005pres/20050913.html.

8. In January 2005, privacy advocates, the AFL-CIO, the National Association of People with AIDS, the American Mental Health Counselors Association, and the American Association of People with Disabilities collectively submitted comments to the Office of the National Coordinator for Health Information Technology urging strong privacy and security protections be built in at the outset of developing a system of electronic health records. See, Health Privacy Project, Majority of Americans Have Privacy Concerns about Electronic Medical Record System (Feb. 23, 2005), http://www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=263085.

9. See, e.g., http://www.healthprivacy.org/usr_doc/NHIN_RFI_Response.pdf.

10. U.S. Department of Health & Human Services, "HHS Enters Into Agreements to Support Digital Health Recovery for the Gulf Coast: Partnerships will Accelerate Electronic Health Records in Gulf States," (Nov. 17, 2005), available at http://www.hhs.gov/news/press/2005pres/20051117.html.

11. U.S. Department of Health & Human Services, "HHS Awards Contracts to Develop Nationwide Health Information Network: Major Step Toward Secure and Portable Health Information for American Consumers," (Nov. 10, 2005), available at http://www.hhs.gov/news/press/2005pres/20051110.html.

12. Krim, Jonathon, Health Records of Evacuees Go Online, New York Times (Sep. 14, 2005).

13. WWW.KATRINAHEALTH.ORG Will Provide Prescription Medication Information For Katrina Evacuees to Authorized Health Professionals and Pharmacists, (Sep. 22, 2005), http://www.markle.org/resources/press_center/press_releases/2005/press_release_09222005.php.

14. Pilot site participants included Shelter staff at Reunion Arena and Dallas County Convention Center in Dallas, Texas; Special Needs Shelters in Louisiana; Sparks Regional Medical Center; University of Mississippi Medical Center; University of South Alabama College of Medicine; University of Texas at Houston; and University of Texas Southwestern.

15. "Medical Records Gone with the Wind," CIO Magazine (November 15, 2005).

16. Available at http://katrinahealth.org/katrinahealth.final.pdf#search=%22katrinahealth%22.