Hurricane Katrina: HIPAA Privacy and Electronic Health Records of Evacuees

Gina Marie Stevens
Legislative Attorney
American Law Division
Summary
Shortly after Hurricane Katrina, the federal government began a pilot test of
KatrinaHealth.org, an online electronic health record (EHR) system that shared
prescription drug information for hurricane evacuees with health care professionals. The
website was available for a 90-day period. To allow health care providers in affected
areas to care for patients without violating the Health Insurance Portability and
Accountability Act (HIPAA), Health and Human Services (HHS) Secretary Leavitt
waived certain provisions of the HIPAA Privacy Rule and issued guidance to clarify
situations where the HIPAA privacy rule allows information sharing to assist in disaster
relief efforts and with patient care.
This report discusses HHS’s waiver of certain provisions of the HIPAA privacy
rule and guidance issued by HHS with respect to the use and disclosure of protected
health information under the HIPAA Privacy Rule in response to Hurricane Katrina. It
also briefly discusses the development of electronic health records (EHRs) and provides
a brief overview of KatrinaHealth.org. This report will be updated.
HIPAA Privacy Rule. Congress enacted the Health Insurance Portability and
Accountability Act of 1996 (HIPAA)1 to improve portability and continuity of health
insurance coverage. The HIPAA Privacy Rule, issued by HHS to implement section 264
of HIPAA (42 U.S.C. § 1320d-2), regulates the use and disclosure of protected health
information.2
On September 4, 2005, Health and Human Services Secretary Leavitt declared a
federal public health emergency for Louisiana, Alabama, Mississippi, Florida, and Texas.3
1 P.L. 104-191, 110 Stat. 1936, 42 U.S.C. §§ 1320d et seq.
2 Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and
164; [http://www.hhs.gov/ocr/combinedregtext.pdf].


3 U.S. Department of Health and Human Services, Hurricane Katrina: HHS Declares Public
(continued...)

To allow health care providers in affected areas to care for patients without violating
requirements of HIPAA, Medicare, Medicaid, and the State Children’s Health Insurance
Program, the HHS Secretary waived certain provisions. Specifically with respect to the
HIPAA Privacy Rule, the Secretary waived the imposition of sanctions and penalties
arising from noncompliance with the following provisions: (1) requirements to obtain a
patient’s agreement to speak with family members or friends or to honor a patient’s
request to opt out of a facility directory (45 C.F.R. 164.510); (2) the requirement to
distribute a notice of privacy practices (45 C.F.R. 164.520); and (3) the patient’s right to
request privacy restrictions or confidential communications (45 C.F.R. 164.522).
In the first Hurricane Katrina bulletin issued by HHS (HIPAA Privacy and
Disclosures in Emergency Situations), the Department emphasized that the HIPAA
Privacy Rule “allows patient information to be shared to assist in disaster relief efforts,
and to assist patients in receiving the care they need.”4 The bulletin states that under the
rule, health care providers can share patient information to provide treatment and seek
payment for health care services; to identify, locate, and notify family members,
guardians, or anyone responsible for the individual’s care of the individual’s location,
general condition, or death; with anyone as necessary to prevent or lessen a serious and
imminent threat to the health and safety of a person or the public, consistent with
applicable law and the provider’s standards of ethical conduct. In addition, health care
facilities maintaining a patient directory can tell people who call or ask about individuals
whether the individual is at the facility, their location in the facility, and general condition.
On September 9, HHS issued Hurricane Katrina Bulletin #2.5 Because the medical
and prescription records of many evacuees were lost or inaccessible, and because health
plans and health care providers were working with other industry segments to gather and
provide this information, Bulletin #2 provides guidance on how the HIPAA Privacy Rule
applies to these activities and describes the HHS Office for Civil Rights’ enforcement
approach in light of these emergency circumstances.
Bulletin #2 discusses the use and disclosure of prescription and medical information
by entities managing information on behalf of covered entities (“business associates”).
In general, business associates are permitted to make disclosures “to the extent permitted
by their business associate agreements with the covered entities, as provided in the
Privacy Rule.” The bulletin provides that covered entities or their business associates
may provide health information on evacuees to another party for that party to manage the
health information and share it as needed for providing health care to the evacuees.
Where a covered entity provides protected health information to another for this purpose,
the Privacy Rule requires the covered entity to enter into a business associate agreement
with this party. If the business associate, rather than the covered entity itself, is providing


3 (...continued)
Emergency for Hurricane Katrina (Sep. 4, 2005), [http://www.hhs.gov/katrina/ssawaiver.html].
4 U.S. Department of Health and Human Services, Hurricane Katrina Bulletin: HIPAA Privacy
and Disclosures in Emergency Situations, [http://www.hhs.gov/ocr/hipaa/KATRINAnHIPAA.pdf].
5 U.S. Department of Health and Human Services, Hurricane Katrina Bulletin #2: HIPAA Privacy
Rule Compliance Guidance and Enforcement For Activities in Response to Hurricane Katrina,
[http://www.hhs.gov/ocr/hipaa/EnforcementStatement.pdf].

this information to another party that is acting as its agent, the covered entity’s business
associate must enter into an agreement to protect health information with this party.6
Sample business associate agreement provisions are attached to the bulletin.
On the subject of enforcement, HHS noted that Section 1176(b) of the Social
Security Act provides the agency may not impose a civil money penalty where the failure
to comply is based on reasonable cause and is not due to willful neglect, and the failure
to comply is cured within a 30-day period. HHS noted its authority to extend the period
within which a covered entity may cure the noncompliance “based on the nature and
extent of the failure to comply.” HHS, in determining whether reasonable cause exists
for a covered entity’s failure to meet requirements and in determining the period within
which noncompliance must be cured, announced that it “will consider the emergency
circumstances arising from Hurricane Katrina, along with good faith efforts by covered
entities, its business associates and their agents, both to protect the privacy of health
information and to appropriately execute the agreements required by the Privacy Rule as
soon as practicable.”
Electronic Health Records. Shortly after Hurricane Katrina, the federal
government began a pilot test of KatrinaHealth.org, an electronic health record (EHR)
online system, sharing prescription drug information for most of the hurricane evacuees
with health care professionals. The launch of KatrinaHealth.org was possible in part
because of plans already made and actions taken by the Administration, the Congress,
foundations, and the private sector to implement electronic health records (EHRs) as part
of the national health information infrastructure.7 President Bush and the Departments of
Health and Human Services (HHS), Defense, and Veterans Affairs have focused on the


6 See 45 CFR 164.504(e)(2)(ii)(D).
7 National Committee on Vital and Health Statistics, “Assuring a Health Dimension for the
National Information Infrastructure,” (Oct. 14, 1998) [http://www.ncvhs.hhs.gov/hii-nii.htm]; In
March 2003 the first set of uniform standards for the electronic exchange of clinical health
information to be adopted across the federal government were announced. U.S. Department of
Health and Human Services, The Consolidated Health Informatics Initiative,
[http://www.hhs.gov/healthit/chiinitiative.html]; The Medicare Prescription Drug Improvement
and Modernization Act of 2003 requires the Centers for Medicare and Medicaid Services to
develop standards for electronic prescribing, and requires the establishment of a Commission on
Systemic Interoperability. P.L. 108-173, 117 Stat. 2066, §§ 101(e)(4)(A) and 1012; Department
of Health and Human Services, Centers for Medicare & Medicaid Services, Medicare Program;
E-Prescribing and the Prescription Drug Program, 70 FR 6256 (Feb. 5, 2005); Executive Order
13335: Incentives for the Use of Health Information Technology and Establishing the Position
of the National Health Information Technology Coordinator, (Apr. 27, 2004),
[http://www.whitehouse.gov/news/releases/2004/04/20040427-4.html]; President’s Information
Technology Advisory Committee, Revolutionizing Health Care Through Information Technology
(June 2004) [http://www.nitrd.gov/pitac/meetings/2004/20040617/20040615_hit.pdf]; Markle
Foundation, Preliminary Roadmap for Achieving Electronic Connectivity in Healthcare,
[http://www.connectingforhealth.org/resources/cfh_aech_roadmap_072004.pdf]; Health and
Human Services and the National Coordinator for Health IT, The Decade of Health Information
Technology: Delivering Consumer-centric and Information-rich Health Care, Framework for
Strategic Action (July 21, 2004), [http://www.hhs.gov/healthit/documents/hitframework.pdf];
Health and Human Services, Commissioners Selected for American Health Information
Community The Community Will Help Shape the Future of Health Care for Generations (Sep.
13, 2005), [http://www.hhs.gov/news/press/2005pres/20050913.html].



importance of transforming health care delivery through the improved use of health
information technology (HIT). Philanthropies such as California Health Care Foundation,
Robert Wood Johnson, the Markle Foundation, and others have provided funding,
leadership, and expertise to this effort. In the private sector, the medical and nursing
informatics, and the medical and nursing professional societies, have also been involved.
Electronic health records are controversial among many privacy advocates and
citizens who are concerned about information security and the potential for the
exploitation of personal medical information by hackers, companies, or the government,
and the sharing of health information without the patients’ knowledge.8 Privacy
advocates, in general, support the development of an interoperable national health
information network built on the concepts of patient control, privacy, and participation.9
The Department of Health and Human Services has formed agreements with two
organizations to plan and promote the widespread use of electronic health records in the
Gulf Coast region as it rebuilds.10 The agreements supplement recently announced
contracts to certify electronic health records, develop interoperability standards, evaluate
variations among privacy and security requirements across the country, and create
prototypes for a nationwide health information network.11 The Southern Governors
Association will form the Gulf Coast Health Information Task Force, which will bring
together local and national resources to help area health-care providers convert to
electronic medical records. The Louisiana Department of Health and Hospitals will
develop a prototype of health information sharing and electronic health record support
that can be replicated in the region. The effort will not be connected with
[http://katrinahealth.org/], which is not expected to be a long-term undertaking.
Prescription Records of Katrina Evacuees. On September 22, 2005,
KatrinaHealth.org [http://www.katrinahealth.org], a secure online service, was launched
to enable authorized healthcare providers to electronically access medication and dosage
information for evacuees from Hurricane Katrina to renew prescriptions, prescribe new
medications, and coordinate care. The website KatrinaHealth.org was available for a 90-


8 In January 2005, privacy advocates, the AFL-CIO, the National Association of People with
AIDS, the American Mental Health Counselors Association, and the American Association of
People with Disabilities collectively submitted comments to the Office of the National
Coordinator for Health Information Technology urging strong privacy and security protections
be built in at the outset of developing a system of electronic health records. See, Health Privacy
Project, Majority of Americans Have Privacy Concerns about Electronic Medical Record System
(Feb. 23, 2005), [http://www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=263085].
9 See, e.g., [http://www.healthprivacy.org/usr_doc/NHIN_RFI_Response.pdf].
10 U.S. Department of Health & Human Services, “HHS Enters Into Agreements to Support
Digital Health Recovery for the Gulf Coast: Partnerships will Accelerate Electronic Health
Records in Gulf States,” (Nov. 17, 2005), available at
[http://www.hhs.gov/news/press/2005pres/20051117.html].


11 U.S. Department of Health & Human Services, “HHS Awards Contracts to Develop
Nationwide Health Information Network: Major Step Toward Secure and Portable Health
Information for American Consumers,” (Nov. 10, 2005), available at
[http://www.hhs.gov/news/press/2005pres/20051110.html].

day period. KatrinaHealth.org was a completely new, secure online service created in
three weeks to help deliver quality care and avoid medical errors. The data contain records
from 150 zip codes in areas hit by Katrina. At its launch, prescription drug records on
over 800,000 people from the region could be searched by health care professionals.12 The
information was compiled and made accessible by private companies, public agencies,
and national organizations, including medical software companies; pharmacy benefit
managers; chain pharmacies; local, state, and federal agencies; and a national foundation.
The effort to create KatrinaHealth.org was facilitated by the Office of the National
Coordinator for Health Information, Department of Health and Human Services. With
the assistance of federal, state, and local governments, KatrinaHealth.org was operated
by private organizations, such as the Markle Foundation.13
Under ordinary circumstances, HIPAA privacy rules would require formal, written
“business associate agreements” among KatrinaHealth.org participants before they could
exchange medical information. Reportedly, many of the participants had such agreements
or were able to obtain them rapidly. In addition, HHS’s second bulletin clarified that
considering the emergency circumstances, organizations that did not comply with the
business associate requirements would not be penalized as long as they showed good faith
efforts to protect the privacy of health information and to appropriately execute the
agreements required by the Privacy Rule as soon as practicable.
The data or prescription information for KatrinaHealth.org was obtained from a
variety of government and commercial sources. Sources include more than 150 private
and public organizations’ electronic databases from commercial pharmacies, government
health insurance programs such as Medicaid, and private insurers such as Blue Cross and
Blue Shield Association of America, and pharmacy benefits managers in the states
affected by the storm. Key data and resources were contributed by the American Medical
Association (AMA), Gold Standard, the Markle Foundation, RxHub and SureScripts.
Data contributors also include the Medicaid programs of Louisiana and Mississippi; chain
pharmacies (Albertsons, CVS, Kmart, Rite Aid, Target, Walgreens, Wal-Mart, Winn
Dixie); and Pharmacy Benefit Managers (RxHub, Caremark, Express Scripts, Medco
Health Solutions). Federal agencies involved include the U.S. Departments of
Commerce, Defense, Health and Human Services, Homeland Security, and Veterans
Affairs. The information in KatrinaHealth.org did not exist in a central database; rather,
access was provided to a mix of data sets. Some of the information from chain
pharmacies was aggregated while other available information was not.
Licensed doctors and pharmacists, anywhere in the United States, treating evacuees
from Louisiana, Mississippi, and Alabama, were eligible to use KatrinaHealth. Patients
were not permitted access to the prescription information at the online site. Authorized
clinicians and pharmacists using the system could view evacuees’ prescription histories
online, obtain available patient allergy information and other alerts, view drug interaction
reports and alerts, see therapeutic duplication reports and alerts, and query clinical


12 Krim, Jonathon, Health Records of Evacuees Go Online, New York Times (Sep. 14, 2005).
13 WWW.KATRINAHEALTH.ORG Will Provide Prescription Medication Information For
Katrina Evacuees to Authorized Health Professionals and Pharmacists, (Sep. 22, 2005),
[http://www.markle.org/resources/press_center/press_releases/2005/press_release_09222005.php].

pharmacology drug information. The system was only accessible to authorized health care
professionals and pharmacists, who provided treatment or supported the provision of
treatment to evacuees. To ensure that only authorized physicians used KatrinaHealth.org,
the AMA provided physician credentialing and authentication services. The AMA
validated the identity of health care providers, a key step in ensuring patient
confidentiality and security. The National Community Pharmacists Association (NCPA)
authenticated and provided access for independent pharmacy owners. SureScripts
provided these services for chain pharmacies on behalf of the National Association of
Chain Drug Stores (NACDS).
When treating an evacuee, an authorized user of KatrinaHealth.org was prompted
to enter the evacuee’s first name, last name, date of birth, pre-Katrina residence zip code
and gender. If the evacuee’s information was available in KatrinaHealth.org, the health
provider would link to the following information: quantity and day supply; the pharmacy
that filled the script (if available); the provider that wrote the script; and drug information,
such as indication and dosage, administration and interactions. Tools to prevent
unauthorized access, and audit logs of system access and records access were maintained
and reviewed. The site provided “Read Only” access and information in the system could
not be modified or otherwise changed.
The developers acknowledged that KatrinaHealth.org did not contain information
on every Katrina evacuee from Louisiana, Mississippi, and Alabama; that the information
on each evacuee’s prescription history might be incomplete; and that the data might
contain errors or omissions or duplication. Users of KatrinaHealth were encouraged to
review the data with the patient. According to the developers, privacy and security
concerns were central to the design of KatrinaHealth.org. Only authorized users could
access the site. Highly sensitive personal information was filtered out to comply with
state privacy laws. Medication information about certain sensitive health care conditions
(HIV/AIDS, mental health issues, and substance abuse or chemical dependencies) was not
available. Health privacy advocates argued that evacuees should have had the option to
opt out of the site14 and that the site should not become permanent.15
Lessons Learned. In June 2006, The Markle Foundation released a report titled
“Lessons From KatrinaHealth.”16 The report provides recommendations to ensure that
medical records can be accessed and prescriptions provided quickly in a future disaster.
The recommendations include engaging in advance planning, taking advantage of existing
resources, addressing system and electronic health record design issues, integrating
emergency systems, creating systems that are simple to access, improving communication
strategies, and overcoming policy barriers to working together.


14 Pilot site participants included Shelter staff at Reunion Arena and Dallas County Convention
Center in Dallas, Texas; Special Needs Shelters in Louisiana; Sparks Regional Medical Center;
University of Mississippi Medical Center; University of South Alabama College of Medicine;
University of Texas at Houston; and University of Texas Southwestern.
15 “Medical Records Gone with the Wind,” CIO Magazine (November 15, 2005).
16 Available at [http://katrinahealth.org/katrinahealth.final.pdf#search=%22katrinahealth%22].