The Department of Health and Human Services, Office of Civil Rights (“OCR”), published two bulletins on September 2, 2005 and September 9, 2005 to discuss the application of HIPAA in the wake of Hurricane Katrina. The bulletins expressed the need for persons displaced by the hurricane to obtain ready access to health care and a means of contacting family and caregivers.
OCR stated that the HIPAA Privacy Rule allows the sharing of patient information to assist in disaster relief efforts, and to assist patients in receiving the care they need.
In order to facilitate this, OCR explained that patient information could be shared by health care providers as necessary to provide treatment; to identify, locate and notify family members, guardians, or anyone else responsible for the individual’s care of the individual’s location, general condition, or death. Additionally, providers do not need a patient’s permission to share their personal health information (“PHI”) with disaster relief organizations, such as the American Red Cross, if doing so would interfere with the organization’s ability to respond to the emergency. OCR reconfirmed that the HIPAA Privacy Rule only applies to covered entities and does not restrict organizations such as the American Red Cross from sharing patient information.
Finally, OCR stated that HHS may not impose a civil money penalty where failure to comply with the provisions of the Privacy Rule are based on reasonable causes and are not due to willful neglect, and the failure to comply is cured within a 30-day period, unless HHS has granted an extension.