|The US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently issued two bulletins to assist covered entities with the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) as a result of Hurricane Katrina.
The first bulletin, "HIPAA Privacy and Disclosures in Emergency Situations", emphasizes how the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to assist patients in receiving the care they need. Health care providers can share patient information as necessary to provide treatment. They may also share patient information as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the individual's care of the individual's location, general condition or death.
The second bulletin, "HIPAA Privacy Rule Compliance Guidance and Enforcement Statement for Activities in Response to Hurricane Katrina", emphasizes the broad range of permissible disclosures that covered entities may make to respond to the needs of evacuees in these situations. It outlines the enforcement approach OCR will consider in light of the emergency circumstances arising from Hurricane Katrina. The bulletin affirms that business associates (BAs) may make the same disclosures that a covered entity could make, but only if there is a contract in place between the covered entity and the BA permitting those disclosures. Sample business associate agreements are also included in this bulletin.
You may view the complete text of these bulletins on the following links:
(September 2, 2005)
(September 9, 2005)