Skip to main content
With so many patients evacuated and arriving at other facilities for care after Hurricane Katrina, one of the first questions posed to health care providers was how to comply with the Health Insurance Portability and Accountability Act (HIPAA).

Lack of medical data, HIPAA no hindrance

December 1, 2005

Special Report: Lessons from Hurricane Katrina

Lack of medical data, HIPAA no hindrance

With so many patients evacuated and arriving at other facilities for care after Hurricane Katrina, one of the first questions posed to health care providers was how to comply with the Health Insurance Portability and Accountability Act (HIPAA). Some of those concerns were dispelled when the Department of Health and Human Services issued a special bulletin explaining that HIPAA should not be seen as any impediment to the hurricane response. However, risk managers can learn more about everyday compliance with HIPAA from the Katrina experience, says Kevin Lyles, JD, an attorney with the law firm Jones Day in Columbus, OH.

The main HIPAA-related problem was that people were calling hospitals to look for displaced relatives and the receiving hospitals didn't know if they could release the information under HIPAA. The HHS bulletin made it clear that they could.

"HHS really wasn't covering any new ground with that. HIPAA already allowed hospitals to make information available if they deemed it helpful to the patient," Lyles explains. "They were pointing out what HIPAA already said. They did suspend some provisions of HIPAA, such as the requirement of a business associate agreement."

HHS also made clear that the government would pay hospitals for treatment even if they did not follow all provisions of HIPAA. And most importantly for risk managers, HHS stated that it would not take an aggressive enforcement approach in the wake of Hurricane Katrina.

"They basically said that if you act in good faith and have good intentions, we're not going to hold you liable for any HIPAA violations during this emergency," he says. "The agency is the only one that can enforce HIPAA, and they were saying they would not nitpick about HIPAA violations and you should go out and do what you need to do for your community."

Risk managers who didn't experience Hurricane Katrina still can learn lessons about HIPAA compliance, Lyles says. For one thing, he says, the experience shows a need for flexibility in how you write HIPAA policies.

"You need some flexibility in how you will respond to an emergency like this and how you will bend your standard procedures for notification of family members and giving out information," he says. "If you have a policy that assures patients you will not give out any information without their permission, you might want to build in some leeway with a phrase such as 'except in the case of an emergency or when a public health crisis requires the release of information.'"

That type of language is consistent with HIPAA rules, Lyles notes, but putting it into your own policy is better than having such an ironclad policy that your staff is bound to violate it when they are in a crisis.

"You never want a policy that you don't follow, so it's best to outline those potential exceptions in your own policies," he says.

Even without government enforcement for HIPAA violations, civil lawsuits still could arise, says Patricia A. Trites, MPA, CHBC, CPC, CHCC, CHCO, CEO of Healthcare Compliance Resources, a consulting firm in Augusta, MI.

Trites says civil actions could arise because of the lack of compliance with the Security Rule more than the Privacy Rule. Patients whose information was lost or destroyed, and which could have been reasonably safeguarded, could file a complaint with HHS and sue the hospital because important information that may have been, or could be in the future, important to their continuity of care is unavailable.

"There is also the possibility of information that was literally scattered to the winds could fall into the wrong hands and that could bring a claim of violation of the Privacy Rule," she says. "In both of these situations, there would have to be substantiation that the facility did not take reasonable precautions to protect the information."

Such lawsuits are inevitable in the wake of such wide scale data loss, Lyles says, but providers will have a good defense in almost every case.

Risk managers at hospitals throughout the country also have wondered about potential liability risks from the patients transferred for care from the New Orleans area, since many of them arrive without a medical history and unable to describe their past treatment or medications. Treating a patient with so little information may seem like an invitation to liability, but that should not be a problem, Lyles says.

"It sounds like a risky thing, but in reality, this is no different from what every emergency department faces every day if someone is in a car accident and arrives with no history," he says. "They might have a medical record somewhere that says they are deathly allergic to codeine, but you can't be held liable if you had no way to access that information and did the best you could under the circumstances."

The experience of hospitals in the wake of Katrina should be a huge reminder of the need for electronic records in health care, Lyles says. Hospitals would not have lost patient records in the same way if there were electronic records that were backed up off site or accessible through an electronic network, he says.

Sources

For more information, contact:

  • Kevin Lyles, Attorney, Jones Day, P.O. Box 165017, Columbus, OH 43216-5017. Telephone: (614) 281-3821. E-mail: kdlyles@jonesday.com.
  • Patricia A. Trites, Healthcare Compliance Resources, 507 W. Jefferson St., Augusta, MI 49012. Telephone: (800) 973-1081. E-mail: info@complianceresources.com.