In the first document, HHS outlined how the HIPAA medical information privacy rule allows a health plan or a health care provider to share protected health information (PHI) for disaster relief efforts and to assist patients in receiving care. For example, health plans may disclose PHI to health care providers at shelters to facilitate treatment of evacuees, officials said.
In the second bulletin, HHS asserted that business associates (BAs) may make the same disclosures that a covered entity could make, but only if there is a contract in place between the covered entity and the BA permitting those disclosures. In addition, if a BA uses an agent to assist in making disclosures of PHI, the BA must ensure that a contract is in place by which the agent agrees to the same privacy restrictions and conditions that apply to the BA and that permits the agent to make the disclosures in question.
The second bulletin also provides information on HHS’s enforcement approach when dealing with action taken by covered entities in response to Hurricane Katrina.
When considering a complaint arising from disclosures of PHI that would have been permissible had a BA contract been in place, HHS will not take enforcement action if a covered entity and its BA were unable to formalize the necessary contract because of the urgency of the circumstances arising from the hurricane, so long as the parties execute the required contract as soon as practicable.
In the guidance documents, HHS said that:
- Health care providers can share patient information as necessary to provide treatment.
- Health care providers can share patient information as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the individual’s care of the individual’s location, general condition, or death.
- Providers can share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public — consistent with applicable law and the provider’s standards of ethical conduct.
- Health care facilities maintaining a directory of patients can tell people who call or ask about individuals whether the individual is at the facility, their location in the facility, and general condition.
The HHS documents are here.