Special AHIMA Update: Locating Patients during a Disaster

September 7, 2005

The following information is provided by the American Health Information Management Association to assist healthcare professionals in the aftermath of Hurricane Katrina.

Question: The evacuation of patients during a disaster can leave providers and loved ones without knowledge of a patient's location. How can health information management (HIM) professionals assist the industry in locating individuals housed within their facilities without compromising privacy responsibilities?

Answer: The Department of Health and Human Services released a special bulletin on September 2, 2005, addressing privacy and disclosure in emergency situations. "Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations" can be accessed at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/katrinanhipaa.pdf.

The bulletin places privacy issues in perspective as it recognizes the intensity of the Hurricane Katrina disaster while treatment must be rendered and displaced patients must be located by caregivers, families, and friends. It stresses good judgment, paralleling the privacy rule's fundamental message of reasonableness.

HIM practitioners can release identifying patient information to support patient location disaster efforts without fear of privacy compliance reprisal when good judgment is exercised in the face of disaster realities. In consideration of the bulletin's advisement, AHIMA recommends:

1. Use good judgment in all privacy-related decisions during times of disaster, always acting in the patient's best interest.
2. When possible and reasonable, providers should obtain patient permission to release patient name, location, and general condition. When permission is not possible, judgment should be made in the patient's best interest.
3. Providers can share patient information with legal or chartered disaster relief organizations without patient permission if obtaining permission interferes with emergency response.
4. Providers can respond to families, guardians, or caregivers who offer specific names. Providers can identify an individual and verify the individual's presence in a facility, general condition, or death. Telephone or e-mail can be used. Optimally, a Web site provides an e-mail address and publicizes a telephone number for searchers. Permission from the patient is not required.
5. Providers "may notify the police, the press, or the public at large to the extent necessary to help locate, identify or otherwise notify…as to the location and general condition of their loved ones." Patient permission is not required to utilize a Web site to post names of victims received from the disaster sites. A judicious approach to the extent of the information posted should be exercised. Names and location only are recommended. A mechanism for further investigation can be offered to searchers needing further identification and information.
6. As soon as circumstances warrant, a healthcare organization should return to pre-disaster privacy protection processes.

Other Resources
Department of Health and Human Services. "Health Information Privacy and Civil Rights Questions & Answers: Can healthcare information be shared in a severe disaster?" Available online at http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_in_emergency_situations/960.html.