First, HIPAA specifically allows for the sharing of protected health information (PHI) about a patient when it must be shared among healthcare providers for treatment purposes, even where the patient doesn’t give permission to do so. So it’s permissible to share PHI among fire and EMS agencies or others involved at the scene in the care of patients of an MCI.
Second, HIPAA also allows for “incidental” uses and disclosures of PHI in many healthcare situations—even in cases where other patients and those not involved in a patient’s care may hear or view a patient’s PHI. These incidental disclosures are recognized as a “byproduct of an otherwise permitted disclosure.”
The Office of Civil Rights, which enforces HIPAA, states it very well in a Q-and-A posted on its web site: “Many customary healthcare communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive healthcare or other services from covered entities, the potential exists for an individual’s health information to be disclosed ‘incidentally.’” The OCR notes this can occur where a patient overhears conversations between and among healthcare providers and other patients that are unrelated to that patient’s care or sees PHI that’s about other patients.
Examples of incidental disclosures the OCR gives are a hospital visitor who overhears a discussion about a patient, or where one patient glimpses another patient’s information on a sign-in sheet or nursing station whiteboard. All HIPAA requires is that the covered entity have in place “reasonable safeguards” and minimum necessary policies and procedures to protect the patient’s privacy. This means that EMS agencies should take practical steps to limit the likelihood of incidental disclosure and, when there’s a disclosure, to disclose only the minimum amount of PHI necessary for treatment.
So how does this apply in an MCI? Use common sense, but don’t let HIPAA interfere with the standard practices used to manage the situation and to deal with the victims or treat the patients involved. There will be victims involved in the MCI (injured and uninjured) who are walking around interacting with EMS providers. You can’t usually keep them separated or set up “HIPAA safe zones” or go out and buy portable “cones of silence.” You do what you need to do to effectively deal with those involved and use common sense when it comes to on-scene communications and information sharing. Follow your agency’s privacy policies, which should recognize that incidental disclosures of PHI are more likely and, in some cases, can’t be prevented in an MCI.
Another example of an incidental disclosure in an MCI is the use of a “multiple person refusal form,” when it’s simply impractical (and could interfere with patient care) to get a separate refusal form signed on every victim of the MCI. A.J. Heightman, MPA, EMTP, editor-in-chief of JEMS, has been using this type of form for years in his nationally acclaimed MCI courses. This simple form has a refusal statement at the top of the form, and numbered rows below the statement where basic information about each victim is recorded, such as the person’s name, address, phone number and vital signs, the initials of the person processing the refusal, and the person’s signature acknowledging they’re refusing further treatment and/or transportation. It’s simple, easy to use, and keeps the paperwork to a minimum at a time when paperwork shouldn’t be the priority. Yes, the person signing the multiple refusal form may glimpse the names of others listed and maybe some information about them, but the risk of PHI escaping is low since that person is unlikely to remember the names or retain the information seen. And in our view, the use of this form would clearly fit within the permissible incidental disclosure provisions of HIPAA. Can there be some reasonable safeguards to minimize this HIPAA risk? Sure, use a blank piece of paper to cover the names of other patients who signed the form when you present it for the next signature. If a patient later requests a copy of the form, you can redact the names and information of the other signers before releasing the copy.
The key point here is that HIPAA regulations are flexible and recognize that not every patient situation can be treated the same in terms of HIPAA. These regulations and OCR enforcement policy allow for unique situations like this and don’t set up strict limits. It’s also clear that those who wrote the regulations never anticipated the unique problems confronted by EMS in MCI responses.
It all comes down to common sense and what’s reasonable given the particular situation. With one or two patients, it’s certainly the reasonable approach to obtain separate refusal forms for each person refusing care and keep any identifiable patient information separate. But by their very nature, incidental disclosures should be expected in an MCI more often than in a typical non-MCI situation, and the multiple person refusal form may be a reasonable approach that shouldn’t run afoul of HIPAA. The key is to have clear privacy policies that make good sense. Educate your EMS staff on the practical steps to minimize the improper disclosure of patient information in all types of responses that they’ll confront, including MCIs.