Pro Bono: Privacy within Mass Casualty Incidents

We all know federal privacy regulations limit the use and disclosure of patient information by EMS agencies that are “covered entities” under HIPAA. But how does HIPAA apply to the mass casualty incident (MCI) where there are multiple victims, our resources are taxed and the situation isn’t as controlled as with a traditional EMS patient situation? HIPAA was never intended to interfere with the provision of patient care and the “customary and essential communications” necessary for patient care in any situation–including MCIs.

First, HIPAA specifically allows for the sharing of protected health information (PHI) about a patient when it must be shared among healthcare providers for treatment purposes, even where the patient doesn’t give permission to do so. So it’s permissible to share PHI among fire and EMS agencies or others involved at the scene in the care of patients of an MCI.

Second, HIPAA also allows for “incidental” uses and disclosures of PHI in many healthcare situations–even in cases where other patients and those not involved in a patient’s care may hear or view a patient’s PHI. These incidental disclosures are recognized as a “byproduct of an otherwise permitted disclosure.”

The Office of Civil Rights, which enforces HIPAA, states it very well in a Q-and-A posted on its website: “Many customary healthcare communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive healthcare or other services from covered entities, the potential exists for an individual’s health information to be disclosed ‘incidentally.'” The OCR notes this can occur where a patient overhears conversations between and among healthcare providers and other patients who are unrelated to that patient’s care or sees PHI about other patients.

Examples of incidental disclosures the OCR gives are a hospital visitor who overhears a discussion about a patient, or where one patient glimpses another patient’s information on a sign-in sheet or nursing station whiteboard. All HIPAA requires is that the covered entity have “reasonable safeguards” and minimum necessary policies and procedures to protect the patient’s privacy in place. This means that EMS agencies should take practical steps to limit the likelihood of the incidental disclosure and when there’s a disclosure, to only disclose the minimum amount of PHI necessary for treatment.

So how does this apply in an MCI? Use common sense, but don’t let HIPAA interfere with the standard practices used to manage the situation and to deal with the victims or treat the patients involved. There will be victims involved in the MCI (injured and uninjured) who are walking around interacting with EMS providers. You can’t usually keep them separated or set up “HIPAA safe zones” or go out and buy portable “cones of silence.” You do what you need to do to effectively deal with those involved and use common sense when it comes to on-scene communications and information sharing. Follow your agency’s privacy policies, which should recognize that the likelihood of incidental disclosures of PHI are more likely and, in some cases, can’t be prevented in an MCI.

Another example of an incidental disclosure in an MCI is the use of a “multiple person refusal form,” when it’s simply impractical (and could interfere with patient care) to get a separate refusal form signed on every victim of the MCI. A.J. Heightman, MPA, EMT-P, editor-in-chief of JEMS, has been using this type of form for years in his nationally-acclaimed MCI courses. This simple form has a refusal statement at the top and numbered rows below the statement where basic information about each victim is recorded, such as the person’s name, address, phone number and vital signs as well as the initials of the person processing the refusal and the person’s signature acknowledging they’re refusing further treatment and/or transportation. It’s simple, easy to use, and keeps the paperwork to a minimum at a time when paperwork shouldn’t be the priority. Yes, the person signing the multiple refusal form may glimpse at the names of others listed and maybe some information about them, but the risk of PHI escaping is low since that person is unlikely to remember the names or retain the information seen. And in our view, the use of this form would clearly fit within the permissible incidental disclosure provisions of HIPAA. Can there be some reasonable safeguards to minimize this HIPAA risk? Sure, use a blank piece of paper to cover the names of other patients who signed the form when you present it for the next signature. If a patient later requests a copy of the form, you can redact the names and information of the other signers before releasing the copy.

The key point here is that HIPAA regulations are flexible and recognize that not every patient situation can be treated the same in terms of HIPAA. These regulations and OCR enforcement policy allow for unique situations like this and don’t set up strict limits. It’s also clear that those who wrote the regulations never anticipated the unique problems confronted by EMS in MCI responses.

It all comes down to common sense and what’s reasonable given the particular situation. With one or two patients, it’s certainly the reasonable approach to obtain separate refusal forms for each person refusing care and keep any identifiable patient information separate. But by their very nature, incidental disclosures should be expected in an MCI more often than in a typical non-MCI situation, and the multiple-person refusal form may be a reasonable approach that shouldn’t run afoul of HIPAA. The key is to have clear privacy policies that make good sense. Educate your EMS staff on the practical steps to minimize the improper disclosure of patient information in all types of responses that they’ll confront, including an MCI.

Pro Bono is written by attorneys Doug Wolfberg and Steve Wirth, founding partners of Page, Wolfberg & Wirth, LLC, a national EMS industry law firm. Visit the firm’s website at Check out the all-new Fourth Edition of The Ambulance Service Guide to HIPAA Compliance recently released and now available from PWW.

Awards Presented at the 2015 EMS Today Conference & Exposition

Ronald D. Stuart honored with James O. Page/JEMS Leadership Award

The James O. Page/JEMS Leadership Award, presented annually at the EMS Today Conference & Exposition, is given to individuals or agencies who’ve exhibited the drive and tenacious effort necessary to develop improved EMS systems, resolve important EMS issues and bring about positive EMS system changes. For his impact on the design, development, implementation and evaluation of EMS systems, as well as his efforts on individuals and organizations to enhance the care of millions by influencing the models of methods of healthcare employed in the prehospital arena, Ronald D. Stuart, MD, FACEP, was selected as this year’s James O. Page Award recipient.

Other award winners honored at EMS Today included:

John P. Pryor/Street Medicine Society Awards

  •  James J. Augustine, MD, FACEP

Nicholas Rosecrans Award for Excellence in Injury Prevention

  • American Medical Response River Safety Program in Clackamas County, Ore.

James O. Page/JEMS Award recipient Ronald D. Stuart, MD, FACEP, second from left, and, from left, Walt Stoy, PhD, EMT-P, CCEMTP; Baxter Larmon, PhD, MICP and JEMS Editor-in-Chief A.J. Heightman, MPA, EMT-P. Photo Glen E. Ellman


No posts to display