html xmlns=”http://www.w3.org/1999/xhtml” xmlns:mml=”http://www.w3.org/1998/Math/MathML” xmlns:epub=”http://www.idpf.org/2007/ops”>
Overview
Catastrophic disasters disrupt the health and medical system in a variety of different ways. The event itself – a hurricane or earthquake – may cause physical damage to medical infrastructure (e.g., hospitals, clinics, doctors’ offices, laboratories, pharmacies, and medical suppliers). The event can also disrupt electrical power or communications capabilities such as Internet and computer services. A disaster can also create new requirements for medical care by injuring large numbers of people when buildings or other structures collapse. Similarly, a pandemic outbreak of infectious disease, or widespread exposure to chemical, radiological, or biological contamination, can overwhelm medical infrastructure and medical providers with the number of patients requiring treatment. Finally, as demonstrated by the 2004 Indian Ocean Tsunami, Hurricane Katrina in the United States (2005), and more recently, in 2012, Hurricane Sandy on the east coast of the United States, a disaster can force the evacuation of hundreds of thousands of people who then become separated from their regular medical care network (e.g., doctors, nurses, prescription medications, and medical records). These evacuees arrive in relocation areas with medical systems unprepared to treat the baseline health and medical needs of so many additional patients, in addition to any traumatic and psychological conditions caused by the disaster.
Catastrophic disasters also challenge the legal basis of the health and medical system. Practitioners may be familiar with legal and regulatory requirements applicable to the provision of medical care in normal times, but in a disaster environment, compliance with some legal requirements becomes problematic. Are regulatory requirements relaxed or changed under emergency conditions, or are practitioners left simply to do the best they can and trust that regulators will choose not to enforce standards? The following scenarios illustrate this dilemma:
In the United States, federal rules require clinicians to perform a medical screening examination and stabilization of any patient who arrives on hospital grounds requesting medical care. How does this regulation apply when there is a physical plant disruption such as a hospital flood or fire, or a chemical, biological, or radiological contamination on site?
Virtually all sovereign governments ensure the competence of medical professionals by issuing certificates or licenses to those authorized to practice medicine within their respective borders – yet, in a disaster, medical volunteers and medical providers from other jurisdictions will cross state or national boundaries to treat disaster victims. Under what circumstances do their medical or other health professional licenses allow them to treat casualties? Should they be concerned about violating geographic restrictions contained in their professional malpractice insurance policies?
Sovereign nations, and provincial and states within sovereign nations, bestow on designated officials broad emergency powers over healthcare and public health systems – upon some sort of designation or declaration of a state of emergency or disaster. Yet, exactly what those powers are, who can exercise them, how timely they can be executed, and how those powers affect institutions and professionals providing medical care can vary dramatically.
This chapter will review disaster legal issues primarily from the perspective of persons or institutions – including individual doctors or nurses, medical practices, laboratories, clinics, and hospitals – who collectively provide medical care to patients in the midst of a catastrophic disaster or other public health emergency. This chapter summarizes the key areas where the legal environment of medical care may change as a result of disasters and other catastrophic events. Some of these changes occur in the specific requirements imposed on practitioners by national, state/provincial and, in some cases, local governments and agencies. Providers must be alert to how those changed requirements will be communicated to them.
Providers must also be familiar with how a disaster may create exposure to economic penalties and liabilities where the care provided in emergencies does not meet normal standards of medical practice. This exposure may be experienced, after the fact, through judicial award of money judgments based on malpractice of medical providers. Providers must also be cognizant of requirements existing with third-party payers and private credentialing organizations and vendors.
Despite what some may view as a minefield of legal risks – risks of criminal or civil penalties, revocation of critical licenses or credentials, and malpractice or breach of contract judgments – disaster medicine creates an extraordinary and rewarding opportunity to provide medical care to people when they need it most.
Current State of the Art
Medical Malpractice and Disaster Medicine
Just as they do during non-disaster times, medical care providers must manage the liability risk (for improper or inadequate treatment) during catastrophic events. In litigious countries like the United States, the tort liability system may have as much or more effect on how medicine is practiced than do regulatory standards imposed by the government. Under this tort system, liability attaches to any persons or institutions who participated in care provided to an individual patient who has suffered a significant injury or illness – if the injury or illness can be proven, in court after the fact, to be wholly or partially their “fault.” Damages awarded can range in the millions of dollars for individual patients, including both “compensatory damages” (such as current and future medical expenses, lost wages, projected future losses in wages, or a monetary reward for pain and suffering), and, in egregious situations, “punitive damages.” The impact of malpractice liability on individual practitioners is reduced in nations where medical care is provided by government. In England and Wales, for example, practitioners employed by the National Health Service (NHS) are indemnified from liability; practitioners outside the NHS must arrange for liability protection through a medical defense society or union, and the NHS itself may be vicariously liable for negligent acts of its practitioners.1
The liability system is intended to make “tortfeasors” (the label given to the persons whose improper actions or failure to act caused a patient’s injuries and illness) pay money damages to make that patient (or the patient’s estate) “whole,” to the extent possible. The liability system is also intended to create a strong incentive to persons and institutions to act with appropriate care – that is, prudent and reasonable care in accordance with accepted medical practice in the circumstances in which that care is provided.
Medical care providers are generally familiar with the liability system as it applies to the day-to-day practice of medicine. The same principles also apply to the practice of medicine under disaster conditions. In fact, one of the main issues discussed by public health officials and emergency planners is how to assure that medical providers can assist in the response to a catastrophic event without incurring debilitating liability judgments.2 Liability systems vary considerably in different nations and even in different states or provinces within nations – but it is useful to provide at least an overview of key characteristics of liability systems. An individual or institution can be found “liable” for an injury to a person if the individual or institution owes a duty to provide treatment, fails to fulfill that duty, and thereby causes harm to that person.3 In many jurisdictions, however, the government – using doctrines like “sovereign immunity” – has limited or even completely immunized not only itself from liability for actions taken during emergencies, but has also immunized other persons or institutions providing medical care in the midst of emergencies.4
The “duty” described previously, whose breach leads to liability, can arise from several sources. These include: 1) an agreement (in which a medical provider promises to perform certain services in a particular manner); 2) statutes (in which the legislature has declared that a person has a duty, or responsibility, to act in a particular way); or 3) “common law” resulting from judgments of courts in individual cases determining or denying liability in particular situations and establishing legal precedents.
For medical malpractice liability, the most significant “duty” owed by a medical provider is a duty to diagnose and treat patients without negligence, in accordance with a standard of care. Normally this is the care which is reasonable for a qualified professional providing treatment in similar circumstances.5 In “normal,” non-disaster times, providers generally manage the risk that they might be found negligent by establishing and following standard procedures and protocols. Following these procedures minimizes the likelihood that their actions could, in hindsight, be characterized as “negligent.” Providers also protect themselves by purchasing medical malpractice insurance.6
During a disaster, however, medical providers’ ability to use non-disaster standard procedures and protocols is severely compromised because:
Facilities are not fully functional due to infrastructure or operational damage.
Facilities are crowded.
Care may be provided under austere conditions and in non-traditional settings like alternate care facilities or even the field.
Supplies and drugs are in short supply.
Staff is short-handed and fatigued.
Staff has been imported from other jurisdictions that use different procedures and protocols.
Medical records are missing or temporarily unavailable.
Volunteer medical providers are working in unfamiliar facilities and jurisdictions.
The circumstances under which the conduct occurs determine whether it can be classified as “negligent” medical care. A doctor operating in a tent field hospital established by government officials or in an airport concourse may not have the equipment necessary for certain tests that in “normal times” would be standard medical procedure. It would not be “negligence” for a doctor to treat a patient requiring care during this emergency without using unavailable equipment, even if the patient experienced life-threatening complications that would have been avoided had that equipment been used. Rather, the care provided would be reasonable given the environment and situation.
There are, nonetheless, significant liability risks that providers face in providing care during an emergency. For example, a patient’s attorney may agree that a doctor did the best he or she could in the middle of a catastrophic event – but argue that the event became catastrophic because of negligence. For example, a medical facility could be found negligent in the development of its emergency plan which led to the loss of electrical power during a surgical procedure and that this negligence – not the heroic efforts taken after disaster had struck – is what led to injury. Proper pre-event preparation might have ensured that necessary test equipment was available or training was provided on substitute tests that did not require the equipment. Moreover, whether the particular care provided was “negligent” even under emergency conditions will likely be a question that a court would decide after the fact. Some medical providers are, accordingly, concerned that actions taken in a catastrophic environment could lead to large malpractice judgments based not on true negligence, but rather on their inability to provide the care that would be considered appropriate under normal conditions. Even though practitioners are held to the standard that care must be reasonable given the circumstances in which it was provided, this may be insufficient protection. Given the delay inherent in litigation, the memory of emergency conditions will fade long before practitioners will be judged for possible negligence.
Malpractice insurance may not provide protection to providers in the disaster environment. To limit an insurer’s malpractice exposure, malpractice insurance is typically written to cover a particular type of practice in a particular geographic location. Yet, in a disaster, medical providers may be needed in other jurisdictions, perhaps even in another state or country. They may be asked to practice in temporary or substandard facilities and may perform procedures that are not normally within their scope of practice. Standard malpractice insurance may exclude from coverage medical care provided under any of these circumstances.
To address some of these concerns in the United States, most states and the federal government have enacted legislation that provides some immunity to medical professionals providing care during disasters. State “Good Samaritan” legislation and the Federal Volunteer Protection Act of 19977 provide significant immunity protection. For example, in California’s Good Samaritan Law, there is “no liability where the licensee in good faith renders emergency care at the scene of an emergency.”8 In many states, liability protection is also extended to medical professionals who volunteer to help state or local public health or emergency management officials. California also has this type of provision: “health providers…who render services during any state of…emergency, at the express or implied request of any responsible state or local official or agency, shall have no liability for any injury sustained by reason of such services, regardless of how or under what circumstances or by what cause such injuries were sustained.”9 This immunity does not apply when the injury was intentional or resulted from actions (or failures to act) that were clearly likely to cause harm – that is, where the injury results from a “willful” act or omission. Similarly, the Federal Volunteer Protection Act provides that “no volunteer of a nonprofit organization or governmental entity shall be liable for harm caused by an act or omission of the volunteer if…the harm was not caused by willful or criminal misconduct, gross negligence, reckless misconduct, or a conscious, flagrant indifference to the rights or safety of the individual harmed by the volunteer.”10 Note that protection under this law extends only to the actual volunteer – and not to any organization that dispatches or supports the work of volunteers (e.g., nongovernmental organizations such as the American Red Cross).
Furthermore, providers should be aware that the liability protection offered by Good Samaritan legislation and the Federal Volunteer Protection Act typically does not extend to those who receive compensation for their efforts. Is a physician who is part of a group medical practice, and who receives a fixed share of the profits from that practice, even though much of the profits were earned while the practitioner was “volunteering” in a disaster, covered? Could the immunity provided by a Good Samaritan Act be challenged if a medical care provider receives an allowance for meals and living expenses while serving in a disaster field hospital? Is a pharmacist in the employ of a corporation a “volunteer” if the corporation allows the pharmacist, during his paid vacation, to travel to a disaster and serve as a pharmacist at a shelter for evacuees? The answers to these questions are unclear and make the extent of liability risk uncertain.
Immunity is also provided under the laws of some U.S. states to contractors providing emergency response services “in coordination with” or “under contract to” emergency response authorities.11 Other statutes may provide immunity to responders in particular circumstances – such as in the administration of smallpox vaccine.12
There are often limitations on the scope of immunity. For example, no immunity extends to: 1) caregivers receiving compensation; 2) persons who are unlicensed; and 3) for-profit businesses (such as incorporated providers of medical care). Furthermore, the immunity from liability given to government contractors may also be limited. Although contractors are generally not liable when operating under a government contract that precisely describes the required duties, contractors can be liable if they are permitted to use judgment in performing the contracted work.13 This exception can be significant, because the provision of medical services frequently requires the application of judgment.
Although liability for volunteers practicing disaster medicine is very limited, there is uncertainty about the definition of “volunteer” and the scope of liability protection provided by existing immunity statutes. There is also controversy about whether the public is served by extending immunity from liability to practitioners whose actions are found to have caused unnecessary injury or even death to patients. For example, to address liability (and other issues), a model law called the Uniform Emergency Volunteer Health Professionals Act, was developed in the United States in 2007. While the intent was to encourage states to provide for legislative immunity, 6 years later, the primary provisions of this model act had been enacted in only twelve of the fifty-two U.S. states and territories, and some states rejected the liability provisions.14 The accelerated pace of legislative changes and the variety of approaches adopted in many U.S. states illustrate the challenges in finding solutions to the many liability issues.
Despite a lack of clarity under existing law, medical providers can take actions that will eliminate or significantly reduce their exposure to liability when providing volunteer medical services in an emergency. Within the United States, virtually all of these solutions require that a medical provider be registered with an official governmental response organization and become a part of the government response. Government officials increasingly view the coordination of volunteer and private sector response efforts (i.e., public–private partnerships) to be a critical part of disaster preparedness and response efforts. In many U.S. states, statutes immunize actions taken at the direction of state emergency management officials.15 In some state and federal government programs, volunteer individual practitioners are “hired” as temporary employees for minimal or no salary and the government extends its immunity protection to them and becomes the defendant to pay judgments arising from any remaining liability.16 For example, if an individual is deployed to assist at a disaster site as part of a national Disaster Medical Assistance Team, the provider becomes “federalized” and is allowed to practice in any U.S. state or territory and has federal liability protections.
The liability protections available under current law and under a number of legislative proposals are primarily directed to individuals, and particularly to individual volunteers, rather than to the nonprofit organizations and private businesses that may participate in response efforts. Some of the organizations that will assist in medical care provision during disaster events are not traditionally part of the medical system. For example, during a pandemic influenza event, public health officials may request a major employer in a community to assist in the distribution of pharmaceuticals and administration of vaccines to its employees and their families. Current law may provide only limited protection to these businesses. They may refuse to participate in planning and actual response unless they can obtain liability protection or indemnity.
Registration with an official government response organization provides other important benefits, particularly where medical providers will be working in facilities, communities, and states different from those in which their home practice is located. These benefits – discussed in greater detail later – include recognizing the provider’s medical license in the new state, generating identification documents and credentials that allow the provider entry into the disaster area, and logistical support.
Healthcare facilities are also exposed to liability should they fail to provide quality care and meet the needs of their patients after a disaster. One type of negligence is corporate negligence, which hospitals face when managing liability claims. Hospitals have four duties: “[1] a duty to use reasonable care in the maintenance of safe and adequate facilities and equipment; [2] a duty to select and retain only competent physicians; [3] a duty to oversee all persons who practice medicine within its walls; and [4] a duty to formulate, adopt, and enforce adequate rules and policies to ensure quality care for the patients.”17 Accordingly, healthcare organizations that hold these duties may be found liable if they fail to safeguard the welfare and safety of patients, employees, and occupants.
Healthcare facilities are further at risk via vicarious liability in that “the negligent acts of a health care provider may be directly imputed to the hospital in which the care is given.”18 Vicarious liability is based on the legal doctrines of respondeat superior and ostensible agency. It extends liability to employers based on an assumption that the employer has control over the actions of its employees.19 Therefore, hospitals may be held liable for the conduct of nurses, residents, interns, and other health professionals. Typically, only negligent acts committed within the “scope of employment” are subject to liability. In addition, most courts will not hold a hospital liable for the negligence of an employee if the contract specifically negates an employment or agency relationship. Accordingly, physicians are considered independent contractors in many instances, and this status shields hospitals from any liable acts that they may commit. However, “courts have found that a hospital’s imposition of rules and regulations upon staff physicians is enough to undercut the doctors’ independent contractor status and expose the hospital to liability.”20
Even where there is no actual agency, liability can be based on ostensible agency. This occurs when: 1) the patient looks to the entity rather than the specific physician for care and the patient reasonably believes that the healthcare provider is an agent or employee of the hospital; and 2) the hospital affirmatively “holds out” the doctor as its employee or agent, or knowingly permits the provider to project himself or herself as such. This theory applies to care in the emergency department since patients are unaware of and unconcerned with the technical complexities that define the employment relationship and generally seek medical treatment without regard to who the physician will be. Accordingly, “public has every right to assume and expect that the hospital is the medical provider it purports to be.”21 Consequently, since few patients presenting for care will specifically request an individual physician and patients during a disaster are likely to seek treatment in emergency departments rather than from individual physicians, the ostensible agency theory is likely to be relevant in litigation cases arising from crises.
As noted previously, legal protections for volunteer health professionals rarely extend to hospitals and other organizational entities providing healthcare and health services. Some hospitals may possess civil liability protections in their role as government entities or emergency care providers through specific grants of immunity during public health emergencies. These protections would grant these hospitals sovereign immunity because of their status as public institutions or as hospitals affiliated with state government. Sovereign immunity essentially removes the legal routes through which these facilities may be sued. City- or county-run hospitals may be considered state entities by some courts, effectively granting them the same protection from liability as healthcare facilities affiliated with the state. However, other courts consider hospital administration as a corporate undertaking, and therefore not within the sphere of state action and not protected by sovereign immunity. In addition, some states have greatly reduced or even eliminated this type of protection. Furthermore, sovereign immunity is curbed in many states through tort claims acts, which effectively waive sovereign immunity for government actors and agents acting within their official capacities.22
As demonstrated by some U.S. states, hospitals do not entirely lack safeguards. In Oregon, designated emergency healthcare facilities enjoy immunity as state agents for any claim arising out of the provision of uncompensated medical care in response to a declared emergency. In Minnesota, the governor can “grant immunity to organizations and individuals providing health care services during a declared emergency when good faith acts or omissions cause harm during emergency care, advice, or assistance.” The Department of Health in Hawaii is statutorily empowered to enter into agreements with healthcare providers, including healthcare entities, to control infectious epidemics that require more resources than the department itself can provide. When a hospital acts pursuant to such an agreement, they “are not liable for any personal injuries or property damage resulting from the performance of their duties, absent willful misconduct.” The state legislation in Louisiana immunizes hospitals and healthcare entities from liability resulting from injury or damage to people or property during a state-declared emergency, except in cases of gross negligence or willful misconduct. However, the lack of adequate planning for disasters could be considered gross negligence.23
Legal Framework for Disaster Medicine and Public Health Emergencies: Public Health Powers
In the United States, the foundation of both the “normal” and “disaster” legal system is the Constitution that created the federal system of government. In this system, it is state governments, and not the federal government, that have primary authority and responsibility to protect public welfare. In the Constitution, states granted enumerated powers to the federal government, including authority over interstate and foreign commerce, national defense, and the right to tax and spend for the public welfare. Yet the states retain their basic police power – the power to place restrictions on people and property and business to protect the public.
The U.S. system of federalism devised by its founders is reflected throughout the medical system. Acting under its police power authority, states have created licensing and certification requirements for hospitals, physicians, nurses, pharmacists, and other medical professionals. State statutes specify rules for reporting of communicable diseases and other public health concerns (such as unsafe conditions in restaurants), and empower public health officials to take action (impose quarantine, or close restaurants) to protect the public. State law is also generally responsible for determining the standards of care applicable to the medical system and these standards are enforced through state court judgments in the medical malpractice system.
The federal government nonetheless also exerts extraordinary power over the medical care system. Communicable diseases can spread across state and international boundaries – allowing the federal government to exercise its power over international and interstate commerce and impose federal rules to prevent transmission of disease. For example, federal legislation authorizes federal quarantine within a state on findings that a state’s quarantine efforts are ineffective.24 Similarly, because pharmaceuticals and medical supplies are sold in interstate commerce, the federal government has authority to regulate drug manufacture and use. Federal taxes fund the Medicare and Medicaid programs that pay for 23% and 17%25 of the medical care provided in the United States, respectively. As a result, federal requirements placed on medical care providers who treat Medicare or Medicaid patients are enforced by federal civil and even criminal penalties. These requirements include protection of patient records and service obligations in addition to billing and reimbursement procedures.
In the United States, officials at all levels of government have broadly worded authority to take action in the face of “imminent threats,” to “save lives, defend property, and protect the public health and safety.” This authority can extend to actions that would normally be viewed as blatant violations of constitutionally protected rights to “life, property and the pursuit of happiness.” These actions include seizure or destruction of property (including hospitals, medical supplies, or even animals); voluntary or mandatory evacuation of people from (or detention of people in) a facility or geographic area; or even mandatory treatment of persons.26,27 For some of these actions, the government may be required to provide compensation. For others, the government may provide discretionary disaster assistance, and for still others, individuals and businesses are not provided any additional resources.
Mandatory evacuation may be difficult to enforce in some societies. There are a wide range of enforcement schemes for mandatory evacuation orders. For example, mandatory detention of tuberculosis patients who refuse to complete a drug regimen may include physical restraints. A “mandatory” evacuation in advance of a hurricane or a fire can be enforced by forcibly transporting evacuees to safe areas or by simply notifying residents of the danger and, if they refuse to leave, requesting them to provide authorities with contact information for their next of kin.
As demonstrated during the 2009 H1N1 influenza pandemic, the U.S. federal government has a procedure to waive federal requirements applicable to healthcare facilities during public health emergencies. At the time, President Obama declared H1N1 influenza a national emergency given that “the rapid increase in illness across the Nation may overburden healthcare resources and that the temporary waiver of certain standard Federal requirements may be warranted in order to enable U.S. healthcare facilities to implement emergency operations plans.”28 This declaration, combined with the Department of Health and Human Services (HHS) secretary’s declaration of H1N1 as a public health emergency, allowed healthcare facilities to petition HHS under Section 1135 of the Social Security Act29 for waivers of regulatory requirements implicated by the emergency.
Provider Obligation to Protect Patient Rights
Privacy
The patient-doctor relationship is a sacred trust and medical files contain a great deal of highly personal information. These files contain data not just about the state of a patient’s health, but about the patient’s habits, family, finances, sexual practices, and sexual orientation. Proper sharing of patient information (with multiple medical specialists and with third-party payers) is critical to achieve appropriate medical care and for successful healthcare system operations. In the United States, however, disclosure without patient consent in accordance with specific provisions is prohibited, frequently by multiple statutory and regulatory provisions. Most medical providers use well-developed procedures to assure that any exchange of patient information complies with law.
During disasters, sufficient resources to comply with these procedures may be lacking. Circumstances may force additional disclosures, and trigger exceptions to “normal” disclosure requirements. For example, in the aftermath of a catastrophic disaster, locating missing persons, while respecting patient privacy, can be difficult. Finding relatives of family members to authorize treatment and determining what medical information to provide family members and the general public are additional challenges. Disaster conditions also require hospitals and medical personnel to operate in stressful, rapidly changing, and uncertain situations. Despite this environment, the need to share information and keep the public informed must be weighed against the privacy rights of patients and their families. Federal and state laws governing the release of patient information are generally unchanged in the setting of a disaster; however, there are provisions for information sharing in emergent settings. Typically, a provider should obtain patients’ verbal permission for a disclosure of health information, and patients should be “informed in advance of the use of the disclosure,” when possible.30
Federal Health Insurance Portability and Accountability Act Requirements and Protected Health Information in the United States
One of the more detailed regulatory systems governing protection of personal healthcare information is that in the United States. A detailed discussion of this system and its provisions for public health emergencies illustrates the issues that any healthcare system must address. The U.S. regulations on confidentiality were developed in the year 2000 pursuant to the Health Insurance Portability and Accountability Act (HIPAA). This act was primarily intended to address difficulties experienced when employees with employer-provided health insurance changed jobs – but this required regulators to address how to protect patient privacy when transferring health records to the new employer. This requirement for protecting privacy while addressing the portability of insurance led to a comprehensive federal regulation governing how participants in the medical care system – care providers, laboratories, and third-party payers, such as insurance companies – maintain, protect, and disclose what is defined as protected health information (PHI). To assure appropriate attention to the privacy interest of patients, HIPAA requires that medical care providers and payers have a documented privacy policy and appoint a privacy official and contact person responsible for training the workforce in PHI privacy policy.31
HIPAA allows healthcare providers to share a patient’s PHI as necessary to provide treatment, payment, or healthcare operations; this sharing of information applies during disaster events just as it does in “normal” times.32 Treatment includes coordinating patient care with others, such as emergency relief workers or personnel at potential referral receiving sites. Furthermore, where required or necessary to prevent or control disease, injury, or disability, disclosure to a public health authority is expressly authorized by HIPAA.33
State legislation largely echoes the provisions of federal HIPAA regulations. Some states further delineate permissible activities for sharing PHI. For example, California legislation expressly permits the communication of PHI between emergency medical personnel by radio transmission or other means.34
Location/Health Status
HIPAA generally permits providers to share very limited information concerning a patient’s location and general condition (including death) as necessary to identify, locate, and notify family members or guardians.35 Therefore, if necessary, a hospital may inform the police, press, or the public at large to the extent necessary to help locate, identify, or otherwise notify family members as to the location and general condition of the patient. Federal regulations also permit the sharing of basic information, including the patient’s identity, residence, age, sex, and condition, to disaster relief organizations without patient consent if necessary to facilitate disaster response.36 Even when disclosures are permitted by HIPAA, however, providers must be aware of any state statutes that might restrict release of patient information. California law expressly permits disclosure of basic patient information to state or federally recognized disaster relief organizations,37 and Arkansas has adopted basic HIPAA disclosure provisions,38 but other states have not done so and may have more stringent restrictions on disclosure. There is some confusion about whether HIPAA rules permitting disclosures preempt state laws.39 What is clear is that, under normal circumstances, when a patient incapable of communication arrives at a hospital, the facility must attempt to make contact with a family member or surrogate within 24 hours – a requirement that is suspended during periods of disaster.40
Hurricane Katrina in August 2005 in the United States forced the rapid evacuation of more than 1 million residents. In the process of evacuation, many families were separated. Isolated individuals included parents and other caregivers, children, and grandparents. This disaster exposed the challenges associated with effective federal government evacuee tracking and family member reunification. As a result, in the post-Katrina Emergency Management Reform Act of 2006,41 Congress enacted legislation requiring the Federal Emergency Management Agency (FEMA) administrator to establish a: 1) National Emergency Child Locator Center (in cooperation with the U.S. Attorney General) within the National Center for Missing and Exploited Children; and 2) National Emergency Family Registry and Locator System. The former provides information about displaced children and serves as a resource for adults who have information about displaced children; the latter focuses on allowing displaced adults to register, furnish personal information to a database, and make this personal information accessible to “those individuals named by displaced individuals.”41 Implementation of this section requires a memorandum of understanding with the Department of Justice, and HHS, the American Red Cross, and “other relevant private organizations.”41 This system should help medical providers in their efforts to locate a patient’s next of kin.
Public Health Officials
In the United States, HIPAA allows disclosure of PHI to a “public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions.” This authorization also permits disclosures to “a person or entity other than a public health authority” if it can demonstrate that it is acting “to comply with requirements of a public health authority.” PHI can also be disclosed to a person who may have been exposed to a communicable disease or is at risk of spreading a disease (for example, sexually transmitted disease), “and is authorized by (state) law to be notified as part of public health intervention or investigation.” These specific provisions governing disclosure to public health officials that facilitate public health interventions are even more important during a public health emergency than during “normal” times. The provision in the HIPAA rule authorizing disclosure of PHI to law enforcement officials “to help identify or locate a suspect, fugitive, missing person,” and “to provide information related to victim of crime” is even more critical during public health emergencies, particularly those that are triggered by criminal or terrorist activity.42
Immediate Danger
HIPAA further permits the disclosure of PHI without consent or prior notification when “necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.”43 This exception is particularly important when communicable disease is involved; it allows disclosure of a patient’s communicable disease status without the patient’s consent to other persons (such as a patient’s spouse or partner) to protect them from exposure.
Reporting and Recordkeeping Requirements
Even where disclosures of PHI are fully authorized, and even if those disclosures are in the midst of a public health emergency, HIPAA requires that the entity making the disclosure track when the disclosure was made, and to whom. Authorities must make this information available to the patient on request.44 As a result, when developing their emergency plans, medical providers in the United States must pay special attention to ensuring that they will have systems to document the disclosures that they make, whether required or permitted, of a patient’s PHI.
Related posts:
Full access? Get Clinical Tree
