Orlando shooting: No HIPAA waiver needed or granted
EMS organizations must have a HIPAA policy to direct when and who can provide information about a patient
By Margaret Keavney
After the mass murder in an Orlando night club, many injured patients were taken to Orlando Regional Medical Center, a level-one trauma center. According to reports, the hospital CEO contacted Orlando Mayor Buddy Dyer, requesting that the mayor's office ask the White House to waive the HIPAA regulations to allow the hospital to communicate with the families of the injured and dead.
It has been widely reported that a HIPAA waiver was granted. It was not. A HIPAA waiver wasn’t needed in the immediate aftermath of this mass shooting.
One purpose of HIPAA is preserving the privacy of a patient's health information. After a sudden traumatic injury, like an auto collision or the tragic shootings at the Orlando nightclub, families rush to or call the hospital to see if their loved one was among the injured or killed.
Unlike when family members arrive at the hospital with the patient, it is not clear to hospital staff who is related to the patient and who might be a news reporter or person otherwise not entitled to the patient's information.
In such circumstances, hospitals often default to giving out no information. If you’ve ever had a hospital not want to share information on a patient you are transporting "because of HIPAA," you have experienced this yourself.
The CEO’s plea to the mayor shows how ingrained the HIPAA mindset is in health care. The hospital wanted to release information to family members, but felt it was prohibited by HIPAA. However, it is not.
Reading the law
The ability to share patient information with family already exists within the HIPAA regulations. Here's what it says from 42 CFR 164.510(b)(3).
"If ... the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is ... needed for notification purposes."
EMS organizations should have clear, written policies and instructions for release of information in the event a patient does not have family or friends present upon EMS arrival. The policy should identify who within the agency is allowed to give out information of patient destination and disclose other information that would be in the patient’s best interest.
Since we deal with emergencies every day, we need that policy every day, not just in the case of a mass-casualty incident like the Orlando shooting. The daily use or potential use of a written policy makes following the policy in the event of a disaster more likely.
EMS projects confidence and calm to patients and their families when we know what we can say and who can say it.
About the author:
Margaret Keavney, JD, MHA, NAAC Certified Ambulance Compliance Officer, is a partner with the New Jersey law firm of Keavney & Streger, providing counsel to EMS agencies on employment law issues, compliance, HIPAA, and regulatory issues. For more information, visit the website, connect with Ms. Keavney on Facebook, or follow her on Twitter @keavneylaw.