Thursday, September 3, 2009

Navigating HIPAA and FERPA in an Interoperable Emergency Communications World

By: Joe Mazzarella, Chief Legal Counsel

The current United States homeland security and national emergency response policy as reflected in the National Response Framework (NRF), National Emergency Communications Plan (NECP) and National Incident Management System (NIMS) is correctly focused on implementing a scalable and cohesive “all hazards and all disciplines” emergency planning and incident response capability across all levels of government. The implementation of this policy is facilitated through a seamless interoperable communications continuum and information environment. Through this environment, public safety agencies and other critical or key community assets can collaborate and coordinate in real time during incidents to achieve force and resource multiplication, greater situational awareness and enhanced response. In this world, first responder agencies are linked with important community assets including schools, hospitals, utilities and other key private entities. The implementation of such a cohesively linked emergency communications sharing environment (which is nothing short of essential to improving overall national emergency preparedness and response capabilities to deal with an increasing array of natural and manmade incidents) must also coexist within a framework of privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

HIPAA is designed to protect the medical privacy of individuals and limit the unnecessary sharing and disclosure of personal medical information through or by covered groups that routinely house, access and transmit health information, such as hospitals, medical facilities and medical clearinghouse and billing services. Yet, hospitals and medical facilities play vital roles in emergency incident response and crisis recovery efforts. FERPA, like HIPAA, is also a privacy law, one directed at protecting the privacy of students and their educational records. Notably, student educational records often contain important family and health information. Like hospitals, schools (albeit for different reasons) are also at the center of emergency planning and response initiatives. It is well recognized that school populations are high priority, vulnerable community assets, and close coordination and communication between schools and public safety agencies is essential to improving overall emergency readiness. In both cases, we see two key participants in the overall homeland security and emergency response landscape that have unique information privacy laws that may limit the disclosure and sharing of important information in the event of a crisis.

Fortunately, however, this is not the case. Simply put, neither HIPAA nor FERPA interferes with or hampers emergency response efforts. In fact, in each case, they are narrowly drawn in this area and provide ample room to enable both public and private emergency response entities, including “covered entities”, to communicate and share necessary information to carry out emergency response and crisis management functions.

Within the context of interoperable communications systems, the operative function and effect is to enable many diverse parties to communicate and share information across boundaries. In the minds of some, this aspect of multiparty participation raises the concern that some participants within a communications group may not be entitled to private or protected information, and that disclosure within this context raises the potential for inadvertent violation of these laws. This question naturally leads to the next. Do these laws require authorization levels to be established to ensure only certain participants join in group communications where certain types of protected information are to be shared? Further, must the type and scope of information that may be shared or disclosed be tailored based upon the identity of the parties that are participating in a joint communication session? Thankfully, the reality is that these questions and concerns are implicitly handled in emergency contexts, assuming covered entities under HIPAA employ the standard operating policies that they already have in place and good faith reasonable judgment is used by all in light of the circumstances at hand. As a general proposition, neither privacy law restrains or prevents the flow of important information where it will protect the health, welfare, or safety of the subject individual whose privacy is being protected or of those in logical and circumstantial proximity to the individual.

HIPAA. HIPAA, along with imposing uniform data coding practices, generally prohibits the unauthorized electronic disclosure of a patient’s protected health information (PHI). This prohibition is comprised of two main thrusts, one aimed at transactional privacy, and the other at ensuring data security. The rules in this area are manifold and complex. However, HIPAA is limited only to “covered entities” and there are safe harbor exceptions for various circumstances where the public interest outweighs individual privacy.

Generally speaking, covered entities are hospitals, medical facilities, health providers, and medical billing entities. HIPAA does not apply to public safety responders and agencies, including EMS (however private ambulances and those owned by, or affiliated with, a covered entity are subject to the law). Non-health care related entities and schools (except in limited cases of on-site school health clinics) are not covered. Moreover, entities that may store medical information as part of their overall function, such as independent living centers, social agencies, public health care agencies, transit organizations, and non-governmental organizations like the Red Cross, are not covered entities. Thus, most participants within any community-wide or pervasive interoperable communications environment are not subject to HIPAA. Yet, as noted, health and medical entities do play a major role within the emergency response environment and are covered by HIPAA.

Covered Entities. Given that many covered entities would participate within an interoperable emergency response communication system, an issue that does arise is how covered entities can participate without running afoul of HIPAA. The most likely circumstance where concerns would arise is in the case of emergencies or incidents where responding or participating parties may be requesting medical or health status information on one or more individuals from a covered entity (such as a hospital or medical provider). However, HIPAA makes provision for the disclosure of necessary information in emergencies.

HIPAA Safe Harbors for Emergencies.

Disclosure During Emergencies. The Department of Health and Human Services (“HHS”), the agency responsible for the administration and enforcement of HIPAA, has reaffirmed its position that HIPAA does not prevent the disclosure of medical information in the case of severe emergencies in order to enable necessary medical treatment and related logistical matters. The applicability of HIPAA became a significant issue during Katrina, and HHS acted swiftly and with clarity to provide guidance that HIPAA does not compromise emergency response and relief efforts. Specifically, HHS has articulated the following guidelines:

Treatment Information. Patient medical information may be shared in times of serious emergency:

- with other medical providers (hospitals, clinics, etc.) to aid in the delivery of treatment,

- to enable patient referral and linking with available treatment centers, and

- to coordinate care with emergency relief workers.

Notification. Patient information may be shared as is necessary to enable family members, guardians and others charged with the care of an individual to be identified, located and notified of that patient’s condition and whereabouts. However, to the extent verbal permission can be obtained from the patient, it should be obtained.

Imminent Danger. Providers can share patient information with anyone where it is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public -- consistent with applicable law and the provider’s standards of ethical conduct.

See, Department of Health and Human Services-Office of Human Rights, Hurricane Katrina Bulletin: HIPAA Privacy and Disclosure During Emergency Situations, Sept. 2, 2005, and Hurricane Katrina Bulletin 2: Compliance Guidance and Enforcement Statement, Sept. 9, 2005.

Hospitals and health care providers, however, should take note that emergencies do not relieve covered entities from establishing appropriate agreements in advance with respect to their business associates (i.e., agents) that house, store, maintain or administer information on their behalf. HHS makes it clear that business associates and covered entities must have a business associate agreement in place to ensure general compliance with HIPAA privacy requirements. Within these agreements, provision and consideration can be made for information sharing in cases of emergency. HHS has published a sample business associate contract that may be used and adapted to fit the relationship that may exist between the covered entity and its business associate. See 45 CFR 164.504(e)(2)(ii)(D). The sample contract can be found on the internet at:

Accordingly, as part of any hospital’s or other health care provider’s emergency preparedness efforts, appropriate due diligence should be undertaken to identify whether any third party agents hold or provide information that may be required to be disseminated or shared during a crisis, and to make sure a business associate agreement is in place to avoid a possible disruption or delay in furnishing key information during an emergency.

FERPA Safe Harbor for Emergencies

While HIPAA governs protected health care information, it does not cover health care information that is part of a student’s educational records. Health care information that is stored and maintained by schools (with the exception of on-site health clinics which process and seek insurance payments), although medical in nature, is considered part of a student’s “educational records” under FERPA rather than HIPAA. See, Department of Health and Human Services and U.S. Department of Education, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records, Nov. 2008. Consequently, one must look to FERPA with regard to disclosure of student information in times of emergency.

Again, like HIPAA, FERPA permits the disclosure of information within educational records to appropriate third parties without any consent in connection with an emergency. The information that is permitted to be disclosed, however, must be necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36.

See, also,

Conclusion. Overall, neither HIPAA nor FERPA offers any serious obstacle to the implementation of cohesive, real time interoperable communications and information sharing systems for emergency preparedness and response, and both can coexist quite well with the broad goals of pervasive interoperable communications collaboration envisioned within the homeland security and emergency preparedness realms. Express safe harbor provisions are made to accommodate the reasonable disclosure and sharing of information among entities that are participating within the context of an emergency incident. In each case, the protection of the health and safety of individuals under the exigent circumstances of an emergency is the operative standard by which agencies and participants may collaborate.

As is the case with any subjective standard regarding what circumstances constitute an “emergency” and what information is “necessary”, good faith and reasonable judgments must prevail. In this regard, for entities that are covered under HIPAA and for those holding student educational records, establishing clear guidelines and policies that assist in evaluating a request for information within the context of any emergency is important. Integrating these policies into an emergency preparedness and response plan may help to support any subsequent challenge to the necessity and propriety of a disclosure by showing it was undertaken based on a well-reasoned policy and on a good faith belief that the disclosure was appropriate and necessary. Perhaps even more importantly, in times of emergency the effective mitigation of harm and a successful aid response may turn on the speed with which critical information is shared with responding parties. Delays in responding to information requests caused by uncertainty or by time-consuming ad hoc legal or unplanned administrative reviews could adversely impact a timely emergency response effort.

Overall, while participants should be vigilant and make proper efforts to prepare for emergencies and integrate sound and lawful information sharing policies into their plans, it should be fundamentally recognized that neither FERPA nor HIPAA should serve as an obstacle to hospitals and schools participating in an interoperable emergency communications platform with other critical community participants. In fact, based upon the prevailing emergency preparedness and homeland security recommendations and policies, the failure to reasonably do so may be viewed as unreasonable in light of generally accepted standards of good security and emergency preparedness practice, to the extent participation is available within your community.

Special Note. This article is provided for general information purposes only and does not constitute legal advice upon which a reader may rely. Interested parties are encouraged to consult with their legal advisers. FERPA and HIPAA are not the only privacy laws which may be applicable to you. Many states also have privacy laws which may apply to you.