Skip Navigation U.S. Department of Health and Human Services
Agency for Healthcare Research Quality
Archive print banner
Recommendations for a National Mass Patient and Evacuee Movement, Regulating, and Tracking System

This resource was developed by AHRQ as part of its Public Health Emergency Preparedness program, which was discontinued on June 30, 2011. Many of AHRQ's PHEP materials and activities will be supported by other Federal agencies. Notice of transfer to another agency will be posted on this site.

This information is for reference purposes only. It was current when produced and may now be outdated. Archive material is no longer maintained, and some links may not work. Persons with disabilities having difficulty accessing this information should contact us at: Let us know the nature of the problem, the Web address of what you want, and your contact information.

Please go to for current information.

Appendix B: Legal Issues

When the National System is activated, feeder systems (i.e., local institutional records systems and tracking systems) will transmit identifying information on patients and evacuees to the National System, where this information will be accessible to authorized users.  While the rules as to which users can view identifying information, as opposed to aggregate data, are to be determined later, the exchange of identifying information presents various legal and regulatory issues.  In brief, these issues are:

  • Protection of identifiable health information (HIPAA) and other privacy standards.
  • Patient information systems and retention of records.
  • Complaint and incident reporting.
  • Hospital requirements for discharge planning.
  • Reportable diseases, isolation and quarantine, and contact tracing.

The sections below present Federal legal and regulatory issues, as well as State and local issues.  The States vary somewhat and this variation is revealed through analysis of four States' relevant regulations.

Relevant Federal Legal and Regulatory Issues

Patient Information and Privacy Standards

Patient information and privacy of health information are addressed in the regulations pertaining to the Medicare conditions of participation (COP) for hospitals and the Health Insurance Portability and Accessibility Act of 1996 (HIPAA).  This section describes the standards provided in these two sets of regulations.16

The COP requires that hospitals have a medical record service that maintains patient records for every patient in the hospital and that allows for easy and timely retrieval of patient records.17  The regulations relate to the organization and staffing of the medical record service, the form and retention of the medical record, and the content of the record. 

Form and retention of record. "The hospital must maintain a medical record for each inpatient and outpatient. Medical records must be accurately written, promptly completed, properly filed and retained, and accessible. The hospital must use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries."  The regulations also contain specific requirements concerning the content of the medical record for hospital inpatient stays.  The hospital must have an indexing system for timely retrieval of records by diagnosis.  The regulations further stipulate that medical records must be retained in their original or legally produced form for a period of at least 5 years.   In addition, the hospital must have a procedure to ensure the confidentiality of records.

The patient and evacuee tracking system will contain health status information.  It may also contain more detailed medical information (when available).  In the event that anyone questions/challenges the way the system contributed to patient care, or should there be litigation on behalf of one or more patients, all medical information should be retained for a time following a mass evacuation event.  It is not clear how long the data should be retained, but the system will need to be designed to save all the patient-level records and retrieve them (by patient name).  Hospitals that treat patient-evacuees might also want to be able to merge the records from the national tracking system into the patients' electronic medical records.

Health Information Privacy. The HIPAA privacy regulations require protection of individually identifiable health data.  The regulations protect every data element of a patient's individually identifiable health information when the patient is in custody of a covered facility.  The data elements that must be removed from each record to meet minimum standards under the privacy rule include:

  • Names.
  • Geographic subdivisions smaller than a State.
  • Dates related to an individual except month.
  • Age except when grouped into categories.
  • Telephone and fax numbers.
  • Electronic mail addresses and URLs.
  • Social Security numbers.
  • Medical record numbers.
  • Account numbers.
  • Health insurance beneficiary numbers.
  • Certificate and license numbers.
  • Vehicle serial numbers and license plate numbers.
  • Biometric identifiers.
  • Full-face photographs.
  • Other unique identifying codes and characteristics.

The HIPAA Privacy Rule applies to 'covered entities' that are generally defined as health care providers, health plans including private entities and government programs such as Medicare and Medicaid, and health care clearing houses such as billing services.18 We assume that the rule would also apply to the patient and evacuee tracking system. 

While the Privacy Rule encompasses a large number of data elements and applies to numerous entities that transfer health information, the Privacy Rule attempts to balance the protection of individual health information with the need to protect the public's health.19  The Rule contains special provisions for circumstances when private health information may be disclosed.  First, the rule permits the use and disclosure of certain protected health information to public health authorities for public health purposes including but not limited to public health surveillance, investigations, and interventions.20  Second, HIPAA permits disclosure of protected health information when required by other Federal, State, tribal, or local laws.21  Third, certain types of private health information may be disclosed for the purpose of research. 

It is not clear whether these exceptions would apply during a mass-casualty evacuation event—but probably not. Each exception is very specific and legal analysis may be needed. Clarification from the Federal government would be helpful for communities actively involved in disaster preparedness planning.

Return to Contents

Relevant State Legal and Regulatory Issues

Patient Information and Privacy Standards

We examined related regulations in four States to understand the variability and issues that might arise in a multi-State evacuation.  We chose States likely to have different regulatory environments: Massachusetts, Illinois, Texas and Kansas.

Massachusetts:  Every licensed hospital, including the surge facility, must maintain medical records for each of its patients in accordance with Massachusetts General Laws (MGL) Chapter 111, Section 70 (see above) for a period of at least 30 years.  A copy of the medical record must be made available to the patient or the patient's authorized representative for a reasonable fee.

Illinois:  Illinois requires that every licensed hospital must maintain an "adequate, accurate, timely, and complete" medical record for each patient.22   The regulations specify that these records must be housed safely to prevent unauthorized use and to protect the records from damage by water or fire.  The State requires that a registered medical record administrator or accredited medical record technician be responsible for overseeing the hospital's record department.  Medical records or photographs of such records must be preserved in accordance with the American Hospital Association's recommendation and legal opinion on record retention and preservation.  In addition, each licensed hospital would need to have a policy for preservation of records should the hospital close.  As in Massachusetts, a surge facility would need to comply with these requirements.  

Kansas:  Kansas regulations require that patient records be kept on file for 10 years after the date of last discharge of the patient and a summary be kept on file for 25 years.  The regulations further stipulate that the records are the property of the hospital and should not be removed from the premises except as authorized by the governing body of the hospital or for purposes of litigation.23  These requirements may pose a challenge for a surge facility, particularly with respect to the on-site storage of the medical records.  The hospital's governing body would need to permit the removal of the records at the conclusion of the disaster. 

Texas:  Texas requires that patient records be kept on file for at least ten years.  Films and other image records must be retained for 5 years.  The regulations specify that if the hospital should close, the hospital must notify the Department of Health about the location where the records are stored and contact information for the custodian of the records.  As described above, a surge facility would need to comply with these requirements.

Return to Contents

Complaints and Incident Reports

We examined the procedures for complaints and incident reports in the same four States, to understand how State laws vary in ways that could be important during a multi-jurisdictional mass evacuation event.


Complaints.  Every hospital must develop a written procedure for investigating serious complaints against hospital employees or members of the medical staff.24  A senior member of the hospital staff must serve as a complaint officer and oversee the investigations.  There must be a clear, written procedure for reporting and investigation of complaints.  A similar procedure may need to be established for the tracking system, in case there are complaints about care provided during a mass evacuation—either at a facility or in transit.

Incident Reports.  In Massachusetts, health care providers are required to report immediately by telephone to Massachusetts Department of Public Health (MDPH) any of the following serious incidents and accidents that take place on the hospital premises:25

  • Fire.
  • Suicide.
  • Serious criminal acts.
  • Pending or actual strike action by its employees and contingency plans for operation of the hospital.
  • Serious physical injury to a patient resulting from an accident or unknown cause.

In addition, a written report must be filed with the MDPH of any serious incidents occurring on the licensed premises of the hospital that seriously affect the health and safety of its patients.  All of these requirements may apply to incidents like these that take place in shelters or other evacuation facilities, or during transit.

Illinois:  Illinois requires that each hospital report to the Department of Public Health any incidents or occurrence that puts patients at immediate jeopardy that requires the transfer of patients to other parts of the facility or to other facilities.  Each report must be filed within 2 working days of the incident.  Occurrences requiring reporting include but are not limited to fire, flood, and power failure.26 In addition, Illinois requires reporting the death of a pregnant woman or the death of a woman within 1 year of the termination of a pregnancy27 and special circumstances related to mothers and infants and discharges of children released to someone other than their natural parent,28 such as communicable diseases.29 These requirements would probably apply during the evacuation of patients and others.

Kansas:  Kansas also requires hospital risk management committees to review all clinical concerns raised by hospital employees, evaluate the level of risk, and report those meeting certain requirements to the licensing agency.30

Texas:  Texas regulations require reporting of fire and other safety-related incidents.  In addition, Texas hospitals must develop emergency plans to be put into effect if an incident affecting patient safety were to occur.31  Incidents that occur during a mass evacuation may require reporting, but emergency plans to prevent future occurrences are unlikely during a mass evacuation.

Return to Contents

Patient Rights

We similarly examined the four States' regulations concerning patient rights.

Massachusetts: MGL Chapter 111, Section 70E, confers certain legal rights upon patients at hospitals and other health care facilities, including the right of every patient to choose the facility at which the patient will be treated.  Although this right is suspended in the event a patient requires emergency medical treatment, the patient ordinarily may refuse to be transferred from one health care facility to another (e.g., transfer from a hospital to a skilled nursing facility or another hospital).  Exercise of this right may interrupt the flow of patients during an evacuation, but this is unlikely as patients will wish to be evacuated out of harm's way.  However, this right to choose one's health care facility is embedded in a statute; there is no waiver available that would allow officials to override the patient's decision.

Illinois:  Section 250.260 of Title 77 of the Illinois Administrative Code "recommends" that hospitals adopt a written policy on patients' rights and that should be available to all patients.  That section requires that hospitals have a written plan for the provision of spiritual, emotional, and attitudinal health of the patient, patients' families, and hospital personnel.  These required plans may need to be waived during a mass evacuation.

Kansas:  Kansas' Hospital Regulations 28-34-3b confers legal rights to inpatients and outpatients at Kansas hospitals. The regulations do not include provisions for choosing the facility at which the patient is treated.

Texas: Texas Hospital Licensing Rules provide detailed requirements for hospitals regarding patient rights, however, these requirements do not include provisions for selecting the facility at which the patient is treated.32

Return to Contents

Discharge Planning; Advocacy Office


Discharge Planning.  Massachusetts requires every licensed hospital to develop a comprehensive discharge planning service for its patients.33  Medicare rules for discharge planning are incorporated directly into the Massachusetts regulations.  The regulations are unusually specific about certain requirements for the discharge planning service (e.g., for Medicare patients, the regulations set forth the minimum size of the type to be used on the front page of every individual patient discharge plan).  The discharge planning service must be multi-disciplinary and responsible for coordinating the transfer of patients to either an independent living situation or another institution.  As with any hospital, patients may be discharged from a surge hospital facility for a variety of reasons, including a need for a more acute level of care than is available from the surge hospital, to return home if medical care is no longer needed, or to transfer to another type of health care facility, such as a skilled nursing facility.  Traditional discharge planning will not occur during a mass evacuation.  The patient and evacuee tracking system will be designed to assist transportation of patients so that those needing hospitals services are transported to a hospital.  In a sense it will be used to support appropriate discharges from imperiled hospitals; but it will not comply entirely with these Massachusetts regulations.

Advocacy Office. Acute care hospitals that serve Medicare patients in Massachusetts are required to take certain steps to protect the rights of Medicare beneficiaries.34  Hospitals are prohibited from taking any discriminatory action against any patient based upon the patient's status as a Medicare beneficiary.  A notice of rights must be distributed to every Medicare beneficiary.  In the event a Medicare beneficiary believes a hospital engages in discriminatory behavior or provides inadequate discharge planning, the beneficiary has a right to file a complaint with the Advocacy Office within the MDPH.  The Advocacy Office has the authority to investigate complaints from Medicare beneficiaries, encourage negotiated resolution of complaints and issue Notices of Final Disposition in the event negotiated resolutions cannot be achieved.  Although this report does not discuss payment issues, Medicare beneficiaries are almost certainly going to be in the patient population being evacuated and any complaints about patients not being transported to appropriate health care facilities could be investigated.  Again, the tracking system's records will need to be retained in case they are needed during any subsequent investigation. 

Illinois:  Illinois requires that hospitals have written policies for admission, discharge, and referral of all patients who present themselves for care.  In addition, Illinois regulations include the Medicare requirement that hospitals provide 24-hour notice to Medicare beneficiaries prior to discharge along with information concerning their right to appeal.35  Otherwise, Illinois regulations regarding patient rights do not include provisions for filing a complaint or complaint resolution.36 

Kansas: Kansas regulations include requirements for maternity and infant discharges but are silent with respect to other discharges.  Kansas regulations require the hospital to develop a procedure for responding to patient grievances.37

Texas:  Hospitals in Texas must comply with a detailed list of requirements concerning patient transfers from one hospital to another.  The regulations provide definitions of patients who may be transferred, conditions under which a patient may be transferred, notification requirements regarding the transfer, and parties responsible for the patient during and after the transfer.  The regulations describe transfer from one hospital to another but are silent with regard to discharges home or to another institution.38 Texas regulations also include requirements that all hospitals develop and implement policies to ensure patients' rights, including informing the patient of the hospital's policy for resolving patient complaints.39

Return to Contents

Reportable Diseases, Isolation and Quarantine

The Federal Government (Centers for Disease Control and Prevention [CDC]) requires reporting of certain diseases.  The list is updated periodically; the 2006 list can be found at

The CDC also has guidance regarding patient isolation and quarantine.  A fact sheet can be found at:

The most recent example of patient isolation employed in the U.S. was in 2003 during the SARS outbreak.  The CDC has also created "model" legislation that States can employ to craft their own regulations regarding isolation and quarantine, which can be found at:

States have a variety of regulations which could, in some circumstances, come into play during a multi-jurisdictional mass evacuation event.


Reportable Diseases.  Massachusetts health care providers are required to report certain diseases and medical conditions to their local boards of health.40  The term "health care providers" is broadly defined to include hospitals, physicians, registered nurses and others.  The list of diseases reportable to local health authorities is published at 105 CMR 300.100.  A much shorter list of diseases that are directly reportable to the MDPH by any health care provider is set forth at 105 CMR 300.180(A)-(C).  Finally, the MDPH requires that any unusual illness or any illness that is part of an outbreak or cluster be reported to the appropriate local board of health.  See 105 CMR 300.133-134.  It is possible that someone being evacuated could come down with a reportable infectious disease.  The national tracking system will need a policy regarding reporting, or whether instead the reporting function will remain with the eventual health care provider.  

Isolation and Quarantine.  105 CMR 300.200 authorizes isolation and quarantine for diseases identified as dangerous to the public health.  Local boards of health are usually the entities charged with enforcing these provisions.  The isolation and quarantine requirements, in general, focus on issues of infection control in the overall population and are not limited to, or even intended for, the hospital setting.  For example, the most common restrictions are on food handlers who have contagious infections.  Standard medical reasons for isolating a patient, such as the patient having an open wound or a compromised immune system, are not addressed in the isolation and quarantine regulations.  However, in the event an infectious agent causes a mass casualty event, the Governor and the Commissioner of Public Health, using the governor's emergency powers, have authority to impose isolation and quarantine restrictions beyond those expressed in the regulations. If isolation or quarantine is ordered mid-evacuation, the tracking system would need to be able to find the person(s) to be isolated, and all their contacts—other evacuees and staff—to complete case-finding and institute a quarantine.

Local Authority.  A series of statutes that authorize local authorities to take police action in the event of an outbreak of infectious disease remain in effect even though they have not been enforced for many years41.  These laws allow, in part, for local authorities to break into houses to seize infected persons, to seize hotels, rooming houses and other non-public buildings to house infected persons, and to quarantine individuals in isolation as may be required to protect the public health.  In the event of a mass casualty, some of these laws may be resurrected and enforced.  A possible "touchpoint" might therefore be some sort of quarantine shelter/facility.

Waivers.  105 CMR 300.000 does not have a waiver provision. 

Illinois:  Illinois has very detailed rules for reporting suspected or confirmed cases of infectious, contagious, and dangerous diseases.42  The regulations also place responsibility on an array of health care providers and school personnel for reporting the suspected or diagnosed cases. 

Isolation and Quarantine. Unlike Massachusetts, Illinois regulations refer hospital personnel to the CDC's guidelines for isolation precautions in hospitals.  The regulations follow the CDC's recommendations with respect to the duration of isolation, except for a few specific diseases for which Illinois has developed different requirements.

Local Authority.  The regulations also give authority to the local health authority having jurisdiction over the area in which the suspected or known carrier of a communicable disease resides.  Only the local health authority may establish isolation and quarantine of contacts to a case, carrier, or suspected case of a communicable disease and terminate the isolation and quarantine period.  Like Massachusetts, Illinois law gives the health authorities the right to close to the public any private property in the event of an emergency involving communicable diseases.43 

Kansas:  Kansas regulations require notification of the State department of health and environment by laboratories that yield positive tests for certain diseases.  The regulations define a positive test result and prescribe the information to be reported. It is unlikely that a State department of health would waive this reporting in the case of a mass casualty event, particularly one related to a biologic outbreak.

Isolation and Quarantine. Kansas regulations contain detailed provisions for isolation and quarantine of specific infections and contagious diseases, as well as general provisions for conditions of isolation and quarantine that are not specified in the regulations.44  Like Massachusetts regulations, the regulations in Kansas do not make specific reference to isolation and quarantine in hospital settings.

Local Authority. The general provisions will be ordered and enforced by a local health officer or the secretary of health and environment. 

Texas:  Texas regulations also include detailed provisions for reporting of certain conditions and suspected conditions.  The regulations provide detailed instructions about who must report a condition; timeliness of reporting; information to be reported; and communication between local, regional, and State health authorities.45  These requirements are unlikely to be waived in the case of a mass casualty event.

Isolation and Quarantine. The regulations concerning isolation and quarantine are very general. A health authority may declare a house, building, or apartment to be a place of quarantine.  The regulations do not provide specific requirements for particular diseases nor do they make reference to any specific rules for hospitals. The local health authority will determine the length of quarantine.

Local Authority.  The local health authority has jurisdiction over any events relating to isolation and quarantine. 

There are other laws and regulations on these or other related matters, in various States around the Nation.

16. 42 CFR §482.24; 45 CFR Parts 160 and 164.
17. 42 CFR § 482.24.
18. 45 CFR §160.102.
19. Centers for Disease Control and Prevention. HIPAA Privacy Rule and public health: guidance from CDC and the U.S. Department of Health and Human Services. MMWR 2003;52 (Early Release): page 1.
20. 45 CFR §164.512(b).
21. 45 CFR §164.512(a).
22. 77 Ill. Admin. Code 250.1510.
23. Kansas Hospital Regulations, 28-34-9.
24. 105 CMR 130.330.
25. 105 CMR 130.331.
26. 77 Ill., Admin. Code, Chapter 1, Subchapter b, Section 250.1520.
27. 77 Ill. Adm. Code 657, 77 Ill., 77 Ill. Adm. Code. Subchapter b, Section 250.1830 (i)(2).
28. 77 Ill. Admin. Code, Subchapter b, Section 250.1830 and Section 250.1840.
29. 77 Ill. Adm. Code 690.
30. KAR 28-52-1
31. 25 TAC 133.
32. 25 TAC 133.42.
33. 105 CMR 342-349A.
34. 105 CMR 130.345.
35. 77 Ill Adm. Code 250.240.
36. 77 Ill Adm. Code 250.260.
37. KAR 28-34-3b.
38. 25 TAC 133.44.
39. 25 TAC 133.41.
40. See, generally, 105 CMR 300.000.
41. See, generally, MGL chapter 111, Sections 92-109.
42. 77 Ill. Adm. Code. Section 690.100.
43. 20 UKCS 2105-400.
44. Kansas Disease Control Regulations, 28-1-5 through 28-1-12.
45. 25 TAC 97.1-97.13.

Return to Contents
Proceed to Next Section


The information on this page is archived and provided for reference purposes only.


AHRQ Advancing Excellence in Health Care