This resource was developed by AHRQ as part of its Public Health Emergency Preparedness program, which was discontinued on June 30, 2011. Many of AHRQ's PHEP materials and activities will be supported by other Federal agencies. Notice of transfer to another agency will be posted on this site.
This information is for reference purposes only. It was current when produced and may now be outdated. Archive material is no longer maintained, and some links may not work. Persons with disabilities having difficulty accessing this information should contact us at: https://info.ahrq.gov. Let us know the nature of the problem, the Web address of what you want, and your contact information.
Please go to www.ahrq.gov for current information.
Appendix B: Legal Issues
When the National System is activated, feeder systems (i.e., local institutional records systems and
tracking systems) will transmit identifying information on patients and evacuees
to the National System, where this information will be accessible to authorized
users. While the rules as to which users can view identifying information, as
opposed to aggregate data, are to be determined later, the exchange of
identifying information presents various legal and regulatory issues. In brief, these issues are:
- Protection of identifiable health information (HIPAA) and other privacy standards.
- Patient information systems and retention of records.
- Complaint and incident reporting.
- Hospital requirements for discharge planning.
- Reportable diseases, isolation and quarantine, and contact tracing.
The sections below present Federal legal and regulatory issues, as well as State and local issues. The States vary somewhat and this variation is revealed through analysis of four States' relevant regulations.
Relevant Federal Legal and Regulatory Issues
Patient Information and Privacy Standards
Patient information and privacy of health information are
addressed in the regulations pertaining to the Medicare conditions of
participation (COP) for hospitals and the Health Insurance Portability and
Accessibility Act of 1996 (HIPAA). This section describes the standards
provided in these two sets of regulations.16
The COP requires that hospitals have a medical record
service that maintains patient records for every patient in the hospital and
that allows for easy and timely retrieval of patient records.17 The regulations relate to the organization and staffing of the medical record service, the form
and retention of the medical record, and the content of the record.
Form and retention of record. "The hospital
must maintain a medical record for each inpatient and outpatient. Medical
records must be accurately written, promptly completed, properly filed and retained,
and accessible. The hospital must use a system of author identification and
record maintenance that ensures the integrity of the authentication and
protects the security of all record entries." The regulations also contain
specific requirements concerning the content of the medical record for hospital
inpatient stays. The hospital must have an indexing system for timely
retrieval of records by diagnosis. The regulations further stipulate that
medical records must be retained in their original or legally produced form for
a period of at least 5 years. In addition, the hospital must have a procedure
to ensure the confidentiality of records.
The patient and evacuee tracking system will contain health status information. It may also contain more detailed medical information (when available). In the event that anyone
questions/challenges the way the system contributed to patient care, or should
there be litigation on behalf of one or more patients, all medical information
should be retained for a time following a mass evacuation event. It is not
clear how long the data should be retained, but the system will need to be
designed to save all the patient-level records and retrieve them (by patient
name). Hospitals that treat patient-evacuees might also want to be able
to merge the records from the national tracking system into the patients'
electronic medical records.
Health Information Privacy. The HIPAA privacy regulations require protection of individually identifiable health data. The regulations protect every data
element of a patient's individually identifiable health information when the
patient is in custody of a covered facility. The data elements that must be
removed from each record to meet minimum standards under the privacy rule include:
Geographic subdivisions smaller than a State.
Dates related to an individual except month.
Age except when grouped into categories.
Telephone and fax numbers.
Electronic mail addresses and URLs.
Social Security numbers.
Medical record numbers.
Health insurance beneficiary numbers.
Certificate and license numbers.
Vehicle serial numbers and license plate numbers.
- Other unique identifying codes and characteristics.
The HIPAA Privacy Rule applies to 'covered entities' that are generally defined as health care providers, health plans including private entities and government programs such as
Medicare and Medicaid, and health care clearing houses such as billing services.18 We assume that the rule would also apply to the patient and evacuee tracking system.
While the Privacy Rule encompasses a large number of data elements and applies to numerous entities
that transfer health information, the Privacy Rule attempts to balance the
protection of individual health information with the need to protect the
public's health.19 The Rule contains special
provisions for circumstances when private health information may be disclosed.
First, the rule permits the use and disclosure of certain protected health
information to public health authorities for public health purposes including
but not limited to public health surveillance, investigations, and
interventions.20 Second, HIPAA permits disclosure of
protected health information when required by other Federal, State, tribal, or
local laws.21 Third, certain types of private
health information may be disclosed for the purpose of research.
It is not clear whether these exceptions would apply during a mass-casualty evacuation event—but probably not. Each exception is very specific and legal analysis may be needed. Clarification from the Federal government would be helpful for communities actively involved in disaster preparedness planning.
Return to Contents
Relevant State Legal and Regulatory Issues
Patient Information and Privacy Standards
We examined related regulations in four States to
understand the variability and issues that might arise in a multi-State
evacuation. We chose States likely to have different regulatory environments: Massachusetts, Illinois, Texas and Kansas.
Massachusetts: Every licensed hospital, including
the surge facility, must maintain medical records for each of its patients in
accordance with Massachusetts General Laws (MGL) Chapter 111, Section 70 (see above) for a period of at
least 30 years. A copy of the medical record must be made available to the
patient or the patient's authorized representative for a reasonable fee.
Illinois: Illinois requires that every licensed
hospital must maintain an "adequate, accurate, timely, and complete" medical
record for each patient.22
The regulations specify that these records must be housed safely to prevent
unauthorized use and to protect the records from damage by water or fire. The State
requires that a registered medical record administrator or accredited medical
record technician be responsible for overseeing the hospital's record
department. Medical records or photographs of such records must be preserved
in accordance with the American Hospital Association's recommendation and legal
opinion on record retention and preservation. In addition, each licensed
hospital would need to have a policy for preservation of records should the
hospital close. As in Massachusetts, a surge facility would need to comply
with these requirements.
Kansas: Kansas regulations require that
patient records be kept on file for 10 years after the date of last discharge
of the patient and a summary be kept on file for 25 years. The regulations
further stipulate that the records are the property of the hospital and should
not be removed from the premises except as authorized by the governing body of
the hospital or for purposes of litigation.23
These requirements may pose a challenge for a surge facility, particularly with
respect to the on-site storage of the medical records. The hospital's
governing body would need to permit the removal of the records at the conclusion of the disaster.
Texas: Texas requires that patient records
be kept on file for at least ten years. Films and other image records must be
retained for 5 years. The regulations specify that if the hospital should
close, the hospital must notify the Department of Health about the location
where the records are stored and contact information for the custodian of the
records. As described above, a surge facility would need to comply with these requirements.
Return to Contents
Complaints and Incident Reports
We examined the procedures for complaints and incident reports in the same four States, to understand how State laws vary in ways that could be important during a multi-jurisdictional mass evacuation event.
Complaints. Every hospital must develop a written
procedure for investigating serious complaints against hospital employees or
members of the medical staff.24
A senior member of the hospital staff must serve as a complaint officer and
oversee the investigations. There must be a clear, written procedure for
reporting and investigation of complaints. A similar procedure may need to be
established for the tracking system, in case there are complaints about care
provided during a mass evacuation—either at a facility or in transit.
Incident Reports. In Massachusetts, health care
providers are required to report immediately by telephone to Massachusetts
Department of Public Health (MDPH) any of the following serious incidents and
accidents that take place on the hospital premises:25
- Serious criminal acts.
- Pending or actual strike action by its employees and contingency plans for operation of the hospital.
- Serious physical injury to a patient resulting from an accident or unknown cause.
In addition, a written report must be filed with the MDPH
of any serious incidents occurring on the licensed premises of the hospital
that seriously affect the health and safety of its patients. All of these
requirements may apply to incidents like these that take place in shelters or
other evacuation facilities, or during transit.
Illinois: Illinois requires that each
hospital report to the Department of Public Health any incidents or occurrence
that puts patients at immediate jeopardy that requires the transfer of patients
to other parts of the facility or to other facilities. Each report must be
filed within 2 working days of the incident. Occurrences requiring reporting
include but are not limited to fire, flood, and power failure.26 In addition, Illinois requires reporting the death of a pregnant woman or the death of a woman within 1
year of the termination of a pregnancy27
and special circumstances related to mothers and infants and discharges of
children released to someone other than their natural parent,28 such as
communicable diseases.29 These requirements would probably apply during the evacuation of patients and others.
Kansas: Kansas also requires hospital risk
management committees to review all clinical concerns raised by hospital
employees, evaluate the level of risk, and report those meeting certain
requirements to the licensing agency.30
Texas: Texas regulations require reporting
of fire and other safety-related incidents. In addition, Texas hospitals must
develop emergency plans to be put into effect if an incident affecting patient
safety were to occur.31
Incidents that occur during a mass evacuation may require reporting, but
emergency plans to prevent future occurrences are unlikely during a mass evacuation.
Return to Contents
We similarly examined the four States' regulations concerning patient rights.
Massachusetts: MGL Chapter 111, Section 70E,
confers certain legal rights upon patients at hospitals and other health care
facilities, including the right of every patient to choose the facility at
which the patient will be treated. Although this right is suspended in the
event a patient requires emergency medical treatment, the patient ordinarily
may refuse to be transferred from one health care facility to another (e.g.,
transfer from a hospital to a skilled nursing facility or another hospital).
Exercise of this right may interrupt the flow of patients during an evacuation,
but this is unlikely as patients will wish to be evacuated out of harm's way.
However, this right to choose one's health care facility is embedded in a
statute; there is no waiver available that would allow officials to override the patient's decision.
Illinois: Section 250.260 of Title 77 of the
Illinois Administrative Code "recommends" that hospitals adopt a written policy
on patients' rights and that should be available to all patients. That section
requires that hospitals have a written plan for the provision of spiritual,
emotional, and attitudinal health of the patient, patients' families, and
hospital personnel. These required plans may need to be waived during a mass evacuation.
Kansas: Kansas' Hospital Regulations 28-34-3b confers legal rights to inpatients and outpatients at Kansas hospitals. The regulations do not include provisions for choosing the facility at
which the patient is treated.
Texas: Texas Hospital Licensing Rules provide detailed requirements for hospitals regarding patient rights, however, these requirements do not include provisions for selecting the facility at which the patient is treated.32
Return to Contents
Discharge Planning; Advocacy Office
Discharge Planning. Massachusetts requires every licensed hospital to develop a comprehensive discharge planning service for its patients.33
Medicare rules for discharge planning are incorporated directly into the Massachusetts regulations. The regulations are unusually specific about certain requirements for the discharge planning service (e.g., for Medicare patients, the regulations set forth the minimum size of the type to be used on the front
page of every individual patient discharge plan). The discharge planning
service must be multi-disciplinary and responsible for coordinating the
transfer of patients to either an independent living situation or another
institution. As with any hospital, patients may be discharged from a surge
hospital facility for a variety of reasons, including a need for a more acute
level of care than is available from the surge hospital, to return home if
medical care is no longer needed, or to transfer to another type of health care
facility, such as a skilled nursing facility. Traditional discharge planning
will not occur during a mass evacuation. The patient and evacuee tracking system
will be designed to assist transportation of patients so that those needing
hospitals services are transported to a hospital. In a sense it will be used
to support appropriate discharges from imperiled hospitals; but it will not
comply entirely with these Massachusetts regulations.
Advocacy Office. Acute care hospitals that serve
Medicare patients in Massachusetts are required to take certain steps to
protect the rights of Medicare beneficiaries.34
Hospitals are prohibited from taking any discriminatory action against any
patient based upon the patient's status as a Medicare beneficiary. A notice of
rights must be distributed to every Medicare beneficiary. In the event a
Medicare beneficiary believes a hospital engages in discriminatory behavior or provides
inadequate discharge planning, the beneficiary has a right to file a complaint
with the Advocacy Office within the MDPH. The Advocacy Office has the
authority to investigate complaints from Medicare beneficiaries, encourage
negotiated resolution of complaints and issue Notices of Final Disposition in
the event negotiated resolutions cannot be achieved. Although this report does
not discuss payment issues, Medicare beneficiaries are almost certainly going
to be in the patient population being evacuated and any complaints about
patients not being transported to appropriate health care facilities could be
investigated. Again, the tracking system's records will need to be retained in
case they are needed during any subsequent investigation.
Illinois: Illinois requires that hospitals
have written policies for admission, discharge, and referral of all patients
who present themselves for care. In addition, Illinois regulations include the
Medicare requirement that hospitals provide 24-hour notice to Medicare
beneficiaries prior to discharge along with information concerning their right
Otherwise, Illinois regulations regarding patient rights do not include
provisions for filing a complaint or complaint resolution.36
Kansas: Kansas regulations include
requirements for maternity and infant discharges but are silent with respect to
other discharges. Kansas regulations require the hospital to develop a
procedure for responding to patient grievances.37
Texas: Hospitals in Texas must comply with
a detailed list of requirements concerning patient transfers from one hospital
to another. The regulations provide definitions of patients who may be
transferred, conditions under which a patient may be transferred, notification
requirements regarding the transfer, and parties responsible for the patient
during and after the transfer. The regulations describe transfer from one
hospital to another but are silent with regard to discharges home or to another
institution.38 Texas regulations also include requirements that all hospitals develop and implement policies to ensure patients' rights, including informing the patient
of the hospital's policy for resolving patient complaints.39
Return to Contents
Reportable Diseases, Isolation and Quarantine
The Federal Government (Centers for Disease Control and Prevention [CDC]) requires reporting of certain diseases. The list is updated periodically; the 2006 list can be found at http://www.cdc.gov/EPO/DPHSI/phs/infdis2006.htm.
The CDC also has guidance regarding patient isolation and quarantine. A fact sheet can be found at: http://www.cdc.gov/ncidod/sars/guidance/index.htm.
The most recent example of patient isolation employed in
the U.S. was in 2003 during the SARS outbreak. The CDC has also created
"model" legislation that States can employ to craft their own regulations
regarding isolation and quarantine, which can be found at: http://www.aclu.org/FilesPDFs/msehpa2.pdf
States have a variety of regulations which could, in some circumstances, come into play during a multi-jurisdictional mass evacuation event.
Reportable Diseases. Massachusetts health care
providers are required to report certain diseases and medical conditions to
their local boards of health.40
The term "health care providers" is broadly defined to include hospitals,
physicians, registered nurses and others. The list of diseases reportable to
local health authorities is published at 105 CMR 300.100. A much shorter list
of diseases that are directly reportable to the MDPH by any health care
provider is set forth at 105 CMR 300.180(A)-(C). Finally, the MDPH requires
that any unusual illness or any illness that is part of an outbreak or cluster
be reported to the appropriate local board of health. See 105 CMR
300.133-134. It is possible that someone being evacuated could come down with
a reportable infectious disease. The national tracking system will need a
policy regarding reporting, or whether instead the reporting function will
remain with the eventual health care provider.
Isolation and Quarantine. 105 CMR 300.200
authorizes isolation and quarantine for diseases identified as dangerous to the
public health. Local boards of health are usually the entities charged with
enforcing these provisions. The isolation and quarantine requirements, in
general, focus on issues of infection control in the overall population and are
not limited to, or even intended for, the hospital setting. For example, the
most common restrictions are on food handlers who have contagious infections.
Standard medical reasons for isolating a patient, such as the patient having an
open wound or a compromised immune system, are not addressed in the isolation
and quarantine regulations. However, in the event an infectious agent causes a
mass casualty event, the Governor and the Commissioner of Public Health, using
the governor's emergency powers, have authority to impose isolation and
quarantine restrictions beyond those expressed in the regulations. If isolation
or quarantine is ordered mid-evacuation, the tracking system would need to be
able to find the person(s) to be isolated, and all their contacts—other
evacuees and staff—to complete case-finding and institute a quarantine.
Local Authority. A series of statutes that
authorize local authorities to take police action in the event of an outbreak
of infectious disease remain in effect even though they have not been enforced
for many years41.
These laws allow, in part, for local authorities to break into houses to seize
infected persons, to seize hotels, rooming houses and other non-public
buildings to house infected persons, and to quarantine individuals in isolation
as may be required to protect the public health. In the event of a mass
casualty, some of these laws may be resurrected and enforced. A possible
"touchpoint" might therefore be some sort of quarantine shelter/facility.
Waivers. 105 CMR 300.000 does not have a waiver provision.
Illinois: Illinois has very detailed rules
for reporting suspected or confirmed cases of infectious, contagious, and
The regulations also place responsibility on an array of health care providers
and school personnel for reporting the suspected or diagnosed cases.
Isolation and Quarantine. Unlike Massachusetts, Illinois regulations refer hospital personnel to the CDC's guidelines for isolation precautions in hospitals. The regulations follow the CDC's recommendations with respect to the duration of isolation, except for a few specific diseases for
which Illinois has developed different requirements.
Local Authority. The regulations also give
authority to the local health authority having jurisdiction over the area in
which the suspected or known carrier of a communicable disease resides. Only
the local health authority may establish isolation and quarantine of contacts
to a case, carrier, or suspected case of a communicable disease and terminate
the isolation and quarantine period. Like Massachusetts, Illinois law gives
the health authorities the right to close to the public any private property in
the event of an emergency involving communicable diseases.43
Kansas: Kansas regulations require
notification of the State department of health and environment by laboratories
that yield positive tests for certain diseases. The regulations define a
positive test result and prescribe the information to be reported. It is
unlikely that a State department of health would waive this reporting in the case
of a mass casualty event, particularly one related to a biologic outbreak.
Isolation and Quarantine. Kansas regulations
contain detailed provisions for isolation and quarantine of specific infections
and contagious diseases, as well as general provisions for conditions of
isolation and quarantine that are not specified in the regulations.44 Like Massachusetts regulations, the regulations in Kansas do not make specific reference to
isolation and quarantine in hospital settings.
Local Authority. The general provisions will be ordered and enforced by a local health officer or the secretary of health and environment.
Texas: Texas regulations also include
detailed provisions for reporting of certain conditions and suspected
conditions. The regulations provide detailed instructions about who must
report a condition; timeliness of reporting; information to be reported; and
communication between local, regional, and State health authorities.45 These requirements are unlikely to be waived in the case of a mass casualty event.
Isolation and Quarantine. The regulations concerning isolation and quarantine are very general. A health authority may declare a house, building, or apartment to be a place of quarantine. The regulations do not provide specific requirements for particular diseases nor do they make reference to any specific rules for hospitals. The local health authority will determine the length of quarantine.
Local Authority. The local health authority has jurisdiction over any events relating to isolation and quarantine.
There are other laws and regulations on these or other related matters, in various States around the Nation.
16. 42 CFR §482.24; 45 CFR Parts 160 and 164.
17. 42 CFR § 482.24.
18. 45 CFR §160.102.
Centers for Disease Control and Prevention. HIPAA Privacy Rule and public health: guidance from CDC and the U.S. Department of Health and Human Services. MMWR 2003;52 (Early Release): page 1.
20. 45 CFR §164.512(b).
21. 45 CFR §164.512(a).
22. 77 Ill. Admin. Code 250.1510.
23. Kansas Hospital Regulations, 28-34-9.
24. 105 CMR 130.330.
25. 105 CMR 130.331.
26. 77 Ill., Admin. Code, Chapter 1, Subchapter b, Section 250.1520.
27. 77 Ill. Adm. Code 657, 77 Ill., 77 Ill. Adm. Code. Subchapter b, Section 250.1830 (i)(2).
28. 77 Ill. Admin. Code, Subchapter b, Section 250.1830 and Section 250.1840.
29. 77 Ill. Adm. Code 690.
30. KAR 28-52-1
31. 25 TAC 133.
32. 25 TAC 133.42.
33. 105 CMR 342-349A.
34. 105 CMR 130.345.
35. 77 Ill Adm. Code 250.240.
36. 77 Ill Adm. Code 250.260.
37. KAR 28-34-3b.
38. 25 TAC 133.44.
39. 25 TAC 133.41.
40. See, generally, 105 CMR 300.000.
41. See, generally, MGL chapter 111, Sections 92-109.
42. 77 Ill. Adm. Code. Section 690.100.
43. 20 UKCS 2105-400.
44. Kansas Disease Control Regulations, 28-1-5 through 28-1-12.
45. 25 TAC 97.1-97.13.
Return to Contents
Proceed to Next Section