Boston Marathon bombing response offers insight into HIPAA needs

Make sure that your hospital’s emergency preparedness plan includes compliance with the Health Insurance Portability and Accountability Act (HIPAA). A mass casualty event will impact patient privacy rights, said Nickie Braxton, compliance and privacy officer for Boston Medical Center (BMC), which was one of the hospitals that treated victims of the Boston Marathon bombing in April 2013.

“HIPAA was a subpart of patient concern and protection. We were protective of the patients not only from a HIPAA [perspective], but that this event was enormous in their lives,” she said, speaking at the 26th National HIPAA Summit in Washington, D.C., in March.

HIPAA integral to incident response

BMC had an emergency preparedness program, which included an emergency incident response team and emergency response plan. Moreover, the city of Boston has a medical intelligence center with an electronic system to alert facilities that they are receiving victims of a disaster.

However, the Boston Marathon bombing occurred so quickly that BMC began receiving victims before the city alert system was even activated.

By chance, one of BMC’s surgeons happened to be volunteering in the marathon’s medical tent at the race finish line, and he called BMC when the bombs went off so that it could initiate its emergency procedures. The first bombing victim patient arrived eight minutes later.

BMC ultimately received 31 victims and ended up with 19 admissions, 12 in the ICU.

BMC took several steps to maintain HIPAA compliance:

• An area of the emergency department (ED) was sectioned off to keep bombing victims away from other patients, visitors, and other prying eyes.
• Several incident command personnel were stationed in the ED to help communicate with law enforcement, interpreters, and clergy, all of whom are allowed some information under HIPAA.
• Access controls were increased because BMC officials were not only unsure whether more bombs would be detonated but also because of the increased flow of people and supplies, such as blood and amputation kits, arriving to deal with the crisis.

Patient advocates and social workers were used as intermediaries to handle communications and visits from the media, foreign embassies looking for their citizens, dignitaries who wanted to help, and even celebrities. “Only those who made it clear that they should have access got access,” said Braxton.

Incident created HIPAA challenges

The hospital also had to deal with several additional issues affecting patient privacy and HIPAA compliance:

Sharing information with other hospitals. BMC knew that HIPAA allowed it to share information about patients with other providers for treatment purposes; this was vital since family members who had both been injured sometimes ended up separated from each other. For instance, one BMC patient had been separated from his toddler son; BMC called around and was able to locate the child who had been taken to Children’s Hospital. BMC was also able to find another BMC patient’s spouse who was being treated at a different hospital.

Sharing information with friends and family members. HIPAA allows the disclosure of limited patient information to the patient’s friends and family members (IJC 10/3/16); the challenge is determining who is entitled to the information. BMC designated several people to screen visitors and calls to determine if they really were a friend or family member of a patient, such as whether a caller knew the patient’s date of birth and other demographic information. However, it could not divulge information to a bystander if that person was a stranger to the patient—even if the bystander had brought the patient to BMC for treatment, Braxton said.

Respecting individual patient privacy. There was an outpouring of concern not only from patients’ family and friends but from people around the world. Many individuals arrived at BMC offering help and wanting to speak with patients; others sent gifts and cards. However, not all patients were ready or willing to have visitors or even read the cards. “The nurses were integral to who was ready [for outside interaction] and who was not,” Braxton said. Patient advocates collected and reviewed all cards and gifts to determine whether they were appropriate to distribute and to which patients.
“BMC made sure that patients knew BMC was there for them and it was up to the patient if he wanted to speak to anybody, and if so, BMC would arrange it,” she said.

Controlling reporter access. BMC held media briefings twice a day to reduce the number of questions and phone calls. It also had personnel walking through the hospital to ensure that only appropriate people were there. Just one reporter ended up on a hospital floor; he was escorted out when discovered.

Other crisis management steps helped

BMC has to its knowledge suffered no HIPAA breach stemming from the bombing. “We were very careful,” said Braxton.

HIPAA, of course, is just one issue that had to be dealt with; there were other issues to deal with as well, said Braxton. For example, since the bombing resulted in so many amputations, BMC arranged for Marine amputees to come to the hospital and talk to those patients.

The hospital’s patient advocates and social workers also went to the non-bombing patients in the hospital to assure them that their care was not being impacted.

Lessons learned after Boston Marathon bombing

Boston Medical Center (BMC) was one of several Boston-area hospitals that treated victims after the Boston Marathon bombing in April 2013.

While the hospital’s incident response plan worked well, particularly in protecting patient privacy, there were several other issues raised, many of them unanticipated, said Nickie Braxton, BMC’s compliance and privacy officer, speaking at the 26th National HIPAA Summit in Washington, D.C., in March.
Consider these 10 tips:

Preparation, including HIPAA training, is key to an emergency. “HIPAA provisions for this often sit on a shelf. There is no time to go to HIPAA and look at policy [during a mass casualty event]. A culture of HIPAA knowledge is a wonderful basis. People knew about HIPAA and not to give information out unnecessarily,” Braxton said.

Be flexible about meeting needs. For instance, BMC had established a family support center, with coffee, food, social services, and mental health counselors, that was convenient to the emergency department (ED) but away from victim triage. However, the hospital did not anticipate that these visitors, who had rushed to the hospital, would need cell phone chargers. BMC had someone run to Best Buy and purchase several for use in the center.

Expect all departments to be involved in the emergency. For example, both the environmental services and transport departments were instrumental in facilitating quick turnover of operating rooms, which was particularly difficult due to the terrible shrapnel injuries and number of amputations victims suffered.

Be prepared for a large law enforcement presence. BMC had not only two FBI agents set up camp, but also the Boston homicide department, the Massachusetts regional SWAT team, and an armored tank with soldiers.

Watch for players who might not have the best of intentions. There were prosthetics manufacturers who tried to gain access to the hospital to sell their products. BMC would not allow them to do so.

Expect additional safety/security problems. Until it was determined that there were only two bombs, BMC had to consider the possibility that more of them would detonate, and it was unknown where or when. After one bomber had been killed but the other was still at large, the mayor of Boston called for “shelter in place,” which meant that BMC could not discharge patients, causing them even more stress. The hospital also received a bomb threat, requiring the incident response team and law enforcement to take time to search for one. No bomb was discovered.

Anticipate communication issues. While BMC had designated management in the ED so that there was sufficient communication, it was sometimes difficult to identify who was whom and what role people played. BMC has talked about using different-colored vests to ascertain each individual’s function to improve communication.

Clue in your telephone operators. Inform them where to direct different kinds of calls.

Expect an emotional toll on staff. Personnel were not only exhausted from the work but also very stressed. BMC decided to bring in a therapy dog to allay that stress. It worked so well that BMC has created a therapy dog program for patients. “You don’t go through this without being touched by it yourself. There’s a rawness of emotions even now,” Braxton said. The crisis forged several friendships between doctors and bombing patients.

Conduct a follow-up debriefing to ascertain what went right and what went wrong. “None of us is immune to this kind of risk,” said Braxton.

Editor’s note: This article originally appeared in Inside The Joint Commission.