PREPAREDNESS TODAY - A Mutualink Newsletter
Summer 2009 COMMUNITY-WIDE INTEROPERABILITY Vol. 2, Issue 2
 
Mutualink on Scene
Mutualink Multimedia Interoperability at Inauguration

Trenton City, NJ - A fast moving fire struck a three story apartment building with 10 families, resulting in the rescue of 6 people and requiring a mutual aid response from fire departments from nearby Hamilton, Ewing and Lawrence were called in to cover city fire stations. Mutualink Interoperability Community Solutions allowed responding agencies to operating on a VHF conventional frequency and to seamlessly coordinate with City Units on the City's 800 Trunk Radio System. City operators participate in Mutualink Roll Call Readiness Program through exercising and standardized Incident Command training allowing smooth coordination.

Mutualink Multimedia Interoperability at Inauguration

Hudson River NY & NJ - "The Miracle on the Hudson. "Mutualink Interoperability Solutions were used by University Medicine and Dentistry Regional Emergency Medical Center, Newark NJ, and Jersey City Office of Emergency Management for notification and coordination of the US Airways Flight 1549 ditching in the Hudson River across from Jersey City.

Culture of Preparedness

In the old days, one person from each agency was tasked to develop their agency’s emergency operations annexes. The culture has changed. No longer can agencies plan their operations without considering the whole picture. Now, a holistic and structured process must be in order to reduce costs, avoid duplication of services, and maximally leverage response assets. The National Response Framework (NRF) is an excellent guide identifying local, regional, state and federal response and support partners that can assist your community when an incident or disaster occurs. These incidents can range from small scale emergencies that can be handled with local assets to major incidents which may involve mass casualties and/or large geographic areas. The NRF defines the roles and responsibilities that level of government and private entities must play in order to ensure a flexible and scalable emergency preparedness and response capability. It is important that the local emergency management coordinators, coop directors, safety directors, business leaders, and elected officials embrace these elements. NIMS works in conjunction with the NRF in defining a scalable incident command system (ICS) that can be routinely implemented and enables a universal incident driven multi-discipline organization structure, command and control, and goal driven outcomes. If the principles of NRF & NIMS are consistently applied across all relevant organizations and agencies and parties coordinate, practice and exercise them in a coordinated and collaborative manner, your community assets and partners can jell into a highly functional coordinated, multi-disciplinary response team capable of safely, efficiently and effectively handling an incident or disaster.

Identifying emergency preparedness and response partners within your community is important. Response assets include more than traditional public safety agencies. First responders need the help of an active community response network. Community partners can come in many shapes and forms. They can include local businesses, educational institutions, utilities, transportation companies, chamber of commerce, faith based associations, financial and educational institutions, health care entities and medical associations, municipal services, housing providers, food distribution partners, and more. Additionally, many of these entities form the basic fabric of your community and interruption of the services they provide can significantly disrupt and exacerbate the impacts of a disaster. Ensuring these important organizations can function is important to recovery efforts. So, the golden rule of modern emergency preparedness doctrine is “plan together, practice together and respond as one.”

Behind any collaborative and coordinated undertaking, there must be effective communications. There is a misconception that the government can quickly and effectively respond in all incidents. In reality, a wide range of situations can occur in your community that requires varied degrees of response at different times of the situations. This is most often true in long running or unfolding emergencies such as large natural and manmade disasters. In these situations, often the need for communications continuity across functions and sectors, such as communications among tactical, logistical, and public outreach, is often overlooked. This can hamper response, mitigation and recovery efforts in many ways. This includes unnecessary traffic congestion or key transit points being blocked, medical, food, and shelter services being overwhelmed, and/or improperly located. During incidents many communications channels will reach peak capacity and alternate means of communication will be required to alleviate or supplement first line communications resources. Enabling interoperable communications among disparate communications assets plays an important role in ensuring both seamless communications among different agencies and entities, regardless of their communications resources, but also provides the needed flexibility to supplement availability and circumvent communications limitations when primary communications resources are unavailable. A wide variety of communications resources are available and used within your community. These include a plethora of two-way radio systems, the public telephone system, mobile telephone, satellite, and broadband data networks providing IP communications. With advanced and affordable interoperable communications resource sharing, these assets can be harnessed to provide a resilient and ubiquitous communications environment that will enable seamless communications across a multitude of partners, and provide critical communications paths among them. Developing partnerships, engaging in planning and practice, and utilizing new and affordable communications bridging technology to facilitate communications among partners is essential to modern day emergency preparedness and response best practices. For more information go to: http://www.fema.gov/emergency/nrf/ or www.mutualink.net.

 
Mutualink
REDEFINING INTEROPERABILITY
 
Table of Contents
Culture of Preparedness 1
Roll Call 2
Twitter For Public Safety & Emergency Management 3
Navigating HIPAA and FERPA In An Interoperable Emergency Communications World 5
FEMA Certifications 7
NRF Resource Guide 7
About Mutualink 7
Educational Materials
Ask us about our community-wide emergency preparedness educational materials and how we can assist you in organizing community-level outreach and participation meetings.

Educational Materials
Copyright © 2009 Mutualink, Inc. 866-957-5465 (866-957-LINK)   |   www.mutualink.net
Top Page One
 
 
 

ROLL CALL

More Agencies are active with field-to-field linked exercises

Welcome to the 22 new agencies brought into the Roll Call Program since February!

Organization City D2D D2D-R D2D-M 3DM Total
Roll Calls
             
February / July 2009            
             
Atlantic City Police Department Atlantic City, NJ 9 5 8 1 23
Bayonne Hospital Bayonne, NJ 6 - 3 - 9
Bergen Regional Medical Center Paramus, NJ 1 - 1 - 2
Berlin Police Department Berlin, CT 11 2 1 11 25
Berlin Public Schools Berlin, CT 15 3 1 9 28
Christ Hospital Jersey City, NJ 2 - 3 - 5
Cromwell Police Department Cromwell, CT 7 1 2 6 16
Cromwell Fire Department Cromwell, CT 4 - - 1 5
East Orange General Hospital East Orange, NJ 1 - 1 - 2
Englewood Hospital and Medical Center Englewood, NJ - - 2 - 2
Essex Valley Visiting Nurse Associatio Newark, NJ 2 - 2 2 6
Hackensack University Medical Center Hackensack, NJ 2 - 1 - 3
Hoboken University Medical Center Hoboken, NJ 1 - 1 - 2
Holy Name Hospital Teaneck, NJ 4 - 1 - 5
Jersey City Office of Emergency Management Jersey City, NJ 2 1 3 - 6
Kessler Institute for Rehabilitation West Orange, NJ 1 - 1 - 2
Meadowlands Hospital Secaucus, NJ 2 - 2 - 4
Michael Stapleton Associates - NY Office New York, NY 20 4 14 5 43
New Jersey Transit Police Deparment Newark, NJ 8 2 1 - 11
Newark Police Department Newark, NJ 19 7 2 9 37
Newark Arena - Prudential Center Newark, NJ 10 4 1 1 16
Newark Community Health Centers, Inc. Newark, NJ 5 - 4 1 10
Newark Homeless Health Care Newark, NJ 4 2 1 2 9
Northwest Bergen Central Dispatch Ridgewood, NJ 10 1 9 6 26
Palisades Medical Center North Bergen, NJ 4 1 1 - 6
Palisades Park Police Department Palisades Park, NJ 20 3 2 8 33
Paramus Police Department Paramus, NJ 17 6 4 9 36
Rocky Hill Police Department Rocky Hill, CT 13 2 3 5 23
Saint Francis Hospital and Medical Center Hartford, CT 3 1 4 3 11
Saint Michael's Medical Center Newark, NJ 1 - - 1 2
Sonitrol Communications Rocky Hill, CT 27 1 6 3 37
Stamford Hospital Stamford, CT 21 9 2 5 37
Stamford Police Department Stamford, CT 9 1 - 6 16
The Valley Hospital Ridgewood, NJ 1 - 1 - 2
Town of Huntington Huntington, NY 15 5 9 3 32
Trenton Police Department Trenton, NJ 16 12 5 4 37
UMDNJ - University of Medicine & Dentistry of NJ Newark, NJ 14 5 4 8 31
University Hospital Newark, NJ 3 - 2 1 6
             
February / July 2009 Total   -   38 Agencies 310 78 108 110 606
 
D2D - Dispatch to dispatch
D2D-R - Dispatch to dispatch with field radios
New agencies
D2D-M - Dispatch to dispatch with multi-media sharing
3DM - 3 or more dispatch participants with multi-media sharing
   
   
Copyright © 2009 Mutualink, Inc. 866-957-5465 (866-957-LINK)   |   www.mutualink.net
Top Page Two
 
 
  TWITTER ® FOR PUBLIC SAFETY AND EMERGENCY MANAGEMENT
 

By Joseph Mazzarella, Chief Legal Counsel
April 28, 2009

 

In the world of public safety, obtaining and communicating important information in real time can save lives. In this regard, new communications tools are continually be deployed to improve emergency preparedness and response capabilities within a collaborative “all hazards, all disciplines’” paradigm that implicitly requires coordinated planning and response among responders, supporting agencies and other critical assets. These communications improvements range from employing mass alerting and reverse 9-1-1 solutions to advanced multi-agency communications interoperability solutions that link together an array of disparate systems and equipment. While the emergency management sector forges ahead with innovation, the world at large is also blazing new paths and ways of communicating through internet and mobile data driven social networking utilities. Despite the natural temptation to dismiss them as pedestrian at best and frivolous at worst, these social networks may offer something of value to the public safety and emergency management sector. After all, literally millions of users cannot be all that wrong. One of the fastest growing social networking utilities among them, and the focus of this article, is Twitter®, which may offer emergency management and public safety organizations with another potentially powerful and effective communications utility to add to their communications tool chest.

Twitter® is a deceptively simple, yet powerful social networking based communications tool. As described on its web site, “Twitter is a service for friends, family and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?” See, http://www.twitter.com. With Twitter®, people can follow one another and receive messages from their network of friends in real time. What makes Twitter powerful is it that it links people together around a topic, cause or person, and it provides an easy way to quickly disseminate and share messages among “followers” in the listening group. It is proving to be a popular and particularly attractive communications medium because it intersects with the “always on and available” status created by data enabled consumer mobile devices. Availability or presence is not limited to whether a user logs on to his or her computer anymore. You are always within range of your friend’s “tweet” (Twitter parlance for a message) courtesy of your Blackberry®, iPhone®, cell phone or other mobile device strapped to your hip.

Before you dismiss its potential utility, consider that Twitter is already being used in certain public safety contexts in both planned and spontaneous ways. This April, the Garden City, Kansas Police Department started using Twitter as a free public messaging tool to send out information on events, missing persons and other community advisories, as did the Franklin, Massachusetts Police Department some 1,000 miles away a few days later. In fact, a recent search of Twitter® reveals over 200 police related Twitter® micro-blogs, the largest being the Boston Police Department with over 2,100 followers. Additionally a number of local and state Offices of Emergency Management have rolled out their own Twitter alert based sites, such as Oregon OEM and University of Medicine and Dentistry of New Jersey’s (UMDNJ) Office of Emergency Management to name a few. Beyond state and local agencies, even federal agencies have jumped on board. The Department of Homeland Security (DHS) has its own Twitter® micro-blog which is used for news and announcements, and another micro-blog at twitter.com/LLIS for its Lessons Learned Information Sharing web site (www.LLIS.gov) which is a community repository of best practices information for state and local homeland security and emergency response personnel. The Center for Disease Control (CDC) Emergency Preparedness and Response site uses Twitter as a mass communications tool and has over 2,000 followers. Similarly, the FDA has employed its own Twitter feed at twitter.com/FDARecalls to alert over 3,000 people of its recall of salmonella-tainted pistachio products. See, “Twitter to the rescue: Agencies apply high-tech tools in crisis response” by Elise Castelli, Federal Times (April 06, 2009). While overall use as measured by followership remains relatively small, most of these initiatives are new and they will likely gain popularity as Twitter® becomes better known as a community alerting and information dissemination point.

While mass outbound public communication is a natural use for Twitter®, it may also serve potentially other equally useful purposes. Twitter® is not a one way conversation utility. Namely, it is a tool for information gathering and quick interactive information updating. Followers can send messages too. In fact, Twitter® was reportedly used in the aid of a Swiss Alps mountain rescue operation. As the Alpine rescue unfolded, members of a snowboarding party were sending “tweets” to friends who were, in turn, passing on information to aid in finding their location and providing updated status details regarding their condition. See, “Mountain rescue played out on Twitter; 1 dead”, Associated Press (March 3, 2009). In one the earliest celebrated cases of “Twitter to the rescue”, it was widely used during the 2007 Southern California wildfires to track and report fire movements in real time and alert people of potential oncoming danger. See, “California Fire Followers Set Twitter Ablaze” by Michael Calore, Wired Blog Network (Oct. 2007).

In this vein of emerging communications and cooperation, it is worth noting one particular Twitter micro-blog that is very interesting – twitter.com/HoustonFireDept. The Houston Fire Department is sending out incidents generated from its CAD system as “tweets” with hypertext linked mapped location information. It is quite easy to imagine extending this type of alert into an interactive web based information gathering portal through which the public can contribute information, and also follow incident updates at an incident defined level.

The above examples provide a glimpse into the potential utility that Twitter® may offer in the realm of emergency response and public safety. Imagine what thousands of eyes and typing hands can do to provide important information to public safety agencies during a large distributed, evolving crisis such as a natural disaster. Or, perhaps what a handful of people in the right place and at the right time can offer in the case of a manmade disaster or terrorist attack. In the case of Citizen Corps, 2,342 local councils have formed across that United States. These Corps are local citizen based civic emergency preparedness organizations designed to assist local communities with civilian emergency planning and response. Twitter might play a constructive role in providing quick updates to diverse members. Or, consider how Twitter® or a secure private Twitter-like service might be used for NIMS Incident Command System (ICS) communications functions for providing quick updates from branches, divisions, tactical units or groups. Each of these applications presents potentially useful benefits. Like any good communication tool, it has the ability to act as a force multiplier by increasing information flow and raising real time situational awareness.

Copyright © 2009 Mutualink, Inc. 866-957-5465 (866-957-LINK)   |   www.mutualink.net
Top Page Three
 
 

"Twitter ® For Public Safety And Emergency Management" Continued from page 3

As is the case with many new communications tools, functional or pseudo-functional overlap with legacy systems is not uncommon. In the area of crisis information management, for example, there are a variety of web-enabled emergency operations center solutions which purport to offer real time information sharing for emergency management personnel. These solutions range from highly sophisticated environments with extensive integrated data views to rudimentary topic driven message boards, many of which purport to comply with Incident Command System (ICS) and Emergency Support Functions (ESF) standards. However, in reality, ICS and ESF are not technology standards or explicit functional requirements inasmuch as they are organizational and process frameworks with rules meant to rationalize and organize command and control, drive coordinated planning, foster continuing training, prompt exercises, assess results, and make improvements, all within a uniformly understandable and scalable way. In this regard, any system claiming or asserting ICS standards compliance (and by implication “completeness or suitability”) misses the mark in that the very essence of the thing they purport to meet contemplates a dynamic and continuing cycle of evolutionary improvement towards an increasingly better state of active preparedness. Improving, replacing and supplementing legacy communications systems and methods to advance efficient, cohesive, real time coordinated communications and information sharing is a core principle of NIMS and ICS. So, the mere fact the there may exist other modalities of communication in use providing “similar” functions should not necessarily preclude an examination as to how the overall environment can be improved by cohesively integrating or introducing new modes of communication such as micro-blogging capabilities.

Of course, integrating Twitter® or a Twitter-like capability into a public safety or emergency management environment raises unique suitability considerations based upon its use context. These considerations include security and privacy, user identity management and authentication, evidence preservation and chain of custody, and practical possession and control matters. In the context of public alerting, for example, maintaining a permanent record of the alert content, its time of dissemination and the party who sent it are all important. These records must be maintained in a secure and controlled environment to ensure their integrity in the event of subsequent litigation or an investigation. Moreover, as with any alerting mechanism, the actual credentials and permissions of the person authorized to send alerts must be carefully managed. While external threats and breaches from hackers may permit unauthorized users to send out fraudulent alerting messages, unauthorized messaging can also occur from within the agency through lax credentials access and control procedures.

Finally, as with any official public communications outlet, an integrated administrative review and approval workflow component is important to ensure that appropriate quality control standards, legal review requirements, and internal policies are followed, obtained and recorded. In the case where Twitter® might be used to collect information from the public, concerns are present that are similar to those that arise in the context of tip lines and other inbound telephone calls. Chiefly among them is being able to process potentially large volumes of information that may be submitted as well as being able to determine its relevancy, verify or assess its likely accuracy and truthfulness, and assess its actionable value in a timely manner. Finally, in the case of internal communications for crisis or emergency management purposes, a broad array of considerations are at play, including the security, authentication and records management issues previously described along with evidentiary and chain of custody matters associated with communications logs. Finally, the use of third party systems where the agency is not in possession and control of its communications data records also leaves the information vulnerable to legal discovery. If information resides in another party’s possession, the agency may have no or limited opportunity to contest or challenge a demand for disclosure, particularly since the party in possession of the data may have no duty to notify the agency, or worse yet, voluntarily chooses to disclose data without due consideration for the agency’s rights or concerns.

Finally, beyond these particular considerations, there are more rudimentary issues that must be addressed when dealing with public safety communications, namely reliability. As this article was being written, Twitter served up a page at 9:39PM EST on April 19, 2009 stating “Twitter is over capacity. Please Wait and try again”. In the public safety, those aren’t welcome words.

Notwithstanding the above, it is reasonable to expect the use of Twitter® to continue to rapidly grow within the public safety and emergency management space primarily as an adjunct to existing mass alerting modalities. It is further likely that Twitter® can and will be used by innovative agencies as a means to enhance information gathering through public participation - in essence enabling “virtual neighborhood watch” capabilities. However, it is very unlikely Twitter® could be adopted for any internal public safety and emergency management communications use because of the additional security, data integrity assurance, information management and control, and most importantly, reliability needs. Instead, it is more likely that private, in-house “Twitter-like” communications utilities will be created that are more suitable for public safety needs that could augment existing internal communications and information management environments, particularly where resources and assets are geographically diverse. But even within a more robust private framework, the public Twitter® environment still can play an important role as a public interface through integration and the application of appropriate information vetting and verification filters to allow relevant two-way information sharing.

Do these things like Twitter® matter? You bet. For someone, somewhere it just might make all the difference in the world. Here is one of my favorite tweets which came from the Oregon Office of Emergency Management (twitter.com/baileyjn):

"Here's the scenario - You are at work, kids at school. Big earthquake. No phone service or power. Roads closed. Tell me your plan."

3:46 PM Mar 13th

Post Script: As this article was completed and waiting for general publishing, Microsoft announced a beta release of Vine, a new Twitter-like service for emergency communications. As they say “timing is everything” but then again there is a certain obviousness for the reasons described above. See,
http://www.pcworld.com/article/163974/microsofts_vine_emergency_social_networking.html

 

The author is not affiliated with Twitter, and the assessments and characterizations made within the article reflect the author’s opinions and do not constitute any endorsement of Twitter or its suitability or reliability for public safety or any other use. Neither the author nor publisher of this article asserts any claim or rights in or to the trade names or marks of Twitter, Inc., all of which are expressly reserved to Twitter. You can follow the Author’s updates and commentary on Twitter at "Interoperable".

Copyright © 2009 Mutualink, Inc. 866-957-5465 (866-957-LINK)   |   www.mutualink.net
Top Page Four
 
 
  NAVIGATING HIPAA AND FERPA IN AN  INTEROPERABLE EMERGENCY COMMUNICATIONS WORLD
 

By Joseph Mazzarella, Chief Legal Counsel
February 26, 2009

 

The current United States homeland security and national emergency response policy as reflected in the National Response Framework (NRF), National Emergency Communications Plan (“NECP”) and National Incident Management System (NIMS) is correctly focused on implementing a scalable and cohesive “all hazards and all disciplines” emergency planning and incident response capability across all levels of government. The implementation of this policy is facilitated through a seamless interoperable communications continuum and information environment. Through this environment public safety agencies and other critical or key community assets can collaborate and coordinate in real time during incidents to achieve force and resource multiplication, greater situational awareness and enhanced response. In this world first responder agencies are linked with important community assets including schools, hospitals, utilities and other key private entities. The implementation of such a cohesively linked emergency communications sharing environment (which is nothing short of essential to improving overall national emergency preparedness and response capabilities to deal with an increasing array of natural and man made incidents) must also coexist within a framework of privacy laws such as the Health Insurance and Portability and Accountability Act (HIPAA) and the Family Education Rights and Privacy Act (“FERPA”).

HIPAA is designed to protect medical privacy of individuals and limit the unnecessary sharing and disclosure of personal medical information through or by covered groups that routinely house, access and transmit health information, such as hospitals, medical facilities and medical clearinghouse and billing services. Yet, hospitals and medical facilities play vital roles in emergency incident response and crisis recovery efforts. FERPA, like its HIPAA counterpart, also is a privacy law which is directed at protecting privacy of students and their educational records. Notably, student educational records often contain important family and health information. Like hospitals, schools (albeit for different reasons) are also at the center of emergency planning and response initiatives. It is well recognized that school populations are high priority, vulnerable community assets and close coordination and communication between schools and public safety agencies is essential to improving overall emergency readiness. In both cases, we see two key participants in the overall homeland security and emergency response landscape that have unique information privacy laws that may limit the disclosure and sharing of important information in the event of a crisis.

Fortunately, however, this is not the case. Simply put, neither HIPAA nor FERPA interfere with or hamper emergency response efforts. In fact, in each case, they are narrowly drawn in this area and provide ample room to enable both public and private emergency response entities, including “covered entities”, to communicate and share necessary information to carry out emergency response and crisis management functions.

Within the context of interoperable communications systems the operative function and effect is enable many diverse parties to communicate and share information across boundaries. In the minds of some, this aspect of multiparty participation raises the concern whether participants within a communications group may not be privy to private or protected information and disclosure within this context raises the potential for inadvertent violation of these laws. This question naturally leads to the next. Do these laws require authorization levels to be established to ensure only certain participants join in group communications where certain types of protected information are to be shared? Further, must the type and scope of information that may be shared or disclosed be tailored based upon the identity of the parties that are participating in joint communication session? Thankfully, the reality is that these questions and concerns are implicitly handled in emergency contexts, assuming covered entities under HIPAA employ standard operating policies that they already have in place and good faith reasonable judgment is used by all in light of the circumstances at hand. As a general proposition, neither privacy law restrains or prevents the flow of important information where it will protect the health, welfare, or safety of the subject individual whose privacy is being protected or those in logical and circumstantial proximity to the individual.

HIPAA

HIPAA, along with imposing uniform data coding practices, generally prohibits the unauthorized electronic disclosure of a patient’s protected health information (PHI). This prohibition is comprised of two main thrusts, one aimed at transactional privacy, and the other at ensuring data security. The rules in this area are manifold and complex. However, HIPAA is limited only to “covered entities” and there are safe harbor exceptions for various circumstances where the public interest outweighs individual privacy.

Generally speaking, covered entities are hospitals, medical facilities, health providers, and medical billing entities. HIPAA does not apply to public safety responders and agencies, including EMS (however private ambulances and those owned by, or affiliated with, a covered entity are subject to the law). Non-healthcare related entities and schools (except in limited cases of on-site school health clinics) are not covered. Moreover, entities that may store medical information as part of their overall function, such as independent living centers, social agencies, public health care agencies, transit organizations, and non-governmental organizations like the Red Cross, are not covered entities. Thus, most participants within any community-wide or pervasive interoperable communications environment are not subject to HIPAA. Yet, as noted, health and medical entities do play a major role within the emergency response environment and are covered by HIPAA.

Covered Entities. Given that many covered entities would participate within an interoperable emergency response communication system, an issue that does arise is how covered entities can participate without running afoul of HIPAA. The most likely circumstance where concerns would arise is in the case of emergencies or incidents where responding or participating parties may be requesting medical or health status information on one or more individuals from a covered entity (such as a hospital or medical provider). However, HIPAA makes provision for the disclosure of necessary information in emergencies.

HIPAA Safe Harbors for Emergencies.

Disclosure During Emergencies. The Department of Health and Human Services (“HHS”), the agency responsible for the administration and enforcement of HIPAA, has reaffirmed its position that HIPAA does not prevent the disclosure of medical information in the case of severe emergencies in order to enable necessary medical treatment and related logistical matters. The applicability of HIPAA became a significant issue during Katrina, and HHS acted swiftly and with clarity to provide guidance that HIPAA does not compromise emergency response and relief efforts. Specifically, HHS has articulated the following guidelines:

Copyright © 2009 Mutualink, Inc. 866-957-5465 (866-957-LINK)   |   www.mutualink.net
Top Page Five
 
 

"Navigating Hipaa And Ferpa In An Interoperable Emergency Communications World" Continued from page 4

Treatment Information. Patient medical information may be shared in times of serious emergency with other medical providers (hospitals, clinics, etc.) to aid in the delivery of treatment, to enable patient referral and linking with available treatment centers, and to coordinate care with emergency relief workers.

Notification. Patient information may be shared as is necessary to enable family members, guardians and others charged with the care of an individual to be identified, located and notified of that patient’s condition and whereabouts. However, to the extent verbal permission can be obtained from the patient, it should be obtained.

Imminent Danger. Providers can share patient information with anyone where it is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public - consistent with applicable law and the provider’s standards of ethical conduct.

See, Department of Health and Human Services - Office of Human Rights, Hurricane Katrina Bulletin: HIPAA Privacy and Disclosure During Emergency Situations, Sept. 2, 2005, and Hurricane Katrina Bulletin 2: Compliance Guidance and Enforcement Statement, Sept. 9, 2005

Hospitals and healthcare providers, however, should take note that emergencies do not relive covered entities from establishing appropriate agreements in advance with respect to its business associates (i.e., agents) that house, store, maintain or administer information on its behalf. The HSS makes it clear that business associates and covered entities, must have a business associate agreement in place to ensure general compliance with HIPAA privacy requirements. Within these agreements provision and consideration can be made for information sharing in cases of emergency. HHS has published a sample business associate’s contract that may be used and adapted to meet the relationship that may exist between the covered entity and its business associate. See 45 CFR 164.504(e)(2)(ii)(D). The sample contract can be found on the internet at: “http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/enforcement-statement.pdf”.

Accordingly, as part of any hospital’s or other healthcare provider’s emergency preparedness efforts, appropriate due diligence should be undertaken to identify whether any third party agents hold or provide information that may be required to be disseminated or shared during a crisis, and make sure a business associate’s agreement is in place to avoid a possible disruption or delay in furnishing key information during an emergency.

FERPA Safe Harbor for Emergencies

While HIPAA governs protected healthcare information, it does not cover healthcare information that is part of a student’s educational records. Healthcare information that is stored and maintained by schools (with the exception of on-site health clinics which process and seek insurance payments), although medical in nature, is considered part of a student’s “educational records” under FERPA rather than HIPAA. See, Department of Health and Human Services and U.S. Department of Education, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records, Nov., 2008. Consequently, one must look to FERPA in regards to disclosure of student information in times of emergency.

Again, like HIPAA, under FERPA the disclosure of information within educational records to appropriate third parties is permitted without any consent in connection with an emergency. The information that is permitted to be disclosed however must be necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36.

See, also, “http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf”.

Conclusion. Overall, neither HIPAA nor FERPA offer any serious obstacles to the implementation of cohesive, real time interoperable communications and information sharing systems for emergency preparedness and response and can coexist quite well with the broad goals of pervasive interoperable communications collaboration envisioned within homeland security and emergency preparedness realms. Express safe harbor provisions are made to accommodate the reasonable disclosure and sharing of information among entities that are participating within the context of an emergency incident. In each case, the protection of the health and safety of individuals under the exigent circumstances of an emergency is the operable standard by which agencies and participants may collaborate.

As is the case with any subjective standard regarding what circumstances constitute an “emergency” and “necessary” information, good faith and reasonable judgments must prevail. In this regard, for entities that are covered under HIPAA and in the case of student educational records, establishing clear guidelines and policies that assist in evaluating a request for information within the context of any emergency is important. Integrating these policies into an emergency preparedness and response plan may help to support any subsequent challenge to the necessity and propriety of any disclosure by showing they were undertaken based on a well reasoned policy and on a good faith belief that the disclosure was appropriate and necessary. Perhaps even more importantly, in times of emergency the effective mitigation of harm and a successful aid response may turn on the speed with which critical information is shared with responding parties. Delays in responding to information requests caused by uncertainty or time consuming ad hoc legal or unplanned administrative reviews could adversely impact a timely emergency response effort.

Overall, while participants should be vigilant and make proper efforts to prepare for emergencies and integrate sound and lawful information sharing policies into their plans, it should be fundamentally recognized that neither FERPA nor HIPAA should serve as any obstacle to hospitals and schools participating in an interoperable emergency communications platform with other critical community participants. In fact, based upon the prevailing emergency preparedness and homeland security recommendations and policies, the failure to reasonably do so may be viewed as unreasonable in light of generally accepted standards of good security and emergency preparedness practices to the extent participation is available within your community.

 

Disclaimer. This article is provided for general information purposes only and does not constitute legal advice upon which a reader may rely. Interested parties are encouraged to consult with their legal advisors. FERPA and HIPAA are not the only privacy laws which may be applicable to you. Many states also have privacy laws which may apply to you.

Copyright © 2009 Mutualink, Inc. 866-957-5465 (866-957-LINK)   |   www.mutualink.net
Top Page Six
 
 

New FEMA Certifications

Congratulations to those who completed their FEMA certifications in June!

Mutualink provides guidance and assistance to customers in meeting the goals of the National Incident Management System (NIMS) through ICS-100 and ICS-700a training.

PHONE

Please call Craig Martin (856) 685-9298 or email: cmartin@mutualink.net for information on scheduling and training.

First Name Last Name Agency City State ICS-700
Certified
           
Rodney Andrews Saint Francis Hospital and Medical Center Hartford CT Jun-09
Rommel Durham Saint Francis Hospital and Medical Center Hartford CT Jun-09
Charlie Esquilin Saint Francis Hospital and Medical Center Hartford CT Jun-09
Frank Faust III Saint Francis Hospital and Medical Center Hartford CT Jun-09
Tiffany Jones Saint Francis Hospital and Medical Center Hartford CT Jun-09
David Kumnick Saint Francis Hospital and Medical Center Hartford CT Jun-09
Cresford Laing Saint Francis Hospital and Medical Center Hartford CT Jun-09
Robert J Massicotte Saint Francis Hospital and Medical Center Hartford CT Jun-09
Greg Skrzypek Saint Francis Hospital and Medical Center Hartford CT Jun-09
Mohamed Suliman Saint Francis Hospital and Medical Center Hartford CT Jun-09
Niketta Watson Saint Francis Hospital and Medical Center Hartford CT Jun-09
Emil A Zanetti Saint Francis Hospital and Medical Center Hartford CT Jun-09

Three New Mutualink Employees received their IS-700a certifications with one of them also passing the ICS-100. Congratulations to all the New FEMA certified personnel.

Note: There have been revisions and updates to the FEMA NIMS IS-700 course materials. Please begin using the IS-700.a materials immediately. If you have previously started the IS-700 course and need to take the final exam, you must complete the exam and obtain a passing score before February 13, 2009. After February 13, 2009, the IS 700 exam will no longer be available and you must take the IS-700.a  exam.

The current FEMA NIMS IS-700a on-line course can be accessed at: http://training.fema.gov/EMIWeb/IS/IS700a.asp.

 
NRF RESOURCE GUIDE
RESOURCE   WEB SITE ADDRESS
     
NRF Resource Center   http://www.fema.gov/emergency/nrf/
National Response Framework (NRF)   http://www.fema.gov/pdf/emergency/nrf/nrf-core.pdf
NIMS Compliance Center   http://www.fema.gov/emergency/nims
Incident Command System (ICS)   http://www.fema.gov/pdf/emergency/nims/erfog.pdf
FCC Public Safety and Homeland Security Bureau   http://www.fcc.gov/pshs/
PRIVATE ENTITIES    
National Infrastructure Protection Plan (NIPP)   http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm
Critical Infrastructure and Key Resources (CIKR)   http://www.dhs.gov/xprevprot/programs/gc_1189168948944.shtm
SCHOOLS    
ICS-100SC.a – I-100 For Schools   http://training.fema.gov/EMIWeb/IS/IS100SCA.asp
US Dept. of Education – Practical Information on Crisis Planning Guide   http://www.ed.gov/admins/lead/safety/emergencyplan/crisisplanning.pdf
US Dept. of Education – Emergency Planning Resource Center   http://www.ed.gov/admins/lead/safety/emergencyplan/index.html
MEDICAL    
ICS-100HC for Hospitals   http://training.fema.gov/EMIWeb/IS/IS100hc.asp
ABOUT MUTUALINK
 

Mutualink is an affordable community-wide interoperable multi-media communications platform that links together police, fire, EMS, hospitals, schools, utilities, malls and other key community assets.

Through Mutualink, two-way radios, telephones, public address systems, video, and data files can be shared among parties on a real time incident basis providing critical communications that enhance preparedness and effective emergency management, coordination and response.

Mutualink’s pragmatic and affordable approach makes interoperable communications accessible to all high-value community assets such as schools and hospitals and places of massed gathering, creating completely interoperable communities.

Mutualink is an essential tool enabling NRF compliance and improving your community’s safety and readiness.

Architecture Overview
Copyright © 2009 Mutualink, Inc. 866-957-5465 (866-957-LINK)   |   www.mutualink.net
Top Page Seven

Please click here to unsubscribe from future newsletters.