Shooting, God Forbid, on the Premises of a Health Care Provider or Business Associate, Including HIPAA Aspects: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Yet another mass shooting, this one at a social services agency in San Bernardino, CA, coupled with my being asked to weigh in on protecting a local church here in Kansas City from a potential active shooter, prompted this blog post, in hopes of helping entities that provide health services decide what, if anything, they need to do to prepare for a shooting or bomb threat.

An initial caveat: I am not a Certified Healthcare Protection Administrator or otherwise certified as a professional in that field. But I have enough of a legal and practical background to offer some (hopefully) helpful ideas for you to consider. My practical experience comes from serving as an Infantry platoon leader in combat, serving as a military intelligence officer charged with counterintelligence and anti-terrorism duties, being trained for my concealed carry permit by one of the best (he trains Navy SEALs), and serving as an armed guard for a local church at a function where a lot of money came into the church. And performing a risk analysis for workplace violence or terrorist attacks is not that different from performing a HIPAA risk analysis.

Just as with HIPAA's health information security risk analysis requirement in 45 C.F.R. § 164.308(a)(1)(ii)(A), no law or regulation specifies how to conduct a risk analysis. I adapted a method from the British Medical Association (see Ross J. Anderson, "Security in Clinical Information Systems," BMA Report, British Medical Association, January 1996, ISBN 0-7279-1048-5) to develop my HIPAA health information risk analysis methodology, and it should work for this area as well.

Note that a risk analysis goes by a number of names: security survey, security assessment, or risk assessment. See my January 20, 2015, blog post, "Risk Analysis and Risk Assessment: Are They Different?" But whatever you call it, it is a systematic assessment and analysis of the threats facing you, the security measures you already have, and what, if any, additional security measures are necessary. Often, risk analysis is broken down into physical security, technical security, and system security.

My HIPAA risk analysis has five components: assemble a risk analysis team, identify assets, identify risks to those assets, select reasonable, cost-effective security measures, and test and revise the security measures.

I start by assembling the risk analysis team. For analysis of HIPAA risks, the team consists of medical records professionals, IT specialists, clinicians, and representatives from human resources, finance, legal, and risk management. For analysis of the threat of an active shooter and related threats, consider the following for your risk analysis team:

·         Law enforcement representative.

·         Representative from your facility police or similar individuals.

·         Representative from your buildings and grounds insurer.

·         Information systems expert.

·         Building security expert.

·         Legal expert.

·         Concealed carry or other qualified firearms instructor.

If you are a very small practice and have only an office manager instead of all of these people, it still helps to look at this list to view the risks and the security measures from the points of view of those representatives. And I would be very surprised if you could not get law enforcement and a representative from your insurer to meet with you.

The next step is to inventory assets—that is, that which you have to protect and what you already have available to do so. Such assets could include, among others, the following:

·         Patients/clients.

·         Staff.

·         Other individuals onsite, including but not limited to vendors, visitors, outside contractors, students, and the like.

·         Property that could be damaged by an active shooter or vandalized.

Security assets could include, among others, the following:

·         Security personnel.

·         Alarm systems.

·         Surveillance cameras.

·         Locks (old-fashioned locks and keys or electronic locks).

·         Nightsticks or other weapons.

·         Policies and procedures already in place.

Next comes identifying threats to those assets. As one hospital security professional put it, "One, as far as people safety is concerned, I worry about the safety of all of our patients, visitors and associates." There are "the threats of infant abductions, assaults against our associates and violent behavior including the possibility of having an active shooter situation." Second, in regard to the facility, "risks include theft of personal or hospital property, damage to valuable equipment and vandalism to property. With information services, obvious threats include the theft of patient or associate personal information and the compromise of our computer network." (See OhioHealth's Harry Trombitas, quoted in Bill Zalud, "How to Stay Welcoming Yet Secure in Healthcare," Security Magazine, August 15, 2015.)

Threats include, but are not limited to, the following; a unique practice or a unique environment may pose other threats:

·         Bomb threats.

·         Workplace violence, including active shooters.

·         Disruptive, aggressive, or violent patients/clients, family members, or other visitors.

·         Theft.

·         Property damage by vandalism or as a byproduct of violence.

·         Inability to access or compromise of health information.

Now comes the hard part: selecting security measures. HIPAA does not specify any particular security measure, and whatever encryption package you select as reasonable and appropriate will not be prohibited by state or federal law, as firearms may be. Nor are you likely to face a lawsuit, or lose one, for selecting one firewall over another, so long as you selected it as the result of a risk analysis. But if you shoot someone, even in justifiable self-defense or defense of another, you may well face a lawsuit and even lose it. Would you want to be the officer in Ferguson, Missouri, who will likely face a civil lawsuit even though a grand jury refused to indict him for a criminal offense? Or one of the officers in Baltimore facing criminal charges? And if an employee of yours does the shooting, your entity may be civilly liable even if the shooting was justified. Yes, selecting security measures to protect against an active shooter or other assailant presents many more legal hurdles than choosing a firewall.

You should consider two areas of security measures. One is prevention or deterrence, and the other is taking action to neutralize the threat and protect your people if it does occur. Among preventative measures are these:

·         Visible security personnel. Such personnel could be stationed at the front desk or patrol the parking lots of a large hospital.

·         Alarm systems. Hearing the alarm go off and believing that law enforcement will respond may scare off an active shooter, unless he intends to die in the attack and does not care whether he is caught or killed.

·         Surveillance cameras. These may deter a potential shooter out of fear that the recording will make conviction easy, unless, again, he does not expect to survive the attack.

·         Signs. Some states require that places that do not want to permit concealed carry on the premises must have a sign so stating conspicuously posted. I do not put my faith in such signs or “Gun-Free Zone” signs. If a person is going to murder perhaps a dozen or more people, what does he care about the lesser penalty (in some cases just a fine) for carrying a concealed handgun? Why not simply put up a sign saying “Active Shooters Have Nothing to Fear Here!” A bank in Virginia took another tack. After it had repeatedly been robbed, it put up a sign, “Concealed Carry Welcome,” and has had no more robberies. I’m not certain that such a tack would be wise for a health care practice because, for example, a mental health client might take it the wrong way. A “Beware of the Dog” sign might be some deterrent for a small practice after everybody leaves.

·         A social media policy limiting what staff may post on social media. Such communications could provide a prospective shooter or a burglar helpful information or cause a patient or client to become outraged when his embarrassing condition was posted in violation of HIPAA, resulting in dire consequences.

·         Increased lighting.

·         Placement of emergency call boxes.

·         Upgraded locks.

·         Visitor control, including screening, badging, and tracking visitors.

·         Having alarm buttons installed in clinicians’ offices, nurses’ stations, and the like.

·         A code word that alerts a staff to a threat.

·         Relevant policies, such as an overall security policy, a visitor policy, access policies, a bomb threat policy, a portable electronic equipment and media policy, and the like. Many of these policies, such as access policies, are required or addressable under HIPAA (an addressable specification must be implemented if reasonable and appropriate; otherwise you must document why not and implement an equivalent alternative measure where reasonable and appropriate, 45 C.F.R. § 164.306(d)(3)). See my book, The Complete HIPAA Policies and Procedures Guide, with editable sample policies on the accompanying CD.

·         A procedure specifying what to do when an active shooter is on the premises, such as a lockdown. I don't believe in always having lockdowns because, as happened at Sandy Hook, that plan can put potential victims in an enclosed area where, if the shooter finds them, they are easy targets. My concealed carry permit instructor said that if the intruder got through the locked or barricaded entrance, it was like shooting fish in a barrel, much easier than shooting a bunch of people running in different directions outside. Of course, if you have patients in beds or wheelchairs, a lockdown may be your only choice.

·         Frequent coordination with law enforcement to get advance warning of potential threats.

·         Others?

Taking action to neutralize the threat is more problematic because critical decisions must be made quickly under high stress. It's one thing for a rent-a-cop from a local security service to drive a golf cart around the parking lot and quite another to decide in a split second whether to shoot an active shooter. If you miss, which is quite likely unless you are an expert with extensive training and/or experience in such scenarios, you may well add to the body count by hitting a bystander. You should develop policies and procedures as stated above and train on them.

Before deciding on whether you are going to have firearms on the premises, you must determine what the federal, state, and local laws say about whether you can do so and under what conditions.

A comprehensive discussion of those laws (and court decisions) is beyond the scope of this blog post, but you should determine the following:

·         What are the laws concerning open carry of firearms?

·         What are the laws concerning concealed carry of firearms?

·         What are the laws specifying where handguns are prohibited?

·         What are the laws regarding shooting in self-defense, defense of others, and/or defense of property?

·         What liability does a shooter in self-defense, defense of another, or of property face?

·         What liability does an entity face when a workforce member shoots another?

What are the HIPAA implications of an attack, apart from any effect it has on your protected health information ("PHI"), such as by damaging your server? First, if you can report the crime without disclosing PHI, HIPAA does not come into play at all. If you do need to disclose PHI, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to use or disclose PHI if it believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. 45 C.F.R. § 164.512(j)(1)(i). HIPAA also has a separate provision permitting a covered entity to report a crime on its premises to law enforcement, 45 C.F.R. § 164.512(f)(5), which again matters only if you must disclose PHI to make an effective report.

A covered entity that uses or discloses PHI to prevent or lessen a serious and imminent threat is presumed to have acted in good faith if its belief is based on actual knowledge or on a credible representation by a person with apparent knowledge or authority. 45 C.F.R. § 164.512(j)(4). Thus a covered entity has little, if any, HIPAA exposure for making such a disclosure, whereas failing to make it when serious harm results could carry significant liability under other law. With this presumption of good faith, it is unlikely that a covered entity will face HIPAA liability for a disclosure to law enforcement in these circumstances. So don't worry about HIPAA if an individual or group attacks your facility, threatening or committing violence. See 45 C.F.R. § 164.512(j). HIPAA does come back into play afterward if the attack damages or cuts off access to PHI, for example by destroying a server or by portable devices walking out the door in the confusion: the contingency plan standard at 45 C.F.R. § 164.308(a)(7) (data backup, disaster recovery, and emergency mode operation) governs getting your records back, and a lost or stolen unencrypted device holding PHI is a potential breach subject to the notification rules in 45 C.F.R. Part 164, Subpart D.

The final part of risk analysis is to test and revise your security measures once they are in place. Testing may be hard because you certainly don't want to upset your patients or clients or risk their condition by moving them, but a tabletop exercise or walk-through with staff and local law enforcement can test the procedures, the code word, and the alarm buttons without disturbing anyone. Even that much testing will go a long way toward making your security work in a real threat situation.

Deciding what security a health care provider needs is far from easy. And unlike a breach of PHI, poor security here can have fatal results. But if you do a thorough risk analysis and select reasonable and appropriate security measures that will deter assaults and protect your facility and those present if an assault occurs, with due consideration of the legal environment, you will have done what you can. I believe it is impossible to stop all terrorist attacks, just as it is impossible to stop all crime. But you can deter some attacks and stop or minimize the damage if, God forbid, one occurs.

This blog post is somewhat off topic although HIPAA was discussed as far as it allows for reporting an attack to law enforcement. Please let me know if it was helpful and whether you are interested in other health law issues (although I refuse to get knowledgeable about OSHA!).

Also, I have drafted a sample Bomb Threat Policy, which is now available for you in our Premium Member section. If you have trouble logging in to the Premium Member section, please email Alice McCart at, and she will have our order department contact you to help you.

Further, this time more in the spirit of the season, I have had posted in our Premium Member section a little Christmas gift for you to enjoy: one of my short stories, “The 51st Way to Leave Your Lover,” which is also available on Kindle.
