Iron Rod Security

Mutual Aid and the Data-Sharing Agreement You Don't Have

Steven Carlson

The engine from County A crosses the line into County B on a working structure fire. County B's ambulance transports the patient to a hospital in County C. The ePCR gets written by County A's crew using software that routes data to County B's state repository. Nobody signed anything about any of this, but that's a mutual aid call. It happens every day, and the data-sharing gap behind it is wide enough to drive a tender through.

What Happens to PHI When Units Cross Jurisdictional Lines

HIPAA allows PHI sharing for treatment without a signed agreement in place. Under 45 CFR 164.506, a paramedic from one agency can hand off vital signs and meds to a receiving ED doc from another agency without a BAA or a DUA between them. That's not the problem. The problem is what happens afterward when the ePCR gets written. It contains the patient's name, date of birth, clinical findings, and transport decision. That record is created by an agency that was operating outside its home jurisdiction under a mutual aid agreement that covers operations but not data. The record enters the aiding agency's ePCR system, flows through their vendor's data pipeline, and lands in the state's repository tagged to the responding unit. Neither agency formally documented the data transfer. There is no documented chain of custody for the record, and there is no agreement about who owns it, who can amend it, and who is responsible for a breach notification if it leaks.

The rescue worked, but the paperwork is a liability that nobody planned for.

The same problem surfaces in "EMS Telemedicine Integration: BAA Chain and Security Architecture" when clinical data crosses vendor boundaries during a telemedicine consult, but telemedicine usually has a written agreement. Mutual aid almost never does.

BAA vs DUA for Public Safety Agencies

This is where the confusion starts.

A Business Associate Agreement is a contract between a covered entity and a vendor. Your agency signs a BAA with your ePCR vendor, your CAD vendor, and your billing service. It says they will safeguard your PHI and use it only for the purposes you authorize. That's a BAA.

A Data Use Agreement is a contract between two covered entities. Your agency and the neighboring agency are both covered entities under HIPAA. When you share PHI with each other for treatment, the Privacy Rule allows it. When you start storing, transmitting, and retaining each other's records permanently or semi-permanently, you need a DUA that defines who does what with the data.

Most agencies do not have DUAs with their mutual aid partners. They have handshake agreements built on the assumption that the operational relationship covers the data relationship. It does not.

A proper inter-agency DUA should spell out three things:

  • Ownership. The agency whose crew wrote the ePCR is the Provider of Record. That does not change just because the call happened outside their jurisdiction. The DUA should say this plainly so there is no dispute when a subpoena arrives seven years later.
  • Retention. The aiding agency's ePCR system now holds a record for a patient who is not their patient. How long do they keep it? Do they purge after the state repository confirms receipt? Do they archive it indefinitely because their system has no way to delete a single record without breaking the audit trail? The DUA should set a retention period and a purge mechanism.
  • Transmission. When the aiding agency finishes their shift and returns to their station, how does the record get to the home agency? Options include fax, email, or a state-level data exchange, but the method matters. Email is not acceptable for PHI without encryption. Fax is technically compliant but operationally fragile. A secure exchange portal is better, but only if both agencies have one and know how to use it.

Sharing PHI Across Jurisdictional Lines in Fire and EMS

The operational reality is that the clinical handoff happens in real time on the scene. The data-sharing happens later, after the apparatus is washed and the crew is writing their report at 3 a.m. That delay creates a gap.

The crew from County A has County B's patient in County A's ePCR. They are logging into a system governed by County A's policies, accessing a record for a patient in County B's jurisdiction, and submitting it to a state repository that may have different retention rules than either county. There is no agreement that says which policy applies. If there is a breach, both agencies are on the hook. The auditors will not care which one caused it.

The fix is a regional DUA framework that every agency in the mutual aid compact signs. It does not have to be a hundred-page document. It needs to define the three things above and commit each agency to a minimum set of security controls for PHI in transit and at rest. That is enough to survive an audit and enough to clarify who owns what when a record request comes in.

Building a Unified Incident Response Plan for Multiple MSPs

The PHI problem is the clinical side. The incident response problem is the operational side, and it gets worse the more vendors are involved.

Three neighboring agencies in a mutual aid compact use three different MSPs. Agency A runs CrowdStrike. Agency B runs SentinelOne, and Agency C runs a local MSP that resells a third EDR product you have never heard of. When ransomware hits the regional dispatch center that serves all three, the IR plan demands that everyone work together. But the MSPs have no pre-existing relationship. Their tools do not share telemetry. Their security operations centers have no common language for threat reporting. And the first six hours of the response are spent arguing about permissions.

The MSP for Agency A has access to Agency A's environment but not to the regional dispatch infrastructure. The MSP for Agency C has access to the dispatch infrastructure because they host the CAD server, but they do not have a standing agreement to communicate directly with Agency A's security lead. Everyone is working the same incident through different lenses with no common operating picture.

This is a logistics failure, not a technology failure. The tools work even when the permissions do not.

The solution is a Mutual Aid Technical Annex attached to the regional IR plan. It should contain:

  • Cross-tenant visibility. Each MSP agrees to grant read-only access to a named security lead from each other agency during a declared emergency. This is pre-negotiated, tested annually, and activated by a phone call, not a contract revision.
  • Out-of-band communication. When the dispatch network is compromised, email and Teams are not available. The annex should specify a backup channel like a Signal group, a dedicated secure portal or a conference bridge on a separate provider. Every MSP and agency lead should know how to reach it.
  • A common classification for threat severity. If Agency A's MSP says "we see lateral movement from the CAD server to the backup appliance" and Agency B's MSP says "we see suspicious DNS queries from the backup appliance," those observations should map to the same severity level. The annex should define what each severity tier means in operational terms so there is no time wasted translating between frameworks.

The AI Dispatch Transcription problem connects here because when dispatch audio is transcribed by an AI service, the output can be pulled into an investigation by any of the involved MSPs. Without a clear data-sharing protocol, that transcription becomes just another record floating between agencies with no custody chain.

Frequently Asked Questions

Can we share patient data with another agency during a mutual aid call without a signed agreement?

For immediate treatment purposes, yes. HIPAA's Treatment, Payment, and Operations provision allows PHI sharing without a signed agreement during a live patient encounter. But once the formal records are transferred afterward, you need a DUA to cover retention, ownership, and breach liability.

What is the difference between a BAA and a Data Use Agreement?

A BAA is between a covered entity and a vendor. You sign one with your ePCR vendor. A DUA is between two covered entities. You sign one with the neighboring fire department when you share records across jurisdictional lines. They serve different purposes and are not interchangeable.

How do we handle incident response when different agencies use different MSPs?

Establish a Technical Annex to your regional IR plan. Pre-negotiate read-only cross-tenant access for declared emergencies, define an out-of-band communication channel that bypasses the compromised network, and agree on a shared severity classification for threat reporting. Test it once a year with a tabletop exercise.

Who owns the ePCR record on a mutual aid call?

The agency whose personnel wrote the record owns it. That does not change just because the call happened outside their jurisdiction. The DUA should state this explicitly to eliminate disputes during discovery requests and breach investigations.

What happens if a mutual aid partner has a data breach with my agency's PHI?

Both agencies are on the hook. The aiding agency holds the record and is responsible for its security. The home agency is the original covered entity and remains responsible for the patient's privacy. Without a DUA that assigns clear breach notification obligations, both agencies will have to explain to auditors why no agreement existed.

---

The operational success of mutual aid in public safety is not in question. The data architecture behind it is. Most agencies are one audit away from discovering that their clinical handoffs work perfectly and their data-sharing framework does not exist. A regional DUA and a Mutual Aid Technical Annex for the IR plan cover the gaps. They take a few hours to draft and a day to negotiate. The alternative is explaining to a federal auditor why you thought a handshake was enough.

-- Steven
