HIPAA regulations
Now that we are in the information age, privacy is becoming more and more of a concern. In order to protect privacy and curtail privacy infringements, the Federal Government enacted the "Health Insurance Portability and Accountability Act of 1996." The HIPAA regulations covered more then privacy, but for our purposes the privacy issues are what matters.
In the 1950s, the some newspapers used to list every admission to the hospital and their illness. Now you cannot even go to the hospital without signing a HIPAA form, and you should sign one for every EMS call also.
HIPAA at its most basic says that the patient has a right to privacy and that we respect that right. The patient has the right to determine the amount of information to be given out, and to whom it is given. The only exceptions are for patient care, billing, research, and quality assurance/improvement.
HIPPA created the term “protected health information” or PHI. PHI can be any medical information, but specifically the issue is any information that can connect the patient with the condition. This includes the patient’s name, location, and hospital transported to. The patient can also ask you to keep private any and all information, which you have to comply with.
This includes talking about the patient to the patient’s family and friends, police, press, and anyone not directly responsible for patient care. We as caregivers are responsible for maintaining the patient’s privacy. This includes not interviewing the patient in front of bystanders, family, and non-EMS personnel. The challenge is to treat the patient, with what looks like our hands tied behind our back.
So the question is, how do we treat our patients? Patient’s privacy needs to be worked into all aspects of patient care, and the best way to describe it is to go step by step through a ‘normal’ call. (I will use the example of a transporting EMS service, but it goes the same for EMS support or non-transporting.)
Privacy starts with the dispatch. In many areas, calls are still dispatched as “123 Main St, the Jones Residence for chest pain”. While it may be convenient, and easier to find, the patient’s name should be omitted from radio transmissions. Anyone can buy a scanner, and with the address and name, figure out who the patient is. Ideally even the address wouldn’t be given over the radio, but it is necessary for patient care, and therefore exempt from HIPAA.
When you approach the patient, you should introduce yourself, your company, ask for permission to treat, and ask if it is ok to talk in front of the patient’s family/friends. This may sound odd, but it is important and the permission to treat and privacy questions will save you and your company in the future.
Now that you have permission to treat and speak freely, you should limit the amount of personnel interacting with the patient. HIPAA allows you to share information to achieve effective patient care, but limiting personnel not only is a privacy issue but also provides better patient care.
That being said, there is a limitation. The Ryan White act specifically states that you cannot discriminate or share information about a patient’s HIV status. In this case, you can ask the patient to disclose the information to your partner, but you are not allowed to disclose it.
HIPAA does not make provisions for sharing information with police or other authorities not directly doing patient care. That means that we cannot tell the police that the patient smelled like a brewery or was found with a needle in their arm. In order to get that information, they would need to subpoena the report or ask you to testify in court.
Where HIPPA becomes a big issue in a volunteer department is after the call. We all have gone back to the house and discussed calls, and it’s a good and natural part of the process. HIPAA allows for review of calls, but PHI needs to be protected.
In our small communities, it is easy for people to talk. If you go home and talk to your wife about the call, and talk about the location, hospital transported to, or patient’s name, you are violating HIPAA. This violation can cost you personally $5k or more.
Finally, the last concern as far as HIPAA is involved is record keeping. HIPAA regulations spend quite a bit of time talking about security of records. Any records must be secure and if used for QA/QI or research must have no patient demographics. Patients are allowed to ask to see their file at any time and may ask to have it changed. You should also have on file a document signed by the patient stating that you informed them of their HIPAA rights and they understand.
If you keep your records on a computer, the security concerns double. All data must be password protected, encrypted, and meet stringent security requirements. These requirements are such that it is best to bring someone in to help.
HIPAA legislation may make our lives difficult, but it is for the best. In 10 years, we will all be amazed at the lack of privacy patients had 10 years ago. Keep your members informed, and their adherence to HIPAA regulations with help to show that they are true professionals.
Discuss this column at http://www.volunteerfd.org/phorum/read.php?f=20&i=94&t=94
