It has been a hot topic in Firehouse.com forums, at fire service and EMS conventions, in the trade press and in fire stations across the nation. And, it is causing lots of confusion at all levels. What is this new HIPAA privacy requirement? How does it apply to me and my department?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by Congress to improve the nation's health care and health insurance system. The privacy rule is one small component of a massive law that has spawned massive mandates on all parts of the health care system. It is intended to give patients more control over their health records and over who has access to those records. Covered health care providers must take reasonable steps to limit the unnecessary disclosure of protected health information. This federal privacy requirement took effect in April, and it imposes a major new mandate on all elements of our health care system, including many (but not all) EMS units. The new rules are among the most significant changes in emergency medical services in many years. Never before has there been a federal standard defining and ensuring the privacy of a patient's medical information.
Because the rules are designed to apply to all elements of our nation's health care system, there may be some aspects that do not fit well with the unique character of EMS. What works well in a hospital or clinical setting doesn't always work on the streets where we operate.
Already the rules have undergone one significant revision. The Department of Health and Human Services (HHS) issued its original version of the privacy rule in December 2000, just days before the Clinton administration left office. However, in March 2002, the department reopened the rulemaking process in order to address some serious unintended consequences that had been identified. It had concluded that the original privacy rule would have interfered with patients' access to quality medical care. The proposed rule changes provoked more than 11,000 public comments. The current rules were published in August 2002, and took effect on April 14 of this year.
The rule relies on the "minimum necessary" principle. The disclosure of health information should be limited to the "minimum necessary" to accomplish the intended purpose. Entities must develop procedures and policies for the use of medical information that implement this principle. There are exceptions, of course, which generally are intended to balance privacy protections with quality health care delivery. The most significant exception is that information can be provided to other health care providers for treatment purposes. This includes billing information.
Covered EMS systems must institute security measures for handling and releasing medical information that are appropriate for their organizations. Employees (including volunteers) must be trained on the HIPAA rule and the department's policies. A "privacy officer" must be designated. Patients must be informed of the privacy practices (presumably by giving them a brochure and obtaining a signed acknowledgement that they have been informed). All of these requirements should have been implemented by the rule's April 14 effective date.
This is a legally complex rule that already has raised many questions regarding its application. As a result, Firehouse® EMS Contributing Editor Gary Ludwig reports that there is lots of confusion about the new rule. More distressing, people aren't talking to each other. He cites cases throughout the nation where EMS personnel, hospitals, police, coroners and others are unnecessarily refusing to share information.
One critical exception to the "minimum necessary" rule is that unlimited disclosures can be made between health care providers for treatment and billing purposes. There have been reports of hospitals refusing to share information with EMS providers, but hospitals are misreading the rule when they do this. There is no reason for a hospital, nursing home or other health care facility to withhold information from EMS personnel. This is one significant change from the original rule, which had created barriers to hospitals sharing patient information with the EMS providers who brought patients to them.
Much has been written about the new HIPAA privacy rule, and still there are many situations where its application is unclear. The rule's complexity has led the International Association of Fire Chiefs (IAFC) to counsel its members to seek professional legal advice to make sure their departments are in compliance.
Since the days of Hippocrates, in ancient Greece, medical confidentiality has been of great importance, both to patients and to those who provide medical care. However, as HHS discovered in drafting this rule, it is difficult both to protect patient privacy and to promote the best possible quality care for patients.
The current rule improves on the initial draft in providing more of a common-sense balance between these two important values. But, it is complex, and its implementation will continue to be a challenge to EMS providers. There still is a great need to educate EMS personnel about what they must do to effectively implement these new privacy requirements.
Steve Blackistone, a Firehouse® contributing editor, is an attorney and a member of the Bethesda-Chevy Chase Rescue Squad in Montgomery County, MD.