EMS: 20 Years of HIPAA

Feb. 1, 2016
Gary Ludwig addresses 20 years of HIPAA, noting that we’re all still confused!

During a recent visit to one of my stations, a firefighter asked me about a medical procedure that I had undergone not too long ago. Another firefighter quickly interjected and said I did not have to answer the question since it violates the Health Insurance Portability and Accountability Act (HIPAA). I looked at him in amazement. I couldn’t believe some people still exercised extreme caution when discussing medical information—all because of a fear of HIPAA, and after all these years. 

HIPAA hysteria

I’ve been hearing about HIPAA for 20-something years and all the hysteria surrounding it. We whisper behind closed doors for fear we might violate HIPAA. It was like a switch was flipped one day and a person’s healthcare information suddenly became a matter of national security, as if the only way to release the information was if Congress was briefed in a closed session by the director of the CIA.

I can remember when HIPAA first came about in 1996. By the time my department finished training us, we were all scared to say anything about a patient. If you got caught releasing medical information, you could be fined, jailed, sued by the patient, lose your first-born child and possibly be sacrificed to the gods. 

I can remember being at a shooting scene in St. Louis right after everyone had been trained on HIPAA. The responding paramedics would not tell the police officers anything about the victim’s medical condition since they were sure they would be violating HIPAA if they did. The police officers were livid!

Objectives & entities

HIPAA was first passed by Congress as landmark legislation in 1996. It had two main objectives: 1) to make sure individuals maintained their health insurance between jobs, and 2) to ensure security and confidentiality when it came to patient information and data. In addition, it mandated uniform standards for electronically transmitting administrative and financial information relating to patient health.

The key word to remember about HIPAA is insurance, and when you read the law, it’s pretty clear why. The law applies to “covered entities,” which include 1) a health plan, 2) a healthcare clearinghouse or 3) a healthcare provider that transmits any health-related information in electronic form in connection with a transaction for the purposes of insurance reimbursement.

So if your department only provides first responder services and does not provide EMS transport, some believe that HIPAA does not apply. And if your fire department does provide EMS transport but does not bill insurance companies for your services, some believe HIPAA does not apply.

Of course, there are always the moral and ethical standards of doing business. Just because your fire department isn’t regulated by HIPAA doesn’t mean you can post a car accident victim’s name and medical condition on your website. You still have an ethical and moral obligation to protect a patient’s privacy, which you should have been doing prior to the HIPAA law.

HIPAA violation = jail time?

The other common rumor about HIPAA is that no one goes to jail for violating it. That is not exactly true! In 2010, Dr. Huping Zhou, a cardiothoracic surgeon from China and a former UCLA Healthcare System employee, was convicted and sent to prison for four months for violating HIPAA. It seems he was fired from UCLA Healthcare System as a researcher with the UCLA School of Medicine after it was determined that on 327 separate occasions, he accessed and read the medical information of his immediate supervisor, his co-workers and other patients, including celebrities. But there was no evidence that Dr. Zhou disclosed or gave medical information to anyone. He merely accessed medical records without authority. 

Others have been convicted and done jail time stemming from incidents occurring in Alaska, Arkansas, Washington, etc. More often, however, people are fined by healthcare providers for HIPAA violations.

Common sense

There has been a lot of hysteria about HIPAA over the last 20 years. Los Angeles City Fire Department’s Twitter feed has been shut down a couple of times over the last several years for fear that HIPAA was being violated. Firefighter/paramedics have also raised questions about whether a quality improvement person can read a patient care record and provide feedback. Another issue: Can one fire chief release information to the media about another chief being terminated for failing a random drug test?

It all comes down to common sense. Can you go flaunting someone’s medical information all over the place? Common sense says no! Can you knowingly go into someone’s medical records when you have no business looking at them and you did not treat the patient? Common sense says no! Can you then share the name and medical information with someone else? Common sense says no. Can you take pictures of a patient while on a call and send them as a text message to your buddies or post them on Facebook? Common sense says no!

Just remember: There is no need to live in fear when it comes to dealing with HIPAA. Just keep in mind that if it does not pass the smell test, it’s best not to share, release or delve into someone’s medical records as a firefighter or paramedic.  
