What do all of these occurrences have in common? The Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a beast. It is 396 pages of information from the federal government that centers on protecting the medical privacy of the patient. HIPAA, also known as "the Privacy Rule," has been described as one of the largest federally unfunded mandates ever imposed on the health care industry. Part of the law is designed to improve efficiency in health care delivery by standardizing electronic data interchange and providing protection of confidentiality, personal health information, and security of health data through setting and enforcing standards.
The law is intended to give patients more control over who accesses their health information. The law also provides restrictions for the use or the release of a patient's health records. Standards are also in place to give health care providers guidance on releasing information in order to protect the privacy of a patient's health information.
Many paramedic/firefighters and EMT/firefighters feel caught in the middle between doing their duty and protecting the privacy of patients.
From my interaction with many around the country, there is still confusion, bewilderment and misunderstanding among those in the fire service with certain segments of the law.
Most fire departments and EMS agencies, by law, should have conducted training for all their members by April 14, 2003. However, this training in many cases has added to the confusion. Also during their training, many have learned of the serious consequences for violations of the law. This has added to the shutdown of information in some cases.
The Department of Health and Human Services' Office of Civil Rights has been charged with enforcement of the HIPAA regulations and there are civil and criminal penalties if a patient's privacy rights are violated. For civil violations, the OCR can levy penalties up to $100 per violation and up to $25,000 per year.
The criminal side of the law is more punitive. Any criminal violation will be handled by the Department of Justice. Criminal penalties include fines up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under "false pretenses"; and up to $250,000 and up to 10 years in prison if the offenses "are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm."
Some of the biggest confusion centers on sharing patient information with other health care providers and other public safety officers. Can paramedic/firefighters share information with a police officer? Yes - under certain conditions and on very specific occasions. Examples include when there is a death of a suspicious nature or when a death may be related to a crime. Other circumstances include victims of assaults, rapes or any other events that may lead to a police investigation because a crime has been committed. If there is an immediate danger to the patient or someone else, information can be shared with law enforcement. The law also allows medics to disclose information when there is a need to identify or locate a missing person or suspect.
Do you have to have the patient sign the privacy statement even though they are a "regular" that you transport all the time? No, it is only necessary to get one signature per patient per lifetime.
Another area where there has been information shutdown is between the hospital and the transporting fire agency. If a hospital fails to give you information on a patient you just transported, it is not clear on the law. HIPAA allows health care providers to share information between themselves if they are both involved in the treatment of the patient. Not only can a fire department medic obtain information on a patient they transported to a hospital, but the hospital is also allowed to obtain information from the fire department medic.
What happens if your billing company needs information from the hospital? Can the company get it? Yes, as long as the company is your contracted billing agency, the hospital can share fact sheets and billing information.
What about quality assurance and quality improvement programs? Many hospitals as a part of providing medical direction to a fire department also have quality assurance or quality improvement programs in place. However, the patient information for purposes of quality assurance or quality improvement can be shared only with the transporting EMS agency.
What about transmitting patient information over a radio or cellular telephone? As long as your radio or cellular transmission is related to treatment, it is permitted under HIPAA. However, discretion is the operative word when transmitting patient information over a radio or cellular telephone. For example, in many cases, the patient's name would not be a part of the treatment modality and the transmission of the patient's name over the radio or cellular telephone would not be necessary.
What should your fire department be doing? First, as I noted, all personnel should have been trained on HIPAA by April 14. Second, all paper records and electronic data patient records should be protected and secured from those not involved in the treatment, billing, quality assurance or quality improvement process.
Many fire departments have established compliance officers or privacy officers. These individuals are responsible for maintaining policies and coordinating training of all employees. Fire departments should also develop standard operating procedures (SOPs) with respect to who has access to health care information, when information can be released and security measures necessary for maintaining the confidentiality of patient information.
Although this law is a beast and can be intimidating, a common-sense approach to managing the security of patient information while performing your job duties is what is required to be successful.
Additional information on HIPAA can be found at the following websites:
Gary Ludwig, MS, EMT-P, a Firehouse® contributing editor, is the chief of Special Operations for Jefferson County, MO. He retired in 2001 as the chief paramedic for the St. Louis Fire Department after serving the City of St. Louis for 25 years. He is also vice chairman of the EMS Section of the International Association of Fire Chiefs (IAFC). He is a frequent speaker at EMS and fire conferences nationally and internationally, and is on the faculty of three colleges. Ludwig has a master's degree in management and business and a bachelor's degree in business administration, and is a licensed paramedic. He also operates The Ludwig Group, a professional consulting firm. He can be reached at 636-789-5660 or via www.garyludwig.com.