In general, the privacy rule is that medical information about a consumer can only be transmitted by various covered entities in order to treat the consumer, collect payment from the consumer, and complete health care operations, such as audits or quality assessments. All the information is “need to know”, so even if you are performing one of the above operations you only get as much information as you need to do your job. For instance, a registration nurse will receive detailed personal information to collect payment, but very vague medical information, as she does not need those details to put a patient into the hospital’s system, whereas the patient’s medical nurse will receive very detailed medical information, but is more limited on things like the patient’s address or credit card number.
The Privacy Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. It covers all information pertinent to the patient’s past, present or future physical or mental health or condition, the provision of health care to the individual, and the past, present, or future payment for the provision of health care to the individual.
One of the major purposes of the Privacy Rule is to define and limit the circumstances in which protected health information may be used or disclosed by covered entities. Private health information may be shared by a covered entity only if the Privacy Rule permits it or the subject of the information gives consent in writing. The penalties for violating the Privacy Rule are very severe for health care providers like ourselves; in fact, HHS may impose civil money penalties on covered entities for non-compliance with a Privacy Rule requirement. Fees of $100 may be imposed with a maximum limit of $25,000 per year for multiple violations. Covered entities may get out of fees only if a violation is due to reasonable cause and did not involve willful neglect, and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.
Slowly the medical industry is adopting newer technologies. The late coming of the medical industry’s reporting system into the technological age is perhaps because of the strict privacy restrictions that apply to all the associated information. It’s difficult to protect things once they are online, even if they only exist within an intranet of medical service providers. In PG and Montgomery counties, as well as around the country, there has recently been a major jump forward, switching from paper reporting to electronic reporting. This has made the process much more streamlined, but questions may arise as to how secure this is. There are several major things that didn’t exist during the paper reporting system that have been implemented to improve security and confidentiality. Firstly, one must sign in to the system with their own name and password to see their own “calls”; another EMS provider cannot access these records, not even if they were on the call. Only the EMS provider in charge can access the records. It also adds a patient signature pad, which the patient signs after reading about HIPAA’s regulations, and learning about how the information I have collected will be used, and how it should not be used. It also eliminates the “EMS reviewer” that was part of paper reporting: essentially a third-party EMS member, who generally was not on the call, would review the full report to ensure accuracy before sending the report to the county to be placed into the system.
There are some worrisome things about the new reporting system, though. Firstly, not every provider remembers to sign out of the system before they leave, granting access to the next EMS provider who uses the computer. This is generally not an issue, as most other providers just sign out, but it is still technically a HIPAA violation.
Dom’s Experiences:
As a provider in Montgomery County I deal with HIPAA regularly. As mentioned before, the major take-home point as a provider is to limit how many people get information about your patient, which can be surprisingly more difficult than one would expect. I can’t count how many times a nervous family member has jumped into the back of my ambulance asking a lot of questions that I simply wasn’t allowed to answer. Speaking of family members, there is also the difficulty of which family members should be brought along inside the ambulance, and who may sit in the back with the patient, and who to seclude to the front. Over the course of a typical transport by myself, and by many providers, I try to dig up as much medical history as I can with the person in a very short period of time through a series of questions, many of which are the very information HIPAA is designed to protect, which means that having a family member in the back of the ambulance requires the consent of the patient.
Now, we’ve mentioned that for consumers the major take-home point is that all their information is to be protected, but as providers our major take-home point is that HIPAA is by no means meant to hinder our job. There isn’t some sea of paperwork to move this information from say, a nursing home, to myself, to an emergency department staff, nor is HIPAA meant to keep me from telling a necessary number of future providers about what is going to occur. On a major trauma call I may end up giving a report to a paramedic, a nurse, and an entire team of trauma surgeons without violating HIPAA. HIPAA is a medical “need to know” and if 20 people truly do need to know then all providers involved are covered. While at Holy Cross Hospital a few nights ago I saw a good example of how nurses cover themselves from violating HIPAA. I had just brought in a patient, whose daughter later called the hospital. The nurse called over to my patient saying “ma’am, your daughter is on the phone, she would like to know if I can give her information about your condition, is that alright?”. This statement, while seemingly simple, really shows how aware the nurse was that others were listening, and what information they should not know about my patient. Firstly, she referred to her only as “ma’am”, so as not to give a name; second, she referred to my patient’s “condition” without stating aloud what was wrong; and third, she asked permission even before informing the patient’s daughter. HIPAA is something always on the mind of providers, and while not stopping us from doing our jobs, it remains an important part of the community.
Andrew’s Experiences:
I am also an EMT provider and experience many of the same things Dom touched on. When a patient is transported by an ambulance from the College Park Fire Department, they are required to sign a computer which serves multiple purposes. The laptop computer is used by providers to record patient information, keep track of the location of calls, and also used as a means for patients to sign electronic “paperwork”. One of the things that the patients sign is a detailed explanation of HIPAA as it relates to an ambulance transport. The form basically describes the Privacy Rule and how their information is protected. Another precaution the providers take is verbally explaining HIPAA to the patients before they even sign the laptops. We tell them to fully understand what they are signing and basically that any personal health information shared is confidential and will only be shared by covered entities, which include the EMTs, the hospital staff, and the patient’s health insurance companies.
On Monday, 10/11/10, a major incident happened at Downtown College Park which involved 4 people (3 of whom were students) getting in a fight ending in stab wounds to all four victims. This incident has been all over the news and newspapers. I ended up driving one of the patients to the hospital and providing care for two of them on scene. Local news stations all swarmed to College Park in order to report and gather as much information as possible. Many of these stations called our firehouse looking for information about the patients and their condition. As a covered entity by HIPAA and the Privacy Rule, we were unable to share any information about the patients and what we did. Also, close friends of mine have been asking about what happened to the patients, but I am only able to give a brief summary of the incident without giving too many details about the patients and their condition. I am personally glad that there are rules and regulations about personal health information because if something as terrible as the recent stabbings happened to me, I’d want my information to be as confidential as possible.

This was a good introduction into first-hand experiences with patients' health information as it is described directly by health care providers. This post clearly explained the legal protections an individual has when being transported to the hospital for any reason. It even addresses the little-known facts about whether family members can be present in an ambulance, even though you did not clarify who can remain in the back and which member rides up front and why. Synthesizing these experiences with a real-world example of the recent stabbing near campus also raised some interesting questions. I would have liked to have seen the issue taken one more step beyond the personal experiences and legal facts. How IS a crime, such as a stabbing, handled as compared to someone being transported from their home? Do police officers question ETs (even though officers may be aware of the rules)? Where does "family" stop in terms of sharing information? Can only mom/dad/brother/sister obtain permission to the information? If distant family members can too, what is required? I am especially interested in cases where the law was challenged and applied (even unintentionally). Some additional research might have produced these examples. You could have interviewed other ETs on their experiences/observations related to privacy or you could have surveyed students or the public on what they do and do not know about the rules you must follow. These are the type of extensions that would have made the assignment stronger. It's a fascinating topic. Thank you for sharing it.