Within chapter seven, the discussion will
focus on privacy and confidentiality requirements for EMS patient records.
Once completed with this chapter, you should be able to explain the components of the Health
Insurance Portability and Accountability Act and analyze the issues that face EMS organizations
in the areas of compliance, training, and handling violations; analyze the issues associated
with maintaining patient confidentiality with regard to written reports and other patient
documents; identify the confidentiality requirements for employment records and convey a basic
understanding of public records law; and, draw conclusions on best practices for maintaining
patient, employment, and other necessary records that EMS organizations possess.
To frame the subject of medical records privacy, consider the following situation: You transported
a resuscitated cardiac arrest victim to the hospital and are completing your documentation
in the hospital’s emergency department. While the report has been completed, the patient
suffers another cardiac arrest and the hospital staff asks the crew for assistance. You leave
the report on the nurses’ station desk and assist. You couldn’t help but notice a local
television reporter hanging around the emergency department. Your patient was a victim of an
assault and, whether you realized it or not, the reporter was looking for a story.
After you are done assisting the hospital staff, you return to the nurses’ station to
discover the patient medical record is nowhere to be found. Thinking it was inadvertently
destroyed or thrown away, you generate another report for the hospital staff before returning
to the station. Later that evening, the lead story on the
news is the assault on your patient. During the broadcast, the reporter pulls your the
original report and broadcasts all of the medical information you documented, including
the written narrative of the assault and the injuries sustained by the patient. Needless
to say, you are somewhat livid at the report, as well as the reporter’s audacity after realizing
the reporter essentially stole your documentation. So, what would you do in this situation? Do
you write a letter to the TV station expressing your outrage that the reporter stole the patient’s
record? Do you contact your department’s attorney, the county prosecutor, or the state attorney
general to see about having criminal charges filed against the reporter? Should you write
a letter of apology to the family given your role in the release of the patient’s protected
health information? Do you think there is a policy issue that should be addressed to
prevent something like this from occurring in the future?
This scenario obviously involves personal healthcare information, which is protected
by the Health Insurance Portability and Accountability Act. There are commonly state laws that also
govern the privacy of patient health information, and we will explore the law in Wisconsin as
well as the protections provided by HIPAA regarding the storage, retention, and disposal
of written records. HIPAA is federal legislation passed in 1996
that applies to any healthcare provider that transmits protected health information electronically.
Within the law are provisions that ensure not only the privacy and security of such
information, but also ensure there is a mechanism in place for patients to obtain their own
medical records from the healthcare entity. Given the sensitive nature of this data, which
can include medical history, care provided, insurance and financial information, vital
signs, and other elements, it is no wonder the law tries to ensure reasonable and appropriate
safeguards are in place to ensure the integrity and confidentiality of this information.
One thing to note is that the employment records of employees within a covered entity are not
covered under HIPAA, even if those records contain protected health information. There
are other laws that deal with the confidentiality of employment records.
This duty to maintain patient confidentiality stems from historical principles of providing
healthcare. HIPAA simply codifies many of these previously existing practices while
also defining instances in which a healthcare provider may release protected health information
without patient consent. The US Department of Health and Human Services
developed rules under HIPAA to ensure patient privacy while also addressing the need for
healthcare information to flow within the system to promote and facilitate high-quality
healthcare. As mentioned previously, every healthcare
provider who electronically transmits health information in connection with certain transactions
is a covered entity under HIPAA and must comply with the law. As far as EMS agencies are concerned,
every transporting EMS agency in the state of Wisconsin is required to submit ambulance
run data into the state’s WARDS system, which essentially removes any doubt that the EMS
agency is transmitting electronic health information. Within Wisconsin specifically, state statute
256.12(12) stipulates that all records made by an ambulance service provider in administering
emergency care procedures to and handling and transporting sick, disabled, or injured
individuals shall be maintained as confidential patient healthcare records. State statutes
146.81 through 146.82 deal specifically with patient healthcare records and provide even
greater clarification on what constitutes a healthcare record, how the information may
be utilized, and the types of disclosures permitted without patient consent.
Just because a entity may not be specifically covered by HIPAA does not mean the provisions
of HIPAA do not automatically apply. HIPAA recognizes a business associate classification
for people or organizations that perform certain functions or activities on behalf of, or provides
certain services to, a covered entity when those functions or activities involve the
use or disclosure of protected health information. Such business associates must adhere to HIPAA
requirements. As an example, if an EMS agency has an external vendor maintaining its computer
systems, and those computers contain protected health information data, the vendor is subject
to the confidentiality requirements defined within HIPAA. Another example could be a first
response agency that interfaces with a transporting ambulance service. That first response agency
may not transmit electronic healthcare records and, as a result, is not a covered entity
defined specifically within HIPAA. Such an agency would be a business associate of the
transporting EMS agency, however, which means they must still maintain the confidentiality
of patient records and information. Billing and insurance agencies must also comply
with HIPAA provisions, which includes health insurance companies, HMOs, company health
plans, and certain government programs, such as Medicare and Medicaid.
Covered entities under HIPAA must give patients the ability to have access to copies of their
personal health records, have corrections added to their health information, receive
notice of how protected health information is used and stored, give permission (or withhold
such permission) to use or share protected health information, and receive a report about
when and how protected health information was shared. If there is a breach in security
and information is leaked, acquired, or otherwise obtained by an unauthorized party, the covered
entity actually has a duty to proactively notify the patient of the release of information.
The Privacy Law sets numerous rules and limits related to who can look at and receive health
information. Ultimately, medical records are the property of the patient and it is the
patient’s right to determine who can access his or her medical records. Most access requires
written permission unless the access falls within very specific exceptions.
Such exceptions include the release of information for treatment and care coordination, paying
healthcare bills, ensuring clean and safe nursing homes, protecting public health, making
required reports, specific law enforcement activities, and system quality and improvement
activities. Additional exceptions include disclosures
to insurance providers and billers, subpoenas, direct patient requests, and authorized legal
representatives if the patient is deceased. One of the reasons why HIPAA is taken so seriously
by healthcare providers is because the penalties for illegal disclosures can be substantial.
Penalties for a breach of HIPAA can include fines up to $50,000 and/or imprisonment for
up to 1 year. If such a disclosure is made under false pretenses, the fine is $100,000
and/or imprisonment of 5 years. Given malicious intent, the fine is up to $250,000 and/or
imprisonment of 10 years for the breach. The length of time medical records must be
maintained can vary greatly from jurisdiction to jurisdiction. According to the textbook
author, medical records must commonly be stored for anywhere from one year to 25 years, with
a minimum of 8 years being common. Depending on the volume of patients seen by
a healthcare provider over the course of time, that can amount to a considerable sum of paperwork
that must be maintained. Paper records should be stored in a secured area, such as a locked
filing cabinet or a locked room with limited access.
At some point, it is also likely that those stored records will need to be accessed and
released. Such a release should occur in compliance with the organization’s release policy, which
may include a review by the organization’s records management officer.
HIPAA also has a “minimum necessary” standard that stipulates healthcare agencies must implement
reasonable policies and procedures that limit how much protected health information is used,
disclosed, and requested for certain purposes. The agency should release the minimum amount
of information necessary to meet the requirements of a specific disclosure, and it should also
limit access to that information to the minimum necessary personnel required to manage and
maintain that information. For instance, an EMS crew using a computer system for entering
patient run data should not be able to access information for other patients treated and
transported by a different crew. If transmitting patient data to an insurance company or collection
agency, it may not be necessary to provide the entire patient file. The minimum necessary
standard requires the EMS agency to provide only that information necessary for the insurance
company or collection agency to process the claim. The minimum necessary standard does
not apply to communications between healthcare providers for treatment purposes, however.
As a result, the EMS provider does not have to worry about providing too much information
to a destination hospital or treating physician, which is probably a good thing.
It was previously mentioned that protected health information can be used for system
quality and improvement activities. This would permit a healthcare agency to make copies
of medical records for use in a QA or QI review. Given such copies, personally identifiable
information should be removed. Those participating in the process should sign confidentiality
agreements to ensure everyone is familiar with the confidential nature of the documents.
Once the review is completed, any document copies should be properly destroyed.
The physical transportation of protected health information is very important as the exposure
to inadvertent breaches in confidentiality is greater while the records are being moved
from one secure storage location to another. During transport of protected health information,
all documents should be secured and monitored closely. If the records are transported in
a vehicle and the driver must leave the vehicle at any time, the vehicle should be locked
with the records out of sight. It is possible to mail protected health information
if certain requirements are met. If moving records in bulk, however, using the mail may
not be the most effective and secure method to employ.
One thing important to note is that HIPAA recognizes something called an incidental
disclosure of protected health information. An incidental disclosure is a disclosure of
protected health information that is a by-product of a permissible or required use or disclosure.
So long as the healthcare provider takes reasonable safeguards and implemented the minimum necessary
standard with respect to the primary use or disclosure, an incidental disclosure is not
a HIPAA violation. For instance, an incidental disclosure could
include an EMS provider asking questions of a patient in a crowded public area, or the
provider transporting more than one patient in an ambulance from a multiple-casualty incident
and both patients can hear the medical report called in to the hospital by the EMS crew
for the other patient. EMS providers and agencies should obviously
take reasonable steps to limit incidental disclosures. It is good to know that HIPAA
does not expect absolute confidentiality in all instances, however.
If there is ever an instance where medical records must be destroyed, secure destruction
is required. Many states have regulations that govern the destruction of such records;
local requirements should be followed. It is important to recognize that certain
medical records should not be destroyed, including archival records, permanent records, or records
that would be necessary in litigation. While the maintenance of patient records is
important for EMS agencies, so too is the maintenance of its own personnel records.
To begin, personnel files can contain various types of information, from resumes, applications,
and tax information, to letters of discipline, commendations, and medical records. The Americans
with Disabilities Act recommends keeping employee health records separate from the rest of their
personal information. The last thing an employer wants is for a manager to access a personnel
file that contains medical information of the employee, which then results in some type
of disparate treatment based upon that medical information. Compartmentalizing the employee’s
information in this fashion is a prudent step in protecting both the employee and the organization
from such issues. Keep in mind as well that most states give
employees the right to review their own files. Within Wisconsin, this right is guaranteed
by state statute 103.13 and it encompasses medical records as well as other employment
records. The statute also provides some exceptions to this access, such as records related to
the investigation of possible criminal offenses committed by the employee, letters of reference
for the employee, materials used for staff management planning, and a few other specific
items. (These exceptions are defined within 103.13(6).) Being familiar with this requirement
is important as violations of 103.13 can result in a $100 fine for each day in which the statute
is violated. Ultimately, personnel files should be treated
with the same deference and importance as patient health information. Employers are
required to secure employee records, limit access to only those with a legitimate interest
in seeing them, and allow the employees access to their own records within specific statutory
requirements. The segregation of medical records from an
employee’s other employment records may be required by the ADA, depending on the nature
of the medical record. For instance, if the employer uses post-employment offer medical
examinations or inquiries, those records must be confidential and maintained separately
from the other employment documents. If you are an employer providing group health
insurance to more than 50 participants, HIPAA privacy provisions apply to the medical information
maintained by the employer for its employees. Under both the ADA and HIPAA, there are scenarios
in which protected employee health information may be released to third parties, but those
exceptions are rather limited. Given advances in medical technology, there
is actually a law that deals with the use and maintenance of an employee’s genetic information.
The Genetic Information Nondiscrimination Act of 2008 requires employers to keep any
genetic information it has on an employee as part of the employee’s confidential medical
record (as defined by the ADA), makes it illegal to discriminate against employees or applicants
based on their genetic information, and also establishes specific limits on disclosures
of that information. If an employer is a public (or governmental)
employer, there can be a question as to how open records laws apply to employment records.
Virtually all states have some limitations on open records disclosures when the subject
is an employee’s personal file. Such limitations typically include personal information; public
employee records; performance evaluations; investigative information; identities of complainants,
witnesses, and victims; and, employment and licensing information.
Within Wisconsin, the public records laws are defined within statute 19.31 through 19.39.
Under 19.36(10), employee personnel records are typically exempt from open records requirements.
Regardless of whether your EMS agency is a public or a private entity, state and federal
laws regarding records management must be followed. The federal government takes HIPAA
protections very seriously and Wisconsin also has its own law regarding the confidentiality
of patient records. Beyond patient health records, remember that EMS agencies also maintain
records on its employees and could face litigation if an employee’s personal information is wrongfully
disclosed. Again, a HIPAA violation could result in fines
anywhere from $100 to $50,000 or more, depending on the nature of the disclosure.
Additionally, Wisconsin state statute 146.84(1) recognizes a civil cause of action for the
inappropriate release of patient health information, which includes actual damages, exemplary damages,
attorneys fees, and other costs associated with the litigation. 146.84(2) also provides
for up to three and-a-half years of imprisonment and a fine of up to $100,000, depending on
the severity of the disclosure and the intent of the breaching party.
Thus, even if HIPAA may not apply or be enforced, there is also a parallel state statute in
Wisconsin that may result in liability for an unlawful disclosure of patient health information.
An interesting caveat about HIPAA is that it was not intended to undermine state open
records laws and, if a state permits a specific disclosure by law, HIPAA typically cannot
be used to establish liability for that legally permitted disclosure.
This can be an issue for EMS agencies involved in high profile or newsworthy responses when
the media requests specific information, especially if the EMS agency is a governmental agency
and the media outlet makes a formal open records request of the agency.
State statute 256.15(12)(b) stipulates that an authority may release the name of the ambulance
service provider, the names of the EMS providers involved, the date of the call, dispatch and
response times, the reason for the dispatch, the location to which the ambulance was dispatched,
and the destination to which the patient was transported, if applicable. It may be surprising
to note that the law also allows the release of the patient’s name, age, and gender. The
law does go on to state that the release of the patient’s medical history, condition,
or emergency treatment received is prohibited. Lastly, this law applies to agencies that
are considered to be “authorities” under state law. State statute 19.32(1) defines what entities
are considered to be authorities. A governmental entity is typically considered an authority
for the purposes of this disclosure law. A private ambulance service, on the other hand,
would probably not qualify as an authority under the law. Then again, a private ambulance
service is also not subject to the state’s open records laws, which means a media outlet
cannot compel a private ambulance service to release information through an open records
request, like it arguably can for a public agency.
If you are requested to release information regarding a call and are not sure what can
be released, if anything, it is advisable to consult with your agency’s legal counsel.
Returning to the earlier scenario, it should be clear that the theft of patient medical
information could have serious ramifications for not only the EMS agency, but the providers
as well. In this case, the medical record had not yet been transferred to the emergency
department staff, meaning that the EMS provider was responsible for the security of the report.
The textbook author indicates that a letter of complaint should be sent to the news station
producer even though the producer may not acknowledge the source. Working with the EMS
agency’s attorney is definitely advisable as there may be potential for criminal charges
or other legal action against the reporter. While the textbook author recommends that
a letter of apology be sent to the family, HIPAA actually imposes a duty of notification
in the event of an information breach. The EMS agency is required under 45 CFR 164.440-414
to provide notification to the patient of the breach, and must also provide notice to
the Secretary of Health and Human Services (although such notification can occur annually
given that the breach affects less than 500 people).
In light of this information, it is imperative that EMS organizations have a comprehensive
records management program. Such a program should encompass patient record confidentiality
as breaches can have a significant consequence for the organization. Under HIPAA your agency
should have a privacy officer who is well versed on the HIPAA privacy requirements.
Ensure your agency has a comprehensive records release policy in place that everyone can
read and understand. Be sure to train your employees as well to ensure they are not handing
out private or privileged material to the wrong people. Also make sure all medical records
are secured with only the minimum necessary number of people having access. If the records
are hard copy, then they must be physically locked up. If the records are electronic,
security and encryption is vital.