Clarifying HIPAA & Disclosure of Disease Information

Clarifying HIPAA

 

 
 
 

Katherine West, BSN, MSEd, CIC & James R. Cross, JD | | Wednesday, August 8, 2007


Case 1: It's 3 a.m. on a Saturday night and you_re en route with a patient in the back of the ambulance. When the patient becomes combative, you_re not able to trigger the safety device and are stuck with a contaminated needle. Your designated officer for infection control reports the exposure to the medical facility and requests source patient testing. The designated officer is told the results can't be released because of HIPAA.

Case 2: Your crew is instructed to transport a patient from the prison infirmary to the local hospital. You note that the infirmary staff is wearing masks but nothing is said to your crew. When you ask the diagnosis of the patient, you_re told that the information can't be revealed due to HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, directed the U.S. Department of Health and Human Services (HHS) to issue privacy regulations that set standards to govern individually identifiable health information. The Privacy Rule developed by HHS went into effect for most entities subject to the law (i.e., "covered entities") on April 14, 2003. Following implementation of the Privacy Rule, a great deal confusion has persisted within medical facilities regarding the sharing of source patient test results following an exposure event. Some medical facilities have refused to provide the test results of source patients involved in exposures because they believe such disclosure would violate HIPAA. Such refusals on the part of medical facilities are inappropriate and represent a misinterpretation of the Privacy Rule.

The Privacy Rule protects all 'individually identifiable health information' held or transmitted by a covered entity. This information is referred to as "protected health information" (PHI). It includes information regarding the individual's health condition, the provision of health care to the individual, or payment for the provision of health care to the individual if the information identifies the individual or there_s a reasonable basis to believe it can be used to identify the individual. The individual's written authorization is required for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule.

However, the Privacy Rule does not prohibit disclosure of PHI in all circumstances. Recognized exceptions include the issue of a medical facility disclosing source patient testing. A covered entity (e.g., a medical facility) is permitted to disclose PHI without an individual_s authorization to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law [45 CFR Section 164.512 (a)]. One of the "required by law" categories in the Privacy Rule is "Uses and Disclosures for Public Health Activities." The following use and disclosure is specifically authorized:

"A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation." [45 CFR 164.512 (b)(1)(iv).]

Medical facilities clearly are required by law to provide source patient test results in exposure incidents. The Ryan White Law, a federal law (PL 101-381), mandates that source patient test results be provided to the designated infection control officer (DICO) of the emergency response employee involved in an exposure incident. The medical facility to which the source patient involved in the exposure was transported has the legal obligation under this law to provide source patient test results following notification of the exposure by the DICO. The DICO then has the obligation to inform the exposed employee of the source patient test results.

In addition, the OSHA Bloodborne Pathogens Standard (29 CFR 1910.1030), also a federal law, provides that the employer of an employee involved in an exposure incident must obtain the results of the source individual's testing and make this information available to the exposed employee.

It's clear, therefore, that in the event of a bona fide exposure, medical facilities are authorized under HIPAA to disclose source patient test results pursuant to the Ryan White Law and the OSHA Bloodborne Pathogens Standard. Such disclosures are no different than disclosures made to state public health officials pursuant to state notifiable disease laws. In the opening scenario, the DICO should give a copy of this information to the emergency department staff. It's clear that source patient test results are to be released to the DICO.

Confusion has also persisted regarding the role of medical facilities in the sharing of tuberculosis diagnosis information. This issue is important to clarify because the practice of standard precautions does not include the routine procedure of masking the patient for transport with a surgical mask. The rules for bloodborne disease and airborne disease are very different. In November 2005, the Centers for Disease Control and Prevention (CDC) published a document entitled "Controlling Tuberculosis in the United States" that included the following statement:

"HIPAA also recognizes the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to personal health information to conduct their missions and the importance of public health disease reporting by health-care providers. HIPAA permits disclosure of personal health information to public health authorities legally authorized to collect and receive the information for specified public health purposes. Such information may be disclosed without written authorization from the patient. Disclosures required by state and local public health or other laws are also permitted. Thus, HIPAA should not be a barrier to the reporting of suspected and verified TB cases by healthcare providers, including health-care institutions."

In addition, the CDC published updated TB guidelines in December 2005, which OSHA is enforcing. In the guidelines, medical facilities are reminded that "EMS personnel should be included in the follow up contact investigations of patients with infectious TB disease. The Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381) mandates notification of EMS personnel after they have been exposed to a patient with suspected or confirmed infectious TB disease." Here, it's clear that it's the responsibility of the medical facility to notify the DICO directly if there has been an exposure.

Medical facilities refusing to provide this information may not be aware of the Ryan White Law and the exception to providing this information contained in the HIPAA law. The DICO and a member of administration from your department should schedule a meeting with the medical facilities risk manager, head of the emergency department and the infection control practitioner to review this issue. Minutes of the meeting should be taken to document the discussion and the agreed to results. If non-compliance continues or is not agreed to, then OSHA may be called to report this violation and, for exposures involving emergency responders, to Dr. Gomma, who is in charge of the administrative aspects of the Ryan White Law. Dr. Gomma can be reached at 513/841-4337.

Katherine West, BSN, MEd, CIC, is an infection control consultant with Infection Control/Emerging Concepts Inc. Contact West atinfo@ic-ec.com.

James R. Cross, JD, is an attorney who covers regulatory and legislative issues for Control/Emerging Concepts Inc.

Resources

  1. Centers for Disease Control and Prevention: ˙The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.Ó April 2, 2001.
  2. IV. Final Regulatory Impact Analysis, 5U.SC.804(2)- Public Law 104-21.
  3. Occupational Safety and Health Administration: ˙CPL 2-2.69, Compliance Directive, Occupational Exposure to Bloodborne Pathogens.Ó November 27, 2001.
  4. Centers for Disease Control and Prevention, Department of Health and Human Services: ˙Ryan White Comprehensive AIDS Resources Emergency Act; Emergency Response Employees; Notice.Ó Federal Register. March 21, 1994.
  5. Centers for Disease Control and Prevention: ˙Controlling tuberculosis in the United States.Ó MMWR. 54(RR12):1-81, 2005.
  6. Centers for Disease Control and Prevention: ˙Guidelines for preventing the transmission of mycobacterium tuberculosis health-care settings, 2005.Ó MMWR. 54(RR17):1-141, 2005.



Connect: Have a thought or feedback about this? Add your comment now
Related Topics: Health And Safety, PPE and Infection Control

 
What's Your Take? Comment Now ...

Featured Careers & Jobs in EMS





 

Get JEMS in Your Inbox

 

Fire EMS Blogs


Blogger Browser

Today's Featured Posts

 

EMS Airway Clinic

Simulation-Based Assessment Facilitates Learning & Enhances Clinical Judgment

Simulation is an educational tool that can be used to develop and refine clinical skills of the student in a controlled environment before they progress to becoming practicing clinicians.
More >

Multimedia Thumb

Buffalo Medics, Firefighter Keep Working in Crash

Rural Metro medics describe crash that overturned their ambulance.
Watch It >


Multimedia Thumb

Drone Delays Landing of Ohio Medical Helicopter

Miami Valley Hospital incident raises questions over legalities of drones.
Watch It >


Multimedia Thumb

Four Killed in New Mexico Medical Plane Crash

Crash near fairgrounds claims patient and crew of three.
Watch It >


Multimedia Thumb

Texas Ambulance Involved in Crash

Odessa ambulance and car collide during response.
Watch It >


Multimedia Thumb

Building Explosion, Collapse in Paris Suburb

Death toll rises to eight after blast in Rosny-sous-Bois.
More >


Multimedia Thumb

New Mexico Air Ambulance Crash

NTSB investigates crash that killed four.
More >


Multimedia Thumb

Where in the World of EMS is A.J.? Scranton

JEMS Editor-in-Chief visits his hometown of Scranton, Pa.
More >


Multimedia Thumb

VividTrac offered by Vivid Medical - EMS Today 2013

VividTrac, affordable high performance video intubation device.
Watch It >


Multimedia Thumb

The AmbuBus®, Bus Stretcher Conversion Kit - EMS Today 2013

AmbuBus®, Bus Stretcher all-hazards preparedness & response tool
Watch It >


Multimedia Thumb

Braun Ambulances' EZ Door Forward

Helps to create a safer ambulance module.
Watch It >


Multimedia Thumb

Field Bridge Xpress ePCR on iPad, Android, Kindle Fire

Sneak peek of customizable run forms & more.
Watch It >


More Product Videos >