I am HIPAA, Hear Me Roar

I’ll bet that at some time in your career you have encountered the HIPAA police. These people tend to cite HIPAA as a reason for virtually everything. One of my pet peeves is the tendency of some people to misinterpret HIPAA or try and use HIPAA to prevent necessary medical and administrative follow-up. There are few things in EMS and emergency medicine that are as misunderstood as HIPAA. In fact, it takes an attorney with no hobby and no social life to really understand this law. It really is that sad. Let’s look at HIPAA and try and dispel some myths and misconceptions.

HIPAA is an acronym for the Health Insurance Portability and Accountability Act. It was enacted in 1996 and was primarily designed to ensure that people who lost their jobs were able to maintain health-care insurance coverage. A provision that was added to HIPAA as an afterthought was the Privacy Rule. This rule, which took effect in 2003, brought strong regulation to the maintenance and release of medical records and personal health information. This is the part of the HIPAA regulations that EMS people are most familiar with. The penalties for HIPAA infractions can be significant. You don’t mess with HIPAA.

So, let’s take a look at HIPAA’s Privacy Rule. Although HIPAA has certainly improved the confidentiality and security of medical records, it has certainly hurt the field of medical research and medical quality improvement (QI). Both medical research and medical QI are dependent upon evaluating certain data typically protected by HIPAA constraints.

Reduced access to medical records for research and medical QI has been frequently reported. As an emergency physician and researcher, I am shocked at the number of times someone in health care misinterprets the HIPAA provisions. Some of this occurs, I’m sure, because people truly do not understand HIPAA. Much of it, I’m afraid, is that people are too lazy or uncaring to do the work. HIPAA has become the equivalent of a law enforcement badge to many health-care workers.

Now, let’s bust some HIPAA myths that pertain to EMS:

Myth: The acronym is HIPPA.
No, the acronym is not HIPPA! I know of few things less accurately used than the HIPAA acronym. It’s HIPAA — not HIPPA!

Myth: HIPAA does not allow EMS personnel to find out if they have been exposed to a dangerous disease.
HIPAA does not prohibit notification of possible disease exposure to EMS personnel. HIPAA regulations state:

Covered entities may disclose protected health information to (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and postmarketing surveillance; (3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law.

Myth: HIPAA does not allow EMS agencies to use a patient’s personal health information for QI and oversight activities.
HIPAA does not prevent selected QI and oversight entities from obtaining information on patients. In addition, it does not require patient consent to obtain protected health information when used for the reasons detailed in the statutes. HIPAA regulations state:

Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.

The statute defines a “health oversight agency” as:
Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

Generally speaking, providers can also use and disclose protected health information (PHI) for QI purposes. However, PHI disclosure is usually limited to the “minimum necessary” information to accomplish the purpose of the disclosure.

Myth: HIPAA rules do not allow EMS personnel to tell law enforcement about criminal activities.
Many EMS personnel believe they cannot tell law enforcement about a crime because of HIPAA constraints. This is not the case, as long as the law is followed. HIPAA regulations state:

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

Myth: Bona fide researchers cannot access medical record information for medical research.
Many believe that EMS research (especially outcome studies) is stymied, because HIPAA regulations do not allow researchers access to protected health information. The truth is that there’s a specific exclusion in HIPAA statutes to allow research as long as specific qualifications are met. HIPAA regulations state:

“Research” is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought. A covered entity also may use or disclose, without an individual’s authorization, a limited data set of protected health information for research purposes.

A “limited data set” is defined as:
A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.

Conclusion
Despite the common misconceptions, there are exclusions and mechanisms in the HIPAA rules to allow research and QI. Thus, do not let the HIPAA police keep your system from necessary QI activities (and research). Now, it’s important to point out that I’m not a lawyer and don’t play one on TV. I didn’t sleep in a Holiday Inn Express last night. These are my interpretations (and what I’ve been told by people with considerably more expertise than I). If you’re facing any of these issues in your EMS system, consult with a HIPAA expert or an attorney. My goal here is to help dispel some of the HIPAA myths. HIPAA should not be a tool used for obstructing medical research, quality improvement or disease exposure notification.
