HIPAA Rule - Do we know what we need to know

[JPINFV]

We pretty much operate the same way as Ruff. We can only say if they are there or not. The pt can tell the caller all they want to, but we cannot. The problem with something as big and vague as HIPAA is that it is open to interpretation. Our lawyers have decided that it means we cannot notify the police if a pt has been assaulted, etc with certain exceptions such as child abuse or if a knife or gun was involved. We have had a few instances where the police bring someone in and say they are arresting them but will be back in 12 hours when they are sober. We've been told that we cannot notify them once they are sober. If the pt chooses to leave once they are sober we have no grounds to keep them. We are not cops so we cannot detain them against their will at that point, but it is violating their HIPAA rights if we let the police know the pt is ready to go.

....but...

"Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: ... (5) Public Interest and Benefit Activities; ... Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

...

(5) Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes.²⁸ These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context.

...

Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.^34"

Underline added.

It would be interesting to know how your lawyers and the CMS lawyers interpreted the statute differently.

Edited November 10, 2011 by JPINFV

[DFIB]

JPINFV - Upon review my prior response was obtuse. My interest has been resumed by your last post.

Thank you for posting the statutes.

[JPINFV]

JPINFV - Upon review my prior response was obtuse. My interest has been resumed by your last post.

Thank you for posting the statutes.

No worries. I posted those examples in the first one because "treatment, billing, and healthcare operations" is the specific phrase used, but we've all heard or experienced the situations where someone is complaining or concerned about passing on information or getting the sealed envelope that's "for the hospital." Similarly, there's generally at least one person who's surprised that if you don't bill electronically then you don't have to follow HIPAA since you aren't a "covered entity."

Edited November 10, 2011 by JPINFV

[ERDoc]

....but...

Underline added.

It would be interesting to know how your lawyers and the CMS lawyers interpreted the statute differently.

I wish I had an answer JP. I don't make the rules, I just follow them. If the lawyers that make and interpret the policy can't agree how is anyone else supposed to?

[island emt]

No worries. I posted those examples in the first one because "treatment, billing, and healthcare operations" is the specific phrase used, but we've all heard or experienced the situations where someone is complaining or concerned about passing on information or getting the sealed envelope that's "for the hospital." Similarly, there's generally at least one person who's surprised that if you don't bill electronically then you don't have to follow HIPAA since you aren't a "covered entity."

One of the exact points I was trying to make earlier. Many providers have never read the complete law or attended a training session put on by a lawyer to explain the ACTUAL meaning of what is HIPAA. Many still call it hippa and use it to include any and all definitions because they read something on the internet.

Our state did a big roll out of HIPAA ten years ago and the state attorney insisted that" all prehospital providers were covered entities". I then handed her a copy of the rule that shows that a non billing entity is not a covered entity. Hence the new state law was incorrectly written and passed. Didn't make a whole lot of friends in the state office over that one. :-}

[JPINFV]

Two more quick comments in regards to my last post.

1. Electronic billing and ePCRs are not the same thing. If you bill medicare, you bill electronically regardless of if you use paper or ePCR.

2. HIPAA is not the end all, be all of privacy rules. State rules may be cover you regardless of if you are covered under HIPAA and may be more strict with what can or can't be shared and the conditions required to do so. This is another reason why people need to stop using "HIPAA" as meaning "privacy laws."

[ERDoc]

Even the people with the law degrees whose specialty is HIPAA can't agree on it. It's an amazing legal environment we live in.

[Richard B the EMT]

Same with people who ask you about the patients you see in the ambulance. the simplest thing to say is this "I cant tell you that, sorry"

I had a simple line:

"Now I know you wouldn't want me talking of YOUR business to strangers, so don't ask me to tell you of my patient's business."

Most times it worked.

[Chief1C]

Just wanted to add... Thank you for abbreviating HIPAA correctly. Just sayin'.

[HERBIE1]

We pretty much operate the same way as Ruff. We can only say if they are there or not. The pt can tell the caller all they want to, but we cannot. The problem with something as big and vague as HIPAA is that it is open to interpretation. Our lawyers have decided that it means we cannot notify the police if a pt has been assaulted, etc with certain exceptions such as child abuse or if a knife or gun was involved. We have had a few instances where the police bring someone in and say they are arresting them but will be back in 12 hours when they are sober. We've been told that we cannot notify them once they are sober. If the pt chooses to leave once they are sober we have no grounds to keep them. We are not cops so we cannot detain them against their will at that point, but it is violating their HIPAA rights if we let the police know the pt is ready to go.

Interesting. You say the cops will leave someone who is under arrest and come back later for them? Wow. Around here, if the person is in custody, the cops need to baby sit them until they are treated and discharged. If they get admitted to the floor- same thing. They need officers guarding the patient-regardless of the charges against them. Most cops are NOT happy about duty such as that.