Today’s burning question: I work for a fire department as a Firefighter – Paramedic. We have a quality assurance program in place for EMS. The department has EMTs doing quality assurance reviews on medical reports submitted by the Paramedics. In addition, any officer can look at the paperwork whenever they feel like it. My question is, who should be looking at EMS paperwork in regard to HIPAA? We provide a first responder service only and we do not bill for our services.
Answer: Despite all the hysteria surrounding HIPAA, it is probably not your biggest concern. Generally, HIPAA applies to entities that bill electronically for medical services rendered. As such, HIPAA would not apply to your department as a provider. HIPAA may apply to your department as an employer in terms of handling medical information of your employees, but that is an entirely different issue.
The bigger concern that your department has – and the one that seems to get overlooked quite often by Fire & EMS folks – is state medical confidentiality laws. All states have medical confidentiality laws and they pre-date HIPAA by several decades. These state laws place restrictions on medical information that HIPAA was intended to WEAKEN.
Let me say that again so it can sink in: HIPAA weakened state medical confidentiality laws.
HIPAA was enacted because state laws were becoming a nuisance to the big-business of health care – who needed a way to exchange medical information electronically. So Congress stepped in and gave big-business health care companies what they needed: a way around those pesky state laws that restricted who could see what. How they sold the American people on the lie that HIPAA enhanced the protection of their medical information was an acting job that warrants an Academy Award!!!! But I digress…
Back to your question – the concern your department should have is whether it is violating state medical confidentiality laws, not HIPAA. Since you do not do medical billing, HIPAA is not a concern… but state medical confidentiality laws are. Take a look at Rhode Island’s Confidentiality of Health Care Communications and Information Act:
§ 5-37.3-4 Limitations on and permitted disclosures. – (a)(1) Except as provided … a patient’s confidential health care information shall not be released or transferred without the written consent of the patient or his or her authorized representative, on a consent form meeting the requirements of subsection (d) of this section. …
(2) Any person who violates the provisions of this section may be liable for actual and punitive damages.
(3) The court may award a reasonable attorney’s fee at its discretion to the prevailing party in any civil action under this section.
(4) Any person who knowingly and intentionally violates the provisions of this section shall, upon conviction, be fined not more than five thousand ($5,000) dollars for each violation, or imprisoned not more than six (6) months for each violation, or both.
In other words, confidential medical information cannot be released to anyone without the patient’s written consent. There are a number of exceptions including a release to another health care provider as necessary for the patient’s treatment, scientific research, court orders, etc., etc.
Here is another provision of the medical confidentiality law that fire departments and EMS providers need to be particularly cognizant of:
§ 5-37.3-4 (c) Third parties receiving and retaining a patient’s confidential health care information must establish at least the following security procedures:
(1) Limit authorized access to personally identifiable confidential health care information to persons having a “need to know” that information; additional employees or agents may have access to that information which does not contain information from which an individual can be identified;
(2) Identify an individual or individuals who have responsibility for maintaining security procedures for confidential health care information;
(3) Provide a written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of confidential health care information, and of the penalties provided for in this chapter for the unauthorized release, use, or disclosure of this information. The receipt of that statement shall be acknowledged by the employee or agent, who signs and returns the statement to his or her employer or principal, who retains the signed original. The employee or agent shall be furnished with a copy of the signed statement;
(4) Take no disciplinary or punitive action against any employee or agent solely for bringing evidence of violation of this chapter to the attention of any person.
Thus, as the recipient of confidential medical information – and as an entity that retains such information – fire and EMS departments must establish security procedures that limit access to patient medical records to those with a “need to know”. Employees with access to records need to be trained and sign an acknowledgement that meets the requirements of § 5-37.3-4 (c).
So the short answer to your question is – you need to check your state medical confidentiality laws. In RI, a fire or EMS organization needs to have a written policy governing medical records, train personnel in the policy, get a signed acknowledgment from each employee, and limit access to medical records to those with a “need to know”. I would suspect your state has a similar requirement.