The shutdown of LAFD's Twitter feed earlier today over concerns about possible HIPAA violations has been reversed and the Tweets have resumed. The HIPAA-based shutdown is the second in the past two years for LAFD, and the topic has been covered extensively by Dave Statter.
For my take, let's look at the law (without the hysteria). Get your reading glasses, some coffee, maybe some No-Doz. To assist with this overview I have included a number of sources for folks who need to dig as deep as they need to.
Who does HIPAA apply to: A covered entity.
Who is a covered entity:
- A health care provider that conducts certain transactions in electronic format (billing and the related exchange of health information)
- A health plan
- A health care clearinghouse
So if a fire department provides EMS but does not engage in electronic billing, it is not a covered entity (at least as far as emergency response goes). You may stop reading here if you do not provide EMS or you do not bill electronically. Because a dispatch center is not a health care provider (nor does it bill electronically) it is not a covered entity, although an argument can be made that an in-house dispatch center affiliated with a covered-entity fire department is part of that covered entity.
Here is a chart to help determine if you are a covered entity: CoveredEntitycharts
What kind of information is protected: Let’s look at the definitions:
"(4) HEALTH INFORMATION.–The term 'health information' means any information, whether oral or recorded in any form or medium, that– is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
“(6) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.–The term 'individually identifiable health information' means any information, including demographic information collected from an individual, that–
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”
Here is a copy of HIPAA: hipaastatutepdf
Great... so how does that help? Well, it kind of doesn't, does it. We have to keep digging.
The following is from a US Health & Human Services publication titled SUMMARY OF THE HIPAA PRIVACY RULE, which you can download below:
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”
OK... now we see that a person's address can be individually identifiable health information when it is connected to a past, present or future medical condition. The regulations that implement HIPAA use the term protected health information (PHI) to refer to individually identifiable health information. HIPAA does not prohibit a covered entity from all uses of PHI. As a matter of fact, it expressly allows PHI to be shared in a number of circumstances.
Here is more from the HHS Summary:
"De-Identified Health Information – There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
Permitted Uses and Disclosures – A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make."
Among the permitted uses of PHI that are routinely allowed are:
"Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.
Uses and Disclosures with Opportunity to Agree or Object. Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
Facility Directories. It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. A covered health care provider may rely on an individual's informal permission to list in its facility directory the individual's name, general condition, religious affiliation, and location in the provider's facility. The provider may then disclose the individual's condition and location in the facility to anyone asking for the individual by name, and also may disclose religious affiliation to clergy. Members of the clergy are not required to ask for the individual by name when inquiring about patient religious affiliation.
For Notification and Other Purposes. A covered entity also may rely on an individual's informal permission to disclose to the individual's family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person's involvement in the individual's care or payment for care. This provision, for example, allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. Similarly, a covered entity may rely on an individual's informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual's care of the individual's location, general condition, or death. In addition, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.
Incidental Use and Disclosure. The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as "incident to," an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the "minimum necessary," as required by the Privacy Rule."
So not every use of PHI by a covered entity is restricted by HIPAA. It actually seems like some common-sense flexibility has been written into the interpretations. In particular, the incidental disclosure provision seems quite valuable.
Here is a copy of the HHS Summary: privacysummary
So we are down to brass tacks: When can someone's address be PHI? If we are a covered entity, if the patient's identity is associated with a medical condition (past, present or future), and if the address can be used to identify a particular patient, the address could be PHI. Thus, if we ask a patient for his home address as part of a patient-provider relationship and we in turn release that address to someone in a way that can be associated with that particular patient along with his medical condition (past, present or future), it could be a HIPAA violation. Of course, if the address is "de-identified," or if the address was never associated with a particular patient or medical condition, then it is not PHI.
But our question here really isn't about a patient's identifying address; it is about whether we can Tweet a dispatch address. Is a dispatch address for an EMS emergency, coupled with the nature of the emergency, automatically PHI? How is a dispatch to a certain address associated with a particular patient? Even someone who lives alone at an address could have a visitor.
In the rare instance where somehow a dispatch to a certain address is associated with a particular patient (let's even assume we somehow dispatched the units without using an open radio frequency), doesn't the fact that we arrive on the scene with lights and siren kind of let the proverbial HIPAA cat out of the bag? It's no longer a confidential secret that an ambulance and fire truck have been sent to 123 Main Street. HELLO... all the neighbors were just informed! If we are so concerned about the disclosure of the dispatch address being a HIPAA violation, what, pray tell, do we do about the sirens and red lights? If that is not a HIPAA violation, how can stating the address over the radio, or rebroadcasting it over Twitter, be a violation?
While I do not believe sharing a dispatch address and the generalized nature of an emergency is PHI, let's play this out as if it were. What if we are dispatched to 123 Main Street for a man having chest pains, and the dispatcher even states over the radio that we are looking for Mr. Smith? So now we connect an address with a patient and a medical condition. Would the HIPAA hysterics among us insist it is PHI to the point that we could not ask for Mr. Smith once we arrive, because we would be divulging PHI to whoever answers the door? If we avoid using his name, could we ask if anyone there was having chest pains? Oops, we would be divulging PHI. If we ask for Mr. Smith and there was no Mr. Smith there, did we violate HIPAA by using Mr. Smith's name? Would we violate HIPAA if we went knocking on his neighbors' doors and asked the same questions? Is this discussion absurd? Does this have any connection whatsoever with the reason why Congress enacted HIPAA in the first place? NONE WHATSOEVER!
So I guess I am not seeing how a dispatch address, coupled with a generalized nature of the emergency as part of a Tweet, is PHI. Auto accident, carbon monoxide alarm, house fire, person ill, elevator emergency, confined space rescue... these terms do not come close to what can reasonably be considered PHI. Admittedly, if additional information is added about the patient's medical condition (e.g., 37-year-old HIV-positive male with chest pains) and/or identity (name or other identifying details), either or both could cause us to cross the line. Certainly when it comes to Tweets there is less of a case to be made for a legitimate "incidental disclosure" of PHI compared with medically necessary radio transmissions. Maybe that's the real story here: dispatch has a bit more latitude to use certain medically related details, which can be justified as "necessary for treatment" and even as an "incidental disclosure" under HIPAA, while the Tweets need to steer clear of PHI altogether.
But the fact remains: if information is not PHI, then even a covered entity is within bounds to relay that information using Twitter.
Here is an excellent summary of some of the dispatch issues provided by Steve Wirth & Co. Steve is the best when it comes to these kinds of issues, and this brief overview should help address the remaining thorny HIPAA questions: hipaa_position