# Patient Privacy Scenario



## FullArrest (Mar 20, 2008)

**SORRY FOR THE LONG POST, BUT THIS WAS A BIT OF A COMPLEX SITUATION**

I work a lot of private events as a means for some extra income.  I have often come across organizations (especially professional level sports organizations) which have their own medical paperwork (entirely risk management tools) that they like hired EMS personnel to fill out. 

These forms always include (at the very least) the patients first and last name and will sometimes include contact information such as address and telephone number.  The forms also request information regarding the incident including description of illness/injury.  

I have never filled out one of these forms and generally advise officials from whichever organization publishes them to have one of their people fill them out as long as the patient directly consents to them and as long as their questioning does not interfere with my care of the patient.  

I recently worked with an EMT with >20 years experience who advised me that filling out these forms is not a violation of HIPAA because the patients are either athletes who have signed releases with the organization or patrons who are on private property.  Furthermore, he stated that since the only demographic information on the forms was the patients first and last name.  

While I see the logic in the first argument, we never saw any such release. As far as patrons on private property, I really don't see how that serves as an exemption.  

Either way, we treated several patients, all of whom my partner filled out the private agency paperwork on despite my protest.  All patients except for one were injured while participating in the event and were subsequently transported to local hospitals.  The final one was sent to an area hospital with severe, sudden onset RLQ pain.  None of these patients were advised that their information would be released to the organization that sponsored the event.

I attempted to talk my partner out of filling out these forms, but he stated that he knew "a lot" about HIPAA and suggested that I read up on it.  I argued with him that after a few years in the emergency department and 7 years  in medical offices, that I was at least fairly well versed and that I felt uncomfortable with him releasing the information.  

He ended up filling out the forms and submitting them to the organization that sponsored the event.  

Am I crazy here, or what?  The situation seemed pretty clear to me, but I figured I would run it by some other people and get some ideas about how others would have handled the situation.


----------



## MedicPrincess (Mar 20, 2008)

It would seem to me that YOU (or your partner) filling them out and providing this information to the facility or oranization that simply sponsors the event, would indeed be a HIPAA violation.  The sponsoring organization would not fall into the need to know for continuing care catagory that is covered by HIPAA.  What sort of continuing care is a sponsoring organization providing?

Now, a representative of the sponsoring organization could come gather that same information from the patient themselves as you suggested.


----------



## firecoins (Mar 20, 2008)

I don't see the problem.  The sponsoring organization is entitled to know the incidents that occur at their events.  HIPPA does not prevent them from knowing about these incidents.


----------



## MedicPrincess (Mar 20, 2008)

The incidents that occur, yes....

The patients personal information....NO.

Just like at your local Wal-Mart....a person codes in the checkout line, slips in the produce aisle, passes out shoe shopping....it is not our responsibility to provide that patients personal information to the store, however they do have the right to know something happened.


----------



## reaper (Mar 20, 2008)

Most places do have the right to the information. The injuries occurred on their property, which means their insurance is liable. 

Do you not provide pt info to the insurance companies that you bill, on a ambulance?

HIPPA provides that the insurance company directly involved with the payment for services, is entitled to the Pt's info.


----------



## Ridryder911 (Mar 20, 2008)

Not a HIPAA violation if does NOT involve billing, maybe privacy act but NOT HIPAA! To be specific, the billing has to be electronically billed to be under HIPAA.  Everyone should really learn the HIPAA Act. 

R/r 911


----------



## firecoins (Mar 20, 2008)

If some organization sponsors an event and specifically an athletic event, the producers are entitled to know WHO got hurt and HOW.  They are liable for these injuries and they have responisiblity of knowing how to prevent such injuries if possible. The sponsors do NOT need to know unrelated medical information.  This is not like someone who just codes in a Walmart for a random unrelated reason.  

HIPPA as rid had pointed out has to do with billing.  You are not violating HIPPA in any such way by informing the sponsors.


----------



## ffemt8978 (Mar 20, 2008)

firecoins said:


> If some organization sponsors an event and specifically an athletic event, the producers are entitled to know WHO got hurt and HOW.  They are liable for these injuries and they have responisiblity of knowing how to prevent such injuries if possible. The sponsors do NOT need to know unrelated medical information.  This is not like someone who just codes in a Walmart for a random unrelated reason.
> 
> HIPPA as rid had pointed out has to do with billing.  You are not violating HIPPA in any such way by informing the sponsors.



SPOT ON POST!  They have a right to know who was injured, their injuries, and their contact information.  They don't need to now the patient's past history, allergies, meds, etc...


----------



## Jon (Mar 20, 2008)

The company where I work that covers events has worked a HUGE bike race for the last few years... we have a separate waiver we have the patients sign that allows us to share our information with the sponsoring organization. We also fill out basic info on the patient on a form for the sponsor... name, rider #, and complaint/treatment. We can do this BECAUSE we have a HIPPA waiver form signed by the paient. No signature, the ride sponsor's staff must get what they can from observing us.


----------



## certguy (Mar 21, 2008)

The sponsors should have the right to the info they need for thier insurance only . Unfortunately , the insurance would need the pt's name , address , phone no. etc. Anything else would be protected . Perhaps thier own risk management folks should be doing the info collecting for the insurance , which would leave your pt. care info non - comprimised .


----------



## Jon (Mar 21, 2008)

When we cover the convention center, the Convention Center Security staff, as well as the event's security staff respond to medical emergencies. Both security companies complete reports on the incident, that way the convention center and the show sponsor have records.


----------



## FullArrest (Mar 21, 2008)

Jon said:


> The company where I work that covers events has worked a HUGE bike race for the last few years... we have a separate waiver we have the patients sign that allows us to share our information with the sponsoring organization. We also fill out basic info on the patient on a form for the sponsor... name, rider #, and complaint/treatment. We can do this BECAUSE we have a HIPPA waiver form signed by the paient. No signature, the ride sponsor's staff must get what they can from observing us.



I really like the idea of having a waiver signed by the patient to release their information.  

Collection of information for risk management purposes really is not the job of EMS professionals and doing so without informed consent surely presents an ethical problem if not a legal one. 

I will see what I can do about getting a waiver drawn up for these types of events.

Thank you to everybody for your feedback.


----------



## reaper (Mar 21, 2008)

The OP stated that they wanted Name, Contact info, and Injury. No Medical hx was asked for.  You can pass on Contact info and hx of present incident.

I see nothing wrong with OP situation, as described.


----------



## FullArrest (Mar 21, 2008)

reaper said:


> The OP stated that they wanted Name, Contact info, and Injury. No Medical hx was asked for.  You can pass on Contact info and hx of present incident.
> 
> I see nothing wrong with OP situation, as described.



Where does it say that we can pass on information regarding a patients contact information and history of present incident?   There are a number of cases I have found in which EMS agencies and individual EMTs have been successfully sued for passing along such information to people not directly involved in the MEDICAL care of the patient.  

Again, the above IS a HIPAA violation.  And yes, I do realize that HIPAA has to do with insurance and that patients have no right to recover damages even if a HIPAA violation occurs. Where HIPAA comes in regarding patient privacy lawsuits (according to risk management at one of my former employers) is that is serves as a documented standard of care by establishing a manner in which documents containing sensitive information can be shared.  Violation of HIPAA standards CAN be brought into civil proceedings as evidence of a violation of the standard of care. 

The bottom line is that filling out medical information on a patient (hx of present illness IS medical information that some patients DO NOT want released to a private entity) on a form for a non-medical entity does NOTHING to serve the patient and is not legally mandated of us.  

Because of the unique nature of private event EMS, I do not mind sharing information with a venue SO LONG AS THE PATIENT GIVES INFORMED CONSENT TO RELEASE SUCH INFORMATION.  To me, it just seems a lot easier to have staff connected to the particular event fill out such paperwork.


----------



## BossyCow (Mar 21, 2008)

firecoins said:


> If some organization sponsors an event and specifically an athletic event, the producers are entitled to know WHO got hurt and HOW.  They are liable for these injuries and they have responisiblity of knowing how to prevent such injuries if possible. The sponsors do NOT need to know unrelated medical information.  This is not like someone who just codes in a Walmart for a random unrelated reason.
> 
> HIPPA as rid had pointed out has to do with billing.  You are not violating HIPPA in any such way by informing the sponsors.



HIPAA not HIPPA. I know this because I just had to have all our MIRs reprinted for this same typo.


----------



## rsdemt (Mar 26, 2008)

*patient confidentiatally question*

I agree with you.
I would tell the people, I am treating , about the form.
And get their permission, to fill it out.
If they refuse, to give the information, I would simply pit something on the form about person refuses to give information.
I would also talk to the organization about the issue, and HIPPA. Maybe they are not as knowledgable about HIPPA, as medical professionals are.
I mean if I can not find out about patients, I transport (offically at least. As we know nurses will tell us, buy that is personal.)  How can you give personal info. to what is really strangers?


----------



## BossyCow (Mar 31, 2008)

One more time folks.. it's  *HIPAA*


----------



## firecoins (Mar 31, 2008)

BossyCow said:


> One more time folks.. it's  *HIPAA*



GET OFF THE TYPOS. Its really annoying.


----------



## skyemt (Apr 1, 2008)

firecoins said:


> GET OFF THE TYPOS. Its really annoying.



seems kind of rude...

it's not a typo, but rather knowing what the acronym is... if you look back through past posts, many mistake it for HIPAA...i was one of them, and was happy to correct myself...


----------



## wolfwyndd (Apr 1, 2008)

HIPAA = Health Insurance Portability Act
I have no idea what HIPPA is.  Just throwin' that out there.

Back to the posts at hand.  I would have to agree that writing down someone's contact information (IE, name, address, phone number) isn't going to violate anything.  A SSN would violate someone's privacy, but nothing to do with HIPAA.  I really don't think writing down someone 'History of PRESENT illness' is going to violate HIPAA either.  And the sponsoring organization will need that information if they are going to cover an illness / injury that occurred during one of their events.  

FullArrest:  I can see your concern for this information, however, based on the information you provided, I don't believe you'd be violating HIPAA for any of the questions you've stated.  However, in that same vein, I'd also be a bit hesitant to fill out that information and give it to some sponsoring adgency's representative.  I'd be much more comfortable if a representative from the sponsoring organization was there to gather that information for themselves with the patient.  Unless they consider YOU the representative from the sponsoring organization since THEY are paying YOU to provide a service.  

But that's only a guess.


----------



## Sapphyre (Apr 1, 2008)

wolfwyndd said:


> HIPAA = Health Insurance Portability Act
> I have no idea what HIPPA is.  Just throwin' that out there.



If it's HIPAA as you say, where's the second A in your expansion?
It's HIPPA = Health Insurance Privacy and Portability Act

As to the rest of this, I once slipped on a puddle of water on the floor at Sears.  Hit the ground hard enough that the seam on my shorts left a line on my thigh, and for the first couple of minutes, the leg was so stunned it wouldn't bear my weight.  (I was maybe 12, and was a thin/short child, not much weight to bear).  The store personnel insisted I fill out their form toe covered to check checked out on their dime, and to cover their arse in case I was seriously injured and the family decided to sue, and make it out to be worse than it was.

Of course, the difference was, it was store personnel who presented the form, not EMS.  I don't know, if you were hired to be the coverage for the event, it kind out sounds like you'd be billing the event company, and as such, them being the payer, it's information they want/need to know.


----------



## wolfwyndd (Apr 1, 2008)

Sapphyre said:


> If it's HIPAA as you say, where's the second A in your expansion?
> It's HIPPA = Health Insurance Privacy and Portability Act


Sorry, my bad.  Health Insurance Portability and Accountability Act. 

Although this does bring up an important point.  We're all medical professionals and even we can't get it right.


----------



## BossyCow (Apr 2, 2008)

firecoins said:


> GET OFF THE TYPOS. Its really annoying.



Whether or not I annoy you has nothing to do with the thread.. please stay on topic.

I just had to have MIR's reprinted because of this typo. HIPAA is a regulation that we need to follow, we should be able to spell it correctly


----------



## paramedix (Apr 4, 2008)

Wow, reading all the posts, I really wish our personnel would be so protective over patient confidentiality.

Bit off the discussion... what happens when you have two or more patients in your rig and you do a SAMPLE or obtain other info from each patient. Isn't that a bit awkward blaring your patients condition out to a stranger - provided the other patients are unrelated to yours...

It happens here all the time. More than one patient in a rig and you have to get the details done... you need to ask.

When we attend events or major events we are obliged to divulge information of injuries that occurred on the premises of the event during the event.

This information only consists of:
1: Time & Place
2: Nature of Injury & MOI
3: Tx to Hospital YES/NO
4: Ref Number

No other details are submitted and we never had any comebacks, unless a liability claim was brought forward and then we have to release the details according to the Ref Number. The organizers usually keep this basic record for future improvements/stats and logging.


----------



## karaya (May 3, 2008)

The part time private employer of the event such as a concert or sporting event is most likely not a covered entity as defined in HIPAA rules.  Since the employer does not submit medical claims electronically they would not be considered a covered entity and therefore you would not need to comply with HIPAA.

The responding EMS provider most likely is a covered entity and their medics would need to comply with HIPAA.

HIPAA definition of covered entity is very clear as to who and what it applies to.  A lot of paramedics and EMT's are under the false impression that HIPAA applies to them no matter where they work and that is simply not true.  For instance, if a fire department runs ALS pumpers and yet provides no transport services with electronic billing then they are not a covered entity and HIPAA does not apply to them even though they staff EMT's and paramedics.

Hope this helps to clear things up.

Ray


----------



## JPINFV (May 4, 2008)

http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf

Page 3 has a 2 step flowchart that tells you if you are a covered entity. As have been said before, if the event is not billing for medical services, then you are required under terms of your employment (insubordination is an offense that can lead to termination) to release your patients information to your superiors. 

BTW, karaya, welcome to the boards and if I am reading your avatar correctly, stop stealing my bodily fluids.


----------



## karaya (May 4, 2008)

JPINFV said:


> BTW, karaya, welcome to the boards and if I am reading your avatar correctly, stop stealing my bodily fluids.



You are correct sir!  Thanks for the welcome!

Ray


----------



## LIFEGUARDAVIDAS (May 9, 2008)

>Question to FullArrest (original poster): 

You wrote: "I work a lot of private events as a means for some extra income. I have often come across organizations (especially professional level sports organizations) which have their own medical paperwork (entirely risk management tools) that they *like* hired EMS personnel to fill out."  

When you say "like" what do you exactly mean? Does your contract / work agreement with the event Organization cover this?  -I mean, is one of your responsibilities / is it among your duties to fill their own paperwork? / -Is it mentioned in the job description? 


>Question to any of the replyers:

Let's say (hypothetically) it is an HIPAA violation, and (according to the contract / work agreement) it is one of the responsibilities of EMS personnel hired for the event. 

If the patient files a complaint and starts legal actions, who would be the accused party? (The EMT hired for the event, the Organization hiring him, both?).

If the EMT was hired by the event Organization through an event services company, could the latter be sued too? 




Guri


----------



## karaya (May 9, 2008)

The patient could file a complaint with the OCR in which the OCR could take the issue up with the covered entity and the individual.  However, HIPAA does not allow for private suit from the patient directly related to HIPAA.  All the patient is allowed to do under HIPAA is file the complaint.

State laws may provide a course for the patient to take private suit against the entity and or individual; most likely a violation of a state privacy tort.


----------

