HIPAA Violation?

thatSPIKYflip

Forum Probie
What constitutes a HIPAA violation? Giving away specific identifying information? I am writing a paper for class and would like to know if I can use a situation I encountered while riding the ambulance. Obviously, I would not give out names, but I want to provide details of the situation. There is little possibility that my teacher would know the patient.

Any help?
 

JPINFV

Gadfly
Seeing that you're in NJ, does the company that rode along with bill for services?
 

JPINFV

Gadfly
The reason I asked is because only services that bill electronically (i.e. everyone who bills Medicare) have to follow HIPAA. That is the definition of a covered health care provider. Of course at the same time, local and state laws may apply in addition to HIPAA.

That said, as long as someone reading it can't identify the patient then you should be ok. It's very easy to tell a story and either change information that isn't pertinent to the case or just not provide identifying information (name, basic description, etc.) when writing up a case study. So, "cardiac patient on floor 4" can be bad in the hospital (hence all of the signs in the elevators), whereas "we dropped the patient off on the 4th floor" 2 months after the event in a report to your instructor is ok.
 

thatSPIKYflip

Forum Probie
Thank you for your help. Just to add, the incident occurred some time ago, probably around four months ago, so according to what you say, I should be fine. Thanks once again!
 

JPINFV

Gadfly
Just don't be going out giving the name or enough information to make a sketch off of. In general, you shouldn't get any more identifiable than "Patient was a 34 y/o M..." etc. Heck, if you're really concerned, you could even fudge the age a few years either way.
 

spinnakr

Forum Lieutenant
The reason I asked is because only services that bill electronically (i.e. everyone who bills Medicare) have to follow HIPAA.

Are you 100% sure that's correct? I've been informed otherwise.
EDIT: Having just checked Wikipedia, this is not entirely reliable. There is one specific part that applies only to electronic information; however, the "privacy rule" applies to ALL "Protected Patient Information" - both paper and electronic.

Additionally, attaching a name to a patient treatment, outcome, or other information, is generally considered a breach of confidentiality, regardless of its legality under HIPAA.
 

Shishkabob

Forum Chief
Don't confuse patient confidentiality laws with HIPAA laws. They are 2 different things.
 

JPINFV

Gadfly
Are you 100% sure that's correct? I've been informed otherwise.

http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf

Alternatively,

The Privacy and Security Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule.

...

A health care provider...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

Edit:

Center for Medicare and Medicaid Services (CMS) website trumps anything on Wikipedia.
 

rforsythe

Forum Probie
Are you 100% sure that's correct? I've been informed otherwise.
EDIT: Having just checked Wikipedia, this is not entirely reliable. There is one specific part that applies only to electronic information; however, the "privacy rule" applies to ALL "Protected Patient Information" - both paper and electronic.

Additionally, attaching a name to a patient treatment, outcome, or other information, is generally considered a breach of confidentiality, regardless of its legality under HIPAA.

Consult HHS's site for actual wording if you're curious:
http://www.cms.hhs.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp
and http://www.cms.hhs.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp (grab the PDF from that page)

The HIPAA privacy rule only applies to covered entities, which means in some cases it may not matter as far as HIPAA is concerned. That said, I don't know many (any?) establishments that do not bill electronically, so it generally applies everywhere.

You're correct on the last part as well. Pts have a reasonable expectation of privacy which has been well established at this point, so releasing identifying information to anyone not involved in their care (including insurance co's who pay for it, etc.) is considered a violation of privacy.
 

JPINFV

Gadfly
You're correct on the last part as well. Pts have a reasonable expectation of privacy which has been well established at this point, so releasing identifying information to anyone not involved in their care (including insurance co's who pay for it, etc.) is considered a violation of privacy.

...but there lies the problem. Instead of arguing that health care providers shouldn't release patient information based on ethics, people instead like to throw around HIPAA like it's some crazy entity that will eat your children if you even accidentally slip (e.g. incidental exposures do not constitute a breach of HIPAA). HIPAA isn't the end all, be all of privacy concerns, whether looking at it from an ethical standpoint or a legal standpoint.
 

ExpatMedic0

MS, NRP
Is it only the patient identifying information such as name, age, address, etc.? Sometimes I have bystanders and friends or coworkers ask me about what happened to the patient or what I did for them. I normally tell them I can't share that due to patient privacy and use HIPAA as my example.
 

JPINFV

Gadfly
Warning: IANAL


If the patient is identified, then legally speaking you shouldn't talk about it without reason (handing off care, QA/QI, etc). Of course there's a fair amount of shop talk that goes on in any field, so a big question is "why are they asking." If it's "hey, you treated my friend John Doe right? Yea, I'm just curious, what happened" is, in reality, different than an EMS coworker asking, "So what happened with John Doe, the frequent flyer, last night?" or "Yea, I took John Doe (regular dialysis patient) to the ER last night." Arguably all 3 are privacy violations, however the intent and actual outcome of the first one is drastically different than the outcome of the 2nd two.
 

spinnakr

Forum Lieutenant
Repeated warning: IANAL! (Good call)

@Linuss: that was precisely my point. It doesn't much matter in this case, because ignoring HIPAA, confidentiality laws are still applicable.

As far as the applicability of HIPAA is concerned: I realize that the first category of "covered entity" requires electronic billing; however, the definitions for a "health plan" are far wider, and presuming an individual has insurance, probably falls under that category. However, I can't say I read very thoroughly, so I don't know if this only applies to the plan itself, or the care of a person with that plan. And for the record, I GREATLY appreciate those links, and that's exactly why I asked if you were sure.

I think the confusion with Wikipedia is likely because data storage and electronic billing are two completely unrelated phenomena: a covered health care provider who bills electronically doubtless has paper records, and HIPAA applies to the paper records too. So in other words, shame on me for reading too quickly.

@JPINFV: You raise an excellent point - far too many people wave around HIPAA like it's some kind of boomstick. Unfortunately, this includes a massive number of healthcare administrators - which can and has ended up in (particularly nurses) being fired for relatively trivial, accidental breaches of HIPAA (such as "wrongful" disclosure of information to family members).

At any rate, I think we can agree: giving any information related to the treatment of a patient that contains identifying information to anyone who isn't directly involved in care is technically a violation of both patient confidentiality and HIPAA. Yes?

And now, I REALLY should get back to studying for this damn midterm.
 