HIPAA Focus: Patient Care Reports

By Mike McEvoy, Ph.D., RN, CCRN, REMT-P, and Paul Gillan, JD, EMT-B

HIPAA has many different meanings depending on where in the health care spectrum you work. For street-level fire/EMS personnel, HIPAA ordinarily pertains to what you say and what you write. The patient care report (PCR) is the principal fire/EMS record containing written patient Protected Health Information (PHI). Assessing how departments create, use, and store PCRs can be a good indicator of that organization’s compliance with HIPAA.

In this month’s HIPAA Focus, we take a cradle-to-grave look at PCR practices and suggest some best practices for meeting HIPAA’s privacy standards.

Right from the Start
For most fire/EMS services, the EMTs providing patient care will generate the majority of PCRs. The means by which EMTs acquire and record patient information should be private. This is especially imperative in public places such as shopping centers and offices where others are frequently within earshot and full viewing range of you, your records, and the patient. Make your best effort to collect and record information as privately as possible. This might require dispersing crowds or moving your patient to the ambulance to afford privacy as well as shielding your recorded information from prying eyes at an emergency scene. Do not, however, compromise patient care in the interest of privacy.

HIPAA also poses no barriers to collecting information from others for purposes of patient care. Indeed, bystanders and family members often have valuable and certainly pertinent information about the patient or circumstances that you need to provide proper care. By all means, get the information you need from whatever sources are available. In the process of obtaining information, be careful not to unnecessarily reveal private information about the patient. We emphasize “unnecessarily” because there are circumstances in which it may be necessary to reveal protected information to provide treatment to the patient. These include instances we have mentioned in previous HIPAA Focus articles such as giving a patient name to a neighbor who could then direct you to the proper residence.

One common practice potentially fraught with conflict involves “ride-alongs.” Many fire/EMS agencies allow public officials, media, and other observers to accompany ambulances and medic units. The public relations and political benefits of allowing observers to accompany fire/EMS must be weighed against the potential exposure resulting from a HIPAA violation. It is difficult to craft a ride-along program that fully complies with HIPAA, and the limitations on the observer’s use of the information often make it more trouble for them than it’s worth. At an absolute minimum, riders should receive a HIPAA briefing and sign a confidentiality statement. Any protected information the observer (such as a reporter) might wish to disclose must have appropriate authorization from the patient.

Do not overlook PCRs that come to your service through other means, such as transfers, intercepts, or nontransporting first responders. Developing policies and procedures to protect these patient records is just as important as protecting the records created by your service’s own providers.

Patient and Paperwork Handoff
Standard of care dictates that verbal and written reports be provided when transferring care of a patient to another health care provider. Patient privacy should be respected in both of these exchanges as well. For written reports, this means being certain that your record is placed into the proper hands and not left accessible to persons uninvolved in care and treatment of your patient. For example, do not leave your PCR in a common room frequented by EMTs from other services while you are restocking.


Where You Go, Your Records Go
Once a call is over, there must be a secure process for getting a PCR from the EMS unit to the service’s administrative offices. For certain, the PCR travels many places in between. A not uncommon practice is to accumulate PCRs in the unit clipboard until returning to station or ending a tour of duty. Some departments allow PCRs to pool in ready rooms, communication rooms, or administrative staff areas that are open to anyone.

Storing PCRs in anything other than a secure box, even temporarily, is a dangerous practice that should end. Ideally, PCRs will go directly from the authoring EMS provider into a private, secure administrative receptacle immediately after the call. It is acceptable for a crew to accumulate PCRs inside a clipboard, out of view of a casual observer, over the course of a shift, as long as access is limited to that crew. All PCRs should be moved to the secure box at the end of the shift so that providers coming on duty or using the unit for response to other calls cannot access patient records.

Billing and Reimbursement
Many fire/EMS services outsource their billing and reimbursement and may photocopy PCRs to send off to their billing services. Make certain your billing service is covered by a business associate (BA) agreement. (Keep in mind that the billing service is YOUR business associate, NOT the other way around!) For the most part, the billing service needs to see the entire PCR to properly determine how the call should be categorized and who should be billed, so ordinarily copies do not need to be redacted. However, billing and reimbursement are subject to the “minimum necessary” rule, which means that you can only disclose the minimum amount of information necessary to accomplish the task. If the PCR contains sensitive patient information that does not relate to billing, that information should be taken out. For example, if your service picks up a patient who is HIV positive, information about the patient’s status should be redacted from billing copies unless it impacted the care you provided.

Use common sense when assessing your transmission means. Faxing to a nonsecure receiving machine (such as one that might be located in a common area) is not advised. If you are not sure, ask questions. Keep in mind that your service is responsible for lapses in patient privacy, even if your billing service is the one that goofed!


Quality Improvement
Some fire/EMS services satisfy quality improvement mandates by parceling out PCR reviews to other employees or volunteer members. There are a few HIPAA aspects to consider as part of this process.

QI is part of “health care operations,” so access to records for this purpose does not need to be logged and does not need to be included on any audit of records disclosures. However, QI is subject to the “minimum necessary” standard. Therefore, only the minimum amount of information necessary to conduct QI on the call should be disclosed. That means that copies must be redacted of all nonessential information, such as the patient’s name and address. [1]

Data Entry
Many fire/EMS services key data from paper PCRs into a computer system for administrative tracking purposes. This may involve a data entry clerk different from billing and reimbursement personnel. This type of use would fall in the category of “health care operations” and is subject to the minimum necessary rule.

Additionally, some services outsource this function. If so, be sure your outside vendor is covered by a BA agreement and that only the data fields that are to be keyed in are made available.

Storage and Retrieval
Secure storage of PCRs is essential at all times. It is not necessary to keep PCRs in a fireproof safe, but reasonable precautions must be taken to protect the records. At minimum, lock boxes should be used to secure PCRs in stations and offices.

Watch Out for Copies
Copies of PCRs are often provided to other health care personnel for the purposes of treatment, and HIPAA freely allows this practice without restrictions. Other copies may require patient authorization. For example, services contracted for EMS coverage at special events may be asked by the event promoter to provide copies of PCRs for risk management or loss control purposes. Such a release would require patient authorization in most cases. The same is often true for police agencies, courts, and investigative agencies. In fact, many state laws supersede HIPAA with much more stringent requirements for such releases.

Keep in mind, also, that many state PCR forms are preprinted in duplicate or triplicate and the additional copies are put to some other use. In New York, for example, state-sanctioned PCR forms are created in triplicate. One of the triplicate forms becomes part of the patient’s hospital record. Another is submitted to a regional EMS program agency in compliance with a statewide prehospital care report collection program. The PCRs are proofed by the program agencies and then sent to the state, where certain information from the forms is used to create a statewide call database.

Fire/EMS services should know exactly what happens to their duplicate forms including, for example, knowing which data fields are required for compliance with state reporting requirements and which are not. Assess whether the actions taken with respect to those duplicate forms are permissible under HIPAA and whether any additional standards must be met, such as developing a business associate agreement or obtaining a patient authorization. Do not assume that current practices with respect to duplicate copies are either permissible or compliant.

Recognition and Public Relations
Meaningful positive results such as delivery of newborns and cardiac arrest reversals often prompt departments to publicly recognize the lifesaving actions of their members. Not uncommonly, pictures and details about patients are released to the media or posted on department Web sites. In all such instances, the department should obtain a signed release from the patient prior to the publicity. Be aware of more stringent state laws on this topic as well.

Records Destruction
Records containing PHI, including PCRs, should be destroyed in accordance with your service’s document retention schedule. Retaining documents for longer than the required period is not advised. (If your service does not have a document retention policy, it should develop one with the appropriate input from industry and legal experts.)

If your service uses a vendor for document destruction, consider whether the vendor is a business associate. If the vendor could access the information (even if the vendor is prohibited by contract from accessing the information), a business associate agreement should be in place to protect the service.

Summary
Patient care documentation must be protected from cradle to grave. This means affording privacy during the patient interview all the way to protecting your finished reports from prying eyes while you take a meal break, and then some. Knowing what HIPAA and your state laws require will help to ensure that you provide the best possible privacy protection for your patients and their medical information.

Above all, if you are unsure whether your service’s practices meet the HIPAA privacy standards, ASK a knowledgeable professional. Do not rely on what a neighboring service does, on lay advice, or on assurances given by vendors.

References
[1] Note that the PCR need not and probably should not be “de-identified.” De-identification would strip so many elements from the record (such as patient age) as to diminish the record’s value for QI purposes.

Mike McEvoy, Ph.D., RN, CCRN, REMT-P, is the EMS coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in New York. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for the West Crescent (NY) Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS director on the Board of the New York State Association of Fire Chiefs.

Paul Gillan, JD, EMT-B, is a senior associate attorney with the regional law firm Iseman, Cunningham, Riester & Hyde, LLP, in Albany, New York, and is admitted to practice law in New York, Maryland, and Vermont. An active EMT, he devotes a substantial portion of his practice to representation of fire and EMS services, EMS councils, and individual EMTs.
