New Guidance for HIPAA Compliance: Some Questions Answered
The United States Department of Health and Human Services, Office of Civil Rights (OCR) has been charged with enforcement of the HIPAA privacy regulations. Commonly referred to as the Privacy Rule, the regulations go online for enforcement beginning April 14, 2003. On December 3, 2002, the OCR released much needed additional guidance on how it expects health care providers and other covered entities to implement the Privacy Rule established as part of the Health Insurance Portability and Accountability Act of 1996. This is Part One of a two-part series designed to cover this new guidance, as well as other common issues for ambulance services that have developed under the Privacy Rule.
The document, titled “Standards for Privacy of Individually Identifiable Health Information” (the “Guidance”) and available at www.hhs.gov/ocr/hipaa/privacy.html, provides new information on several key areas of the Privacy Rule that directly relate to ambulance service providers. That is good news. In fact, the word “ambulance” actually appears four times and the phrase “emergency medical provider” appears a number of times as well!
For the first time, the HIPAA Privacy Rule creates national standards to protect patient medical records and other personal health information. OCR gives some very good commonsense reasons behind what the Privacy Rule is intended to do, and an excellent summary of what it means for patients. There was a need for this guidance, as it is unfortunate that many commonsense notions about patient privacy and the use and disclosure of patient information took on an almost amoeba-like form with the Privacy Rule. There are literally hundreds of pages of regulation, preamble to regulation, questions and answers, and materials from the federal government on what should have amounted to an easy-to-administer regulation. Phrases and acronyms like “PHI,” “NPP,” “designated record sets,” “role based access,” and “business associates” now take on a unique meaning with many definitional twists.
Last Modified: December 2014
The OCR Guidance
Bringing it back to basics, the OCR reminds us that the Privacy Rule was intended to:
• Give patients more control over their health information
• Set boundaries on the use and release of health records
• Establish appropriate safeguards that health care providers and others must achieve to protect the privacy of health information
• Hold violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights
• Strike a balance when public responsibility supports disclosure of some forms of data—for example, to protect public health
For patients, the OCR points out that among the benefits of the Privacy Rule is that patients are “able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.” Here is what the Privacy Rule does for patients:
• Enables patients to find out how their information may be used, and about certain disclosures of their information that have been made
• Limits release of information to the minimum reasonably needed for the purpose of the disclosure (except when treating a patient)
• Gives patients the right to examine and obtain a copy of their own health records and request corrections
• Empowers individuals to control certain uses and disclosures of their health information
The newly updated Guidance is broken down into major subject sections, each with a set of answers to frequently asked questions at the end of the section, and a short description of what is required by health care providers and other entities to meet the requirements of that section of the privacy standard. Some of the Guidance is similar to the version issued by HHS in July 2001, but it has been totally revised to address many of the top privacy compliance issues that have recently arisen.
Two key points of the Guidance for ambulance providers
1. Direct disclosure of PHI by health care facilities to ambulance services and their business associates is clearly permitted.
Overreaction to HIPAA has caused some health care facilities to refuse to release patient information to the very ambulance service that just brought the patient to the hospital. They have even refused to release this information, necessary for billing, to the ambulance service’s contracted billing company. But this view is overly conservative, and the Guidance makes clear that both of these types of disclosures are permitted by the Privacy Rule: “A covered entity may disclose protected health information to another covered entity or a health care provider (including providers not covered by the Privacy Rule) for the payment activities of the entity that receives the information.” The Guidance provides this specific example:
A hospital emergency department may give a patient’s payment information to an ambulance service provider that transported the patient to the hospital in order for the ambulance provider to bill for its treatment services. (Guidance, page 56)
Business associates are entities that use, create, or disclose PHI on behalf of a covered entity, such as an ambulance service. Typical business associates of an ambulance service include billing companies, consultants, and lawyers that have access to PHI (such as during a Medicare claims audit).
A common question is whether a hospital is permitted to release PHI directly to the ambulance service’s billing company, rather than to the ambulance service itself. Again, the Guidance specifically answers the question with a “yes”:
Q: May a covered entity share protected health information directly with another covered entity’s business associate? A: Yes. If the HIPAA Privacy Rule permits a covered entity to share protected health information with another covered entity, the covered entity is permitted to make the disclosure directly to a business associate acting on behalf of that other covered entity. (Guidance, page 47)
Thus, a health care facility is permitted to disclose PHI to the ambulance service for treatment and payment purposes, and, because the billing company is a “business associate” (BA) of the ambulance service, the facility may disclose that same information directly to the ambulance billing company.
EMS LAW TIP: Now is the time to identify your business associates, contact them, and execute business associate agreements with each one. It need not be complicated, and several sample BA agreements are included in “The Ambulance Service Guide to HIPAA Compliance” available to order at www.pwwemslaw.com, which contains more than 30 model policies and forms that can easily be adapted to your organization. Other health care providers, like hospitals or nursing facilities, may require documentation of the business associate agreement between your ambulance service and your billing company. You should provide copies of those agreements to the facilities that request them.
Also, if a hospital is giving you a hard time about releasing PHI to you or your billing company for billing purposes, send them a letter outlining these points with reference to the OCR Guidance. Sometimes this will work. Sometimes it won’t. Keep in mind that when it comes to disclosure of PHI—other than that needed for treatment of the patient—the hospital should limit the PHI it gives you to the minimum amount necessary to accomplish the ambulance billing process. But since documentation of medical necessity for ambulance service under Medicare rules may include patient diagnosis, condition, and treatment being performed in the hospital, a fairly broad range of PHI should be available to you if you need it to support the submission of the claim, as this information may be necessary for proper billing purposes.
2. Disclosures of PHI by phone, radio, or other “med patch” to the hospital are permitted as an incidental disclosure not requiring special security measures.
The Privacy Rule permits certain incidental uses and disclosures that occur as a byproduct of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR 164.502(a)(1)(iii). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted by the Rule.
The Guidance points out that the Privacy Rule “is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care.”
We believe that this includes, as incidental disclosures, radio communication to the hospital, including communications by cell phone or landlines. Supporting this conclusion are the OCR’s specific comments about health care providers sharing information by telephone, as well as the pointed statement that radio communication need not be encrypted:
Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member. (Guidance, page 14)
The Privacy Rule does not require the encryption of wireless or other emergency medical radio communications which can be intercepted by scanners. (Guidance, page 15)
EMS LAW TIP: Some commonsense security measures should be brought to bear to deal with these issues. For example, the name of the patient should generally not be given over the air unless it is necessary for gaining access to the patient or for treatment of the patient, such as in the case in which the patient had just been seen in the ED earlier in the day, and the name of the patient would be important for treatment purposes upon arrival at the hospital. A “no patient names” policy is usually the norm in radio etiquette anyway, so not much needs to change here except a greater sensitivity to the issue and an alertness as to who is near you when you are talking on the phone or radio about a patient. Never sacrifice the immediate care of the emergent patient because of excessive concerns over patient privacy. This is a key point: HIPAA does not change this!