Patient Rights and EMS Obligations
One of the most often quoted and frequently misunderstood disputes about patient rights is HIPAA. HIPAA stands for Health Insurance Portability and Accountability Act and is meant to protect a patient’s privacy. The privacy rules of patients apply to healthcare providers, healthcare plans, and businesses involved in the transmission of patient records (such as billing agencies). According to the US Department of Health and Human Services, some of those who are not required to follow strict HIPAA rules and regulations include law enforcement, child protective services, municipal and state agencies, and in some cases school districts, employers, life insurance agencies and court cases.
According to the New York State Office of Mental Health, these are the Basic Principles of the Privacy Rule:
1. The Privacy Rule protects all “protected health information” (PHI), including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements.
2. A major purpose of the Privacy Rule is to define and limit the circumstances under which an individual's PHI may be used or disclosed by covered entities. Generally, a covered entity may not use or disclose PHI to others, except:
a. as the Privacy Rule permits or requires; or
b. as authorized by the person (or personal representative) who is the subject of the health information. A HIPAA-compliant Authorization must contain specific information required by the Privacy Rules.
3. A covered entity must provide individuals (or their personal representatives) with access to their own PHI (unless there are permitted grounds for denial), and must provide an accounting of the disclosures of their PHI to others, upon their request.
4. The Privacy Rule supersedes State law, but State laws which provide greater privacy protections or which give individuals greater access to their own PHI remain in effect.
However there are times when HIPAA falls into unknown territory and critical decisions must be made whether the patient’s privacy or other considerations take priority. COVID-19 has been both an unusual and dangerous health emergency and in March of 2020 a limited HIPAA waiver was issued by the Secretary of the U.S. Department of Health and Human Services. Limited waivers for public health emergencies generally expire within 72-hours unless other potentially life-threatening situations exist. There are currently some grey areas where HIPAA rules must still be applied.
If a patient gives (written) consent, doctors and hospitals may give out some patient info; if a patient is unconscious the patient’s health history may be shared AS NECESSARY in order to provide treatment; and in cases where there may have been public exposure to a life threatening virus, patient information may be shared with necessary agencies. At all times the priority is the patient’s privacy — in other words, share only what is absolutely necessary. Any health practitioner or agency who does share this confidential patient health information can be subject to scrutiny and could be fined and other censure if found that the information shared was done maliciously or carelessly.
Since COVID-19 has been an ongoing problem for several months and is sadly expected to flare again during this winter’s flu season, it is a good idea for all EMS agencies to review HIPAA with their members and exact procedures to follow when privacy rules are in question.