In the October 17th-19th issue of USA Today, a page one story titled "Medical Privacy Law Creates Wide Confusion" tells the tale of the confusion created by the HIPAA Privacy Rule, with a front-and-center example of how this confusion has led to delays in EMS care. We certainly agree with the theme of the article that HIPAA is confusing and overly complex, and, when wrongly interpreted, may actually hinder the delivery of patient care in ways it was never intended to. The article's key example is the case of an ambulance service in Colorado that was delayed in arriving at the scene of an emergency, reportedly because the crew refused to give the name of the patient to an area resident who knew all the neighbors and where they lived.
This story prompted us to provide this critical reminder to all EMS organizations....when you need to reveal protected health information (PHI) to locate or treat a patient, by all means release the information! Asking someone "do you know where the Smith residence is" or a dispatcher giving a patient name over the radio are not HIPAA violations. When an ambulance can't find a patient, the EMS crew can't treat the patient. And treatment-related disclosures are expressly permitted under HIPAA.
When it comes to dispatch agencies giving patient names over the radio to responding EMS crews, it is important to remember that there are many areas of the country where ambulance services and other public safety agencies need to know the name of the residence in order to find the location. Again, where such information is necessary to find the patient, it is integral to treatment, and its disclosure would, at most, be defined as an "incidental disclosure" when those with scanners overhear the information, and, again, there is no HIPAA violation. The Office of Civil Rights, the government agency which oversees enforcement of the Privacy Rule, addressed these types of issues in written guidance, making it clear that EMS communications did not need to be "encrypted" to prevent the interested citizens from eavesdropping with their scanners and underscoring the fact that incidental disclosures when making treatment-related communications are an inescapable fact of providing patient care and do not result in HIPAA violations.
Further, in many cases, 911 dispatch centers are run by counties or other government agencies that are not even "covered entities" under HIPAA, so they can freely give out patient information necessary for the ambulance crews to not only find the location, but to also provide valuable information about the patient's condition---if they are breathing or not, if there is childbirth in progress, etc. This further underscores that such disclosures are clearly treatment-related, and the regulations don't restrict this exchange to information to the time of patient contact or after it. Treatment-related disclosures may be required before you even get to the patient, so this means that public safety agencies should give information out over the air when that information is needed to find the patient and to assist in treatment.
Many dispatch agencies do not make a practice of transmitting patient names, and often the street address is sufficient to allow the EMS crew to locate the patient. And it may not be necessary to give the name of the residence out over the air on a routine basis. But if an ambulance crew needs the name of the residence to find the location, or any other information, dispatchers should provide such information to them without question. Many EMS responders in rural areas, and even some in not-so-rural areas, may indeed require a name on a mailbox to find the location even when they have the address. The fact is, rural addressing continues to be a challenge in some areas, and some streets still may not even have house numbers. Even ones that do are often not visible from the street, which may prompt the ambulance crew to ask for a name. Ambulance crews should be able to get this information without question from their dispatch center. In our view, people who interpret HIPAA to the contrary are giving bad, and sometimes dangerous, advice.
Unfortunately, the HIPAA Privacy Rule has led to an outcry that a law meant to protect patient privacy has resulted in "overkill" (as USA Today puts it) that can actually result in harm to patients in an emergency. Anyone who has questions about the issues raised in the USA Today article -- or any of the other tough HIPAA issues - should contact legal counsel knowledgeable in this area of the law.
(c) Copyright, 2003, Page, Wolfberg & Wirth, LLC.