HIPAA Focus: HIPAA Myths, HIPAA Facts

By Mike McEvoy, Ph.D., RN, CCRN, REMT-P, and Paul Gillan, JD, EMT-B

The better part of a year has passed since the April 14, 2003, HIPAA compliance deadline. Surprisingly, little has been done to address some very common misperceptions and misunderstandings about HIPAA. Some myths have acquired the influence of urban legends and managed to overshadow HIPAA facts. This article explores seven common HIPAA myths and the real facts that underlie them.

Myth #1: Hospital HIPAA Is Good Enough for Me
An incredibly common HIPAA implementation strategy is for fire/EMS services to merely borrow forms and notices from a local hospital, change the name on the forms, and declare themselves HIPAA compliant.

Using a hospital model as a starting point for your own policy or form can sometimes be a good idea, but it can just as easily lead to trouble. As we have mentioned in previous HIPAA Focus articles, hospital operations differ from EMS in very significant ways. A Notice of Privacy Practices referring to the EMS service’s radiology department or on-site pharmacy (yes, we have seen them) is a clear indicator that compliance efforts were mediocre at best.

Moreover, stock forms and policy templates don’t even come close to a total HIPAA implementation package. Old policies need review to determine whether they are affected by HIPAA, and operational changes must be made. Most importantly, your agency must develop a “culture of confidentiality,” and that will never happen just by borrowing someone else’s forms and putting them in your response vehicles. The same concept applies equally to wholesale pilfering of a neighboring fire/EMS service’s HIPAA compliance plan.

Myth #2: One HIPAA Slip Will Land You in Jail
Lawyers and consultants sometimes use the spectre of jail time for HIPAA violations as a way of prying big dollars from the hands of frightened fire/EMS services.

It is absolutely true that HIPAA violations can lead to jail time. That penalty, however, is reserved for those who “knowingly” make disclosures in violation of HIPAA. “Knowingly” means different things in different federal jurisdictions and, in some cases, requires that the person have actual knowledge of the law as well as a specific intent to break it. So while jail time for HIPAA violations is not out of the question, the risk of jail time for HIPAA violations should be kept in perspective.

The more likely enforcement scenario is the imposition of a penalty, which begins at $100 per violation with a requirement that the violation be remedied. The penalty for low-level violations is capped at $25,000 per year, so your service is not likely to face financial ruin even from a slew of HIPAA violations.

Early reports indicate that the HHS Office of Civil Rights (OCR), the federal agency responsible for administering HIPAA privacy rules, is not dropping the boom on unsuspecting violators. Instead, its focus appears to be one of getting covered entities into voluntary HIPAA compliance.

Myth #3: All I Need Is Billing Service HIPAA
Ensuring that your billing service is HIPAA compliant when processing claims and reimbursement on your behalf is a critical component of a compliance plan. It is, however, impossible for your billing service to do everything necessary for your fire/EMS service to become fully HIPAA compliant. Do not be misled by ads for electronic clearinghouses such as this one:

Filing your claims electronically CAN AUTOMATICALLY keep you in COMPLIANCE with HIPAA REGULATIONS, AS WELL AS STATE AND FEDERAL GUIDELINES.

This claim is only a partial truth. Your fire/EMS service might (and note that it is only a possibility) comply with the transactional standards by submitting claims through a clearinghouse. Privacy compliance (and soon, too, security compliance) are entirely separate matters. The mere use of an electronic clearinghouse does nothing for your service’s HIPAA privacy compliance.

Myth #4: Dispatch Services Don’t Do HIPAA
It’s true that some dispatch services are not required to comply with HIPAA. It is not true that dispatch is categorically exempt from HIPAA.

To determine whether dispatch must be HIPAA compliant, ask first whether the dispatch is a “covered entity.” Fire/EMS services that self-dispatch are the most likely to be covered entities, and their dispatch operations must comply with HIPAA just like any other part of their operations.

Dispatch services that are genuine municipal or government services are not likely to be covered because they are not likely to engage in any of the covered transactions. However, if the dispatch service conducts dispatch on behalf of a covered entity, the dispatch may be a business associate and may have to comply with the covered entity’s rules governing confidentiality of PHI.

Determining where a particular dispatch service falls requires expert knowledge of state and local law, together with a thorough understanding of the history of dispatch in that particular locale. Blanket statements about whether or not dispatch falls under HIPAA are virtually worthless: There are more exceptions than fit the rule.

CE, BA, or otherwise, keep in mind also that the vast majority of information generated in EMS dispatching operations is needed to deliver treatment to the patient. As such, disclosure of any information helpful in expeditiously dispatching and directing resources to the patient is generally allowed under HIPAA. This means that addresses, patient complaints, and even names may at times (depending on the specifics of the locality) be perfectly acceptable to transmit by radio, phone, or electronic format. Likewise, EMS providers having difficulty locating a caller’s residence would be justified in revealing the patient’s name to an inquisitive neighbor familiar with the area. When it comes to treatment, HIPAA¹ permits any and all disclosures necessary to facilitate prompt and proper care.

Myth #5: Patients Can Sue for HIPAA Violations
HIPAA itself provides no private right of action to patients. If a patient suffers as a result of a HIPAA violation, the remedy outlined in HIPAA is a complaint either to the covered entity or to the appropriate federal authority (the Office of Civil Rights). OCR can, in turn, impose penalties, but the person who complained would not share in the penalty or get any other kind of financial reward for complaining.

What HIPAA does do, however, is create an industrywide “standard of care” for how patient information must be treated and safeguarded. If a patient sued for breach of privacy, the HIPAA standards would likely be relied on as evidence of what the fire/EMS service should have done to protect the patient’s privacy.

Understanding your exposure to liability for such a lawsuit requires an understanding of state privacy laws (if any) and how your state courts have historically treated invasion of privacy lawsuits. Some states will be more receptive than others to the use of HIPAA standards as evidence for a national standard of care.

Myth #6: “Minimum Necessary” Affects Run Sheets and Limits Reports to ED Staff
The standard of care for transfer of patient care from prehospital to hospital requires both an oral report to the receiving hospital staff and submission of a written patient care report. Some fire/EMS services are concerned that HIPAA requires them to edit run sheets or leave elements out of oral reports for fear of violating the minimum necessary rule.

The minimum necessary rule is a crucial factor in examining your service’s reimbursement process and administrative operations. In these areas, HIPAA prevents you from providing more information than is necessary to accomplish the purpose of the disclosure. For example, if you are billing for one call, you provide information only about that call and only what is necessary for the payer to make a determination on payment of the claim.

The minimum necessary rule does not apply to treatment, so both patient care reports and oral reports to other EMS providers and receiving hospital staff can be made confidently with full disclosure.

Myth #7: HIPAA Spells the End of Faxes and E-Mails
Faxes and e-mails have tremendously expedited the exchange of medical information. The formatting requirements for electronic transmission of records spelled out in HIPAA are nothing short of complex. While these were primarily intended to assure the confidentiality of information transmitted to and between billing services and payment centers, those unfamiliar with this aspect of the health care industry often misconstrue these HIPAA requirements as having been intended for faxing and e-mails. Faxes and e-mails are not limited by HIPAA, but users need to take note of the same common sense principles. First, be certain who your intended recipient is and know their correct fax number or e-mail address. Second, people are human and will make mistakes. Cover your bases by including a privacy and confidentiality statement on fax cover sheets and in e-mail signatures that tells recipients how to contact you and what to do if they accidentally receive a transmission from you that was not intended for them. Third, consider the reasons for electronic transmission of Protected Health Information (PHI). If the minimum necessary standard applies to your communication, be certain you comply.

Despite the best plans, mistakes occur. Prescriptions intended for the local pharmacy will end up faxed to the deli instead. When this happens, keep Myth #5 in mind. A mistake is not the end of the world.

To help you separate myth from fact, obtain a complete copy of the privacy standards at http://www.hhs.gov/ocr/combinedregtext.pdf.

When someone tells you something about HIPAA that doesn’t seem to make sense, don’t simply take them at their word. Have them show you the section of the rule they are relying on. If what they’re selling you is a myth, you’ll soon find out.

¹Note, however, that state laws may still prohibit certain disclosures even if they are permitted under HIPAA. Seek guidance from an EMS attorney versed in your state law if you are at all unsure.

Mike McEvoy, Ph.D., RN, CCRN, REMT-P, is the EMS coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in New York. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for the West Crescent (NY) Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS director on the Board of the New York State Association of Fire Chiefs.

Paul Gillan, JD, EMT-B, is a senior associate attorney with the regional law firm Iseman, Cunningham, Riester & Hyde, LLP, in Albany, New York, and is admitted to practice law in New York, Maryland, and Vermont. An active EMT, he devotes a substantial portion of his practice to representation of fire and EMS services, EMS councils, and individual EMTs.