By Mike McEvoy, Ph.D., RN, CCRN, REMT-P and Paul Gillan, JD, EMT-B
HIPAA, like many other government regulations, has managed to bring out the best and the worst in people. Best practices are found in departments that have creatively implemented new routines embracing the spirit of HIPAA. Worst practices flourish in departments that made halfhearted efforts to create an appearance of compliance, usually without attempting to understand HIPAA’s purpose. HIPAA has also been used inappropriately both as a shield and a roadblock to reasonable disclosures of information, usually by unreasonable people.
This article focuses on the relationship between HIPAA and quality improvement (QI), including when protected information can be shared and how HIPAA differentiates between research and quality improvement activities.
Components of QI
Mandated QI programs in hospitals came from the same parents as HIPAA: federal legislation. Probably through trickle-down effect, most states now mandate QI for EMS agencies as well. There are three key components of a QI program: prospective, concurrent, and retrospective. Activities that assure quality patient care before a truck or ambulance rolls comprise prospective QI. Examples of prospective QI include equipment and staffing standards, checklists, operational policies and guidelines, medical protocols, review/verification of certifications, and EMS education programs. Concurrent QI includes activities to monitor and ensure quality at the time care is being provided, such as supervision or oversight by a medical director or advisor. Activities that look back to see if quality service was given constitute retrospective QI. Review of run reports, response surveys mailed to patients and families, interface with other response agencies, surveys of receiving hospitals, response time studies, and high risk call reviews all fall under the umbrella of retrospective QI.
There can be no doubt that a substantial number of QI activities–particularly concurrent and retrospective QI–directly involve review of records classified as protected health information (PHI) under HIPAA. A clear understanding of the relationship between HIPAA and QI is imperative to protect your patient records. It also makes good business sense given the hefty penalties for noncompliance.
Permitted Uses of PHI
Acronyms help to psychologically reduce the size of legislative works that rival long novels. “TPO” is the catch phrase used to remember the three basic permitted uses of protected health information: treatment, payment, and “health care operations.” (Why the acronym isn’t “TPH” we’ll never know.) Most QI activities are included under health care operations.
Unlike treatment situations, when you normally share an entire record with other treating health care providers, a “minimum necessary” standard applies to most QI activities. This standard essentially limits the information disclosed to the minimum needed to accomplish the task. For example, a patient’s name, age, and sex would not be necessary to share when reviewing the frequency and thoroughness of vital sign assessments. Typically, your notice of privacy practices (NPP) tells patients that you will use their PHI for QI reviews. Specific authorization from the patient is not necessary.
There are several exceptions to permitted uses of PHI, and a few are worth highlighting here. Reports to public health authorities of communicable diseases; reports of child abuse or neglect; notifications of drug or medical equipment failure or safety hazards; and reports for the purposes of government oversight such as licensure and disciplinary actions are all usually allowed without authorization from the patient and without opportunity for the patient to agree or object to the disclosure (45 CFR 164.512)1. It is important to understand, however, that state laws do not necessarily supersede HIPAA restrictions. State laws that are more protective of patient privacy than the federal standards will continue to apply.2 But state laws that are less protective may be preempted and may no longer apply.3 Determining which exception, if any, applies to a given use or disclosure is tricky. New York, for example, requires every certified EMS provider to complete a patient care report after each patient contact and to submit a copy to a statewide quality assurance program.4 Although this is a “mandatory report” for New York certified EMS providers, disclosure of the patient care report would not fall into the exception of “uses and disclosures required by law.” The more appropriate category is disclosures for “health oversight activities,” which permits disclosures necessary for appropriate governmental oversight of the health care system. In either case, the disclosure would be allowed.
The Research Trap
The difference between “quality improvement” and “research” has long been a matter of degrees. This is probably because of the relative ease of conducting quality improvement studies vs. the maze of red tape involved in research. HIPAA and other federal regulations place greater responsibility on researchers to protect the PHI they collect and analyze, and “research” typically requires meeting burdensome notice and consent requirements. Given these additional burdens, you or your colleagues might be tempted to conduct research under the guise of quality improvement studies. Be forewarned: HIPAA has drawn the line dividing research from quality improvement much more clearly, eliminating much of the discretionary leeway of those who conduct “research” to decide how they will categorize their investigations.
HIPAA specifically defines research as “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”5 No longer are the waters as murky; if you have thoughts about or plans to publish findings of a study or analysis you conduct, it is research, not QI.
Surveyors and Databases
Accreditation organizations and outside surveyors are usually not covered entities (CE) under HIPAA, but they are definitely business associates (BA) of departments that are covered entities.6 You should have a business associate contract in place with any accrediting organization to assure that your PHI is properly handled.
If you submit data to an outside database, such as a regional or national cardiac arrest, stroke, or injury prevention database, you should also have a business agreement with them. Since the purpose of such databases is to analyze trends, compare yourself to others, and ultimately improve the quality of patient care, submitting PHI to data warehouses is considered a QI activity under HIPAA.
Some departments employ or contract with a third party to conduct QI reviews. These contractors are also considered business associates and require a business associate contract as well.
Case conferences are a fairly common venue for quality improvement review at all levels of medicine. Typically, case conferences are multidisciplinary and gather providers from many different departments or agencies (all of whom are covered entities themselves, but may not have treated or been involved in the care of the patient being discussed).
Departments conducting case conferences should exercise caution in displaying and disseminating PHI (such as a patient care report). Recall that the minimum necessary rule applies to these types of disclosures. Any information not necessary for the review should be redacted. This will usually result in the removal of information that would identify the patient being reviewed, such as names, addresses, birthdates, etc. Identifying elements vary depending on the circumstances. A good rule of thumb is to strip away any data that would allow a provider who was not involved in the case under review to recognize the identity of the patient. Keep in mind the goal of case reviews: improvement of the health care delivery system and enhanced knowledge of providers that will facilitate better care of future patients.
Does HIPAA need QI too?
HIPAA was designed to keep patient information private. As we have mentioned in prior HIPAA Focus columns, implementation of good privacy practices and training your members cannot be a one-time deal. Quality improvement activities may pose a department’s greatest danger of HIPAA violations. A keen awareness of how your QI program operates and what PHI is routinely used is not sufficient to keep your department from running afoul of HIPAA. Consider aiming the lens of your QI program at your department’s HIPAA compliance. You might want to follow a typical patient record through the channels of your EMS system to analyze the strengths and weaknesses of your privacy practices. While you’re at it, review the effectiveness of your HIPAA training at various levels of your organization to determine whether your members have the required knowledge to effectively comply with the HIPAA requirements that affect their jobs. You may be surprised at what you learn.
1 http://www.hhs.gov/ocr/combinedregtext.pdf The rule contains many criteria that must be met to allow the disclosure. Review the regulation carefully in conjunction with your state’s reporting requirements to determine which disclosures are allowed.
2 See 45 CFR 160.202 for the definition of “contrary” to state law, and 45 CFR 160.203 for the general rule and exceptions to preemption.
3 For an example of preemption analysis, see the New York State Department of Health’s preemption charts at http://www.health.state.ny.us/nysdoh/hipaa/hipaa_preemption_charts.htm
4 New York State Codes, Rules, and Regulations, Chapter VI of Title 10 (Health), 800.15 (a) (1) http://www.health.state.ny.us/nysdoh/ems/part800.htm#800.15
5 45 CFR 164.501 (Definitions)
6 The privacy rule specifically defines accrediting organizations as business associates. See 45 CFR 164.103.
Mike McEvoy, Ph.D., RN, CCRN, REMT-P, is the EMS coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in New York. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for the West Crescent (NY) Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS director on the Board of the New York State Association of Fire Chiefs.
Paul Gillan, JD, EMT-B, is a senior associate attorney with the regional law firm Iseman, Cunningham, Riester & Hyde, LLP, in Albany, New York. An active EMT, he devotes a substantial portion of his practice to representation of fire and EMS services, EMS councils, and individual EMTs. For more information about the firm, please visit http://www.icrh.com.