Hello Everyone - I'll start with a long post and then tone in down a little! 

This group should be a big help to folks and everyone should remember the different interpretations and opinions the entire healthcare industry now has on HIPAA and its impact when reading and discussing the standards - some of these issues have only been discussed but not tested by an actual event... 

 
Below are our stances on the issues discussed - I welcome comments and criticism...

Our agency practices leaving the records at the hospital; in fact, the trauma legislation in NC has a requirement in the trauma system program that prehospital care be a part of the evaluation; during a trauma center site visit by the state office of EMS, the pre-hospital record is on their check list of items to review in the hospital medical record.  You have to keep in mind that state privacy laws may be more stringent and require more that the federal laws - they just can't be less…

Also, the standard has an area that may address disclosure of information not "owned" by the covered entity:

(e) Implementation specification: documentation. A covered entity must document the following and retain the documentation as required by § 164.530(j):

(1) The designated record sets that are subject to access by individuals; and
(2) The titles of the persons or offices responsible for receiving and processing requests for access by individuals.

Everyone needs to have a designated record set - when a request is then made, we have a defined record that everyone can follow.  If the hospital does not have the EMS record as part of their Designated Record Set, one could argue it was disclosed inappropriately.  It's all going to come back to local policy and interpretation.

 
As to subpoenas, be careful when responding as there are specific criteria for proper disclosure even in the presence of a subpoena.  The patient still has to be notified of the closure...  see the standard below:

 
(e) Standard: disclosures for judicial and administrative proceedings.

(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

 
You have to read the entire standard to see how it all interconnects based on the "what if" scenarios.

Hope this helps in the discussions…

Dwayne R. Young, BS, REMTP
ES Manager Planning and Research
Guilford County Emergency Services
1002 Meadowood Street
Greensboro, NC 27409
(336) 641-4980 (Office)
(336) 641-6538 (Fax)
 
Confidentiality Notice
 

The information contained in this message contains personally identifiable health information and must be treated with strict confidence.  The information contained herein is intended only for the addressee listed above and should be used only for the purposes of health treatment, payment, or other healthcare operations as defined by Guilford County Emergency Services, or, for other means previously agreed upon by both parties.   Please contact the sender at the designated number as soon as possible to ensure corrective actions are taken so that the intended recipient is contacted.  If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communications is strictly prohibited.  If you have received this in error, please notify us by telephone and delete the message immediately.  Thank You

________________________________

From: hipaaems@yahoogroups.com [mailto:hipaaems@yahoogroups.com] On Behalf Of emtpkelly
Sent: Monday, March 31, 2008 10:00 PM
To: hipaaems@yahoogroups.com
Subject: [HIPAA & EMS] Re: PCRs at the hospital

--- In hipaaems@yahoogroups.com <mailto:hipaaems%40yahoogroups.com> , "Will Dunn" <dunnww@...> wrote:
>
> Hello everyone.
>
> I am (relatively) new to an agency that does not leave field patient
> care reports at the hospital once care has been handed over. I
> complained about this for a variety of reasons.
>
> I am told that there was an instance in the past where following a
> formal records release from the hospital for purposes of litigation,
> our PCR turned up--a surprise since there had been no formal records
> request from us.
>
> I have been under the impression that once we left that PCR with the
> hospital it's part of the medical record.
>
> The management here, after an opinion from our legal counsel, supports
> the practice of not leaving PCRs with the hospital since we know they
> could release it without patient consent, a HIPAA violation, except in
> the instances where it is required by law.
>
> I believe that this practice isn't doing the patient any favors, and,
> perhaps, contributing to worse patient care downstream.
>
> Anyone have any thoughts?
>
> Thanks very much.
>
> --wwd
>
Hi, Will. Welcome to the group!

I agree that not leaving the PCR at the hospital could work to the
detriment of the patient. Docs in my area probably don't use the PCR
much, but they do use them. We get an occasional call from the
hospital when the PCR doesn't show up, especially from inpatient units
like ICU.

Where is your medical director in this discussion? Maybe he/she can
bring some weight to bear.

I probably should add this next statement to the group's home page. I
am not a lawyer, and I suspect most list members won't be either.
Even the lawyers that might choose to join here probably will tell you
their response is not legal advice for a specific situation. So your
own legal counsel's guidance is what you should follow. They have to
defend you if they're wrong, so presumably they will have researched
and considered the issue thoroughly before rendering an opinion.

Having said that, I don't see a HIPAA issue with leaving a PCR at the
hospital. It serves a legitimate treatment purpose, and we never want
to let HIPAA stand in the way of treatment. Once we turn it over it
becomes part of the hospital's medical record. If the hospital gets a
subpoena for the record, then they must comply, assuming the subpoena
meets HIPAA requirements for patient notification and applicable state
laws. That is one of several occasions where HIPAA allows release of
PHI without patient authorization. (FYI, there is a subtle but
significant difference between the terms "authorization" and "consent"
in HIPAA. But that's for another day.) If the hospital follows all
laws in the process, obviously everyone is OK legally. If they're
not, it's their record and their HIPAA violation, not yours, IMHO.

What do your state EMS regulations and state law have to say? I would
hope your attorney considered them. If your state's laws are more
stringent in restricting disclosure, then they prevail over HIPAA.
(HIPAA prevails if it is more restrictive.) EMS regulations may have
a say in whether you leave a PCR. In Virginia, the regulations
require a PCR copy to be delivered to the ER within 24 hours of the
patient's delivery.

Hope that helps. Others?

Jim