Hello, Dwayne. First I'll start with a hearty "welcome." And then a
"thanks" for such a thorough response, including the actual Privacy Rule
citations. I was at home when I first responded to Will, and I didn't
have the Rule with me. I often bring things home from the office, but
HIPAA stuff usually is not among them. ;-) It is helpful to me, and to
others, I'm sure, to revisit the wording of the Rule periodically.

I have a couple of specific comments plugged in below. I also will be
pretty wordy for now, in part to provide background to the HIPAA newbies
and in part because I sometimes don't know when to shut up. :-)

--- In hipaaems@yahoogroups.com, "Dwayne Young" <dwayne.young@...> wrote:
>
> Hello Everyone - I'll start with a long post and then tone it down a
> little!
>
> This group should be a big help to folks and everyone should remember
> the different interpretations and opinions the entire healthcare
> industry now has on HIPAA and its impact when reading and discussing the
> standards - some of these issues have only been discussed but not tested
> by an actual event...
>
> Below are our stances on the issues discussed - I welcome comments and
> criticism...
>
> Our agency practices leaving the records at the hospital; in fact, the
> trauma legislation in NC has a requirement in the trauma system program
> that prehospital care be a part of the evaluation; during a trauma
> center site visit by the state office of EMS, the pre-hospital record is
> on their check list of items to review in the hospital medical record.
> You have to keep in mind that state privacy laws may be more stringent
> and require more than the federal laws - they just can't be less...
>
> Also, the standard has an area that may address disclosure of
> information not "owned" by the covered entity:
>
> (e) Implementation specification: documentation. A covered entity must
> document the following and retain the documentation as required by §
> 164.530(j):
> (1) The designated record sets that are subject to access by
> individuals; and
> (2) The titles of the persons or offices responsible for receiving and
> processing requests for access by individuals.
>
> Everyone needs to have a designated record set - when a request is
> then made, we have a defined record that everyone can
> follow. If the hospital does not have the EMS record as part of their
> Designated Record Set, one could argue it was disclosed
> inappropriately. It's all going to come back to local policy and
> interpretation.

I agree that one could make that argument. But to tie back into Will's
original question, I contend that it is the hospital's violation, not
the EMS agency's. We certainly can't be held responsible for
inappropriate redisclosure by those to whom we have made allowable
disclosures. If his counsel took that practice to its extreme, he would
disallow ANY disclosure.

I can't see why a hospital would not include their copy of the PCR as
part of the DRS. The DRS includes, among other things, PHI with which
the covered entity makes treatment decisions about the patient. I will
assume the hospitals in Will's area, like those in mine, might
occasionally find the information important for treatment.

But that may be somewhat beside the point. As your citation suggests,
the DRS includes "official" records that must be retained for access by
the patient if requested, among other things. But the protection of PHI
is not limited to what is in the DRS. Any and all PHI must be protected
by the covered entity, regardless of its form and location.

>
> As to subpoenas, be careful when responding as there are specific
> criteria for proper disclosure even in the presence of a subpoena. The
> patient still has to be notified of the closure... see the standard
> below:
>
> (e) Standard: disclosures for judicial and administrative proceedings.
>
> (1) Permitted disclosures. A covered entity may disclose protected
> health information in the course of any judicial or administrative
> proceeding:
> (i) In response to an order of a court or administrative tribunal,
> provided that the covered entity discloses only the protected health
> information expressly authorized by such order; or
> (ii) In response to a subpoena, discovery request, or other lawful
> process, that is not accompanied by an order of a court or
> administrative tribunal, if:
> (A) The covered entity receives satisfactory assurance, as described
> in paragraph (e)(1)(iii) of this section, from the party seeking the
> information that reasonable efforts have been made by such party to
> ensure that the individual who is the subject of the protected health
> information that has been requested has been given notice of the
> request; or
> (B) The covered entity receives satisfactory assurance, as described
> in paragraph (e)(1)(iv) of this section, from the party seeking the
> information that reasonable efforts have been made by such party to
> secure a qualified protective order that meets the requirements of
> paragraph (e)(1)(v) of this section.

No question, which is why I said earlier, "assuming the subpoena meets
HIPAA requirements for patient notification and applicable state laws."
It is interesting to me how many lawyers don't know (or try to
circumvent) their own state laws for medical record subpoenas. Virginia
law has a very precise process -- that dovetails with HIPAA well -- that
mandates certain exact wording in the subpoena. The statements tell the
recipient that the patient or his counsel have received notice of the
subpoena, and the recipient MUST not (not just MAY not) release the
record until 15 days have passed, and has received notice from the
issuing attorney that: 1) the patient's attorney has elected not to file a
motion to quash (the usual case given that most subpoenas are from
defendants in personal injury claims), 2) the patient has filed a motion
to quash and the court has resolved it, or 3) a motion to quash is
pending, in which case we are to seal the record and submit it to the
Circuit Court Clerk to hold until the motion is resolved. It gives
this non-lawyer a certain perverse pleasure to be able to call an
attorney's office to tell them their subpoena is invalid.

>
> You have to read the entire standard to see how it all interconnects
> based on the "what if" scenarios.
>
> Hope this helps in the discussions...
>
> Dwayne R. Young, BS, REMTP
> ES Manager Planning and Research
> Guilford County Emergency Services
> 1002 Meadowood Street
> Greensboro, NC 27409
> (336) 641-4980 (Office)
> (336) 641-6538 (Fax)
>
> ________________________________
>
> From: hipaaems@yahoogroups.com [mailto:hipaaems@yahoogroups.com] On
> Behalf Of emtpkelly
> Sent: Monday, March 31, 2008 10:00 PM
> To: hipaaems@yahoogroups.com
> Subject: [HIPAA & EMS] Re: PCRs at the hospital
>
>
>
> --- In hipaaems@yahoogroups.com, "Will Dunn" dunnww@ wrote:
> >
> > Hello everyone.
> >
> > I am (relatively) new to an agency that does not leave field patient
> > care reports at the hospital once care has been handed over. I
> > complained about this for a variety of reasons.
> >
> > I am told that there was an instance in the past where following a
> > formal records release from the hospital for purposes of litigation,
> > our PCR turned up--a surprise since there had been no formal records
> > request from us.
> >
> > I have been under the impression that once we left that PCR with the
> > hospital it's part of the medical record.
> >
> > The management here, after an opinion from our legal counsel, supports
> > the practice of not leaving PCRs with the hospital since we know they
> > could release it without patient consent, a HIPAA violation, except in
> > the instances where it is required by law.
> >
> > I believe that this practice isn't doing the patient any favors, and,
> > perhaps, contributing to worse patient care downstream.
> >
> > Anyone have any thoughts?
> >
> > Thanks very much.
> >
> > --wwd
> >
> Hi, Will. Welcome to the group!
>
> I agree that not leaving the PCR at the hospital could work to the
> detriment of the patient. Docs in my area probably don't use the PCR
> much, but they do use them. We get an occasional call from the
> hospital when the PCR doesn't show up, especially from inpatient units
> like ICU.
>
> Where is your medical director in this discussion? Maybe he/she can
> bring some weight to bear.
>
> I probably should add this next statement to the group's home page. I
> am not a lawyer, and I suspect most list members won't be either.
> Even the lawyers that might choose to join here probably will tell you
> their response is not legal advice for a specific situation. So your
> own legal counsel's guidance is what you should follow. They have to
> defend you if they're wrong, so presumably they will have researched
> and considered the issue thoroughly before rendering an opinion.
>
> Having said that, I don't see a HIPAA issue with leaving a PCR at the
> hospital. It serves a legitimate treatment purpose, and we never want
> to let HIPAA stand in the way of treatment. Once we turn it over it
> becomes part of the hospital's medical record. If the hospital gets a
> subpoena for the record, then they must comply, assuming the subpoena
> meets HIPAA requirements for patient notification and applicable state
> laws. That is one of several occasions where HIPAA allows release of
> PHI without patient authorization. (FYI, there is a subtle but
> significant difference between the terms "authorization" and "consent"
> in HIPAA. But that's for another day.) If the hospital follows all
> laws in the process, obviously everyone is OK legally. If they're
> not, it's their record and their HIPAA violation, not yours, IMHO.
>
> What do your state EMS regulations and state law have to say? I would
> hope your attorney considered them. If your state's laws are more
> stringent in restricting disclosure, then they prevail over HIPAA.
> (HIPAA prevails if it is more restrictive.) EMS regulations may have
> a say in whether you leave a PCR. In Virginia, the regulations
> require a PCR copy to be delivered to the ER within 24 hours of the
> patient's delivery.
>
> Hope that helps. Others?
>
> Jim
>