Having problems with message search?
--- In hipaaems@yahoogroups.com, "Sean Regan" <sean.regan@...> wrote:
>
> Hello, my name is Sean Regan,EMS Captain with the Lynchburg Fire
> Department and by appointment our department's HIPAA officer.
>
> I have two questions that I believe someone on this board can answer.
>
> 1. Our department is implementing a FF Rehab program and our
> department is attempting to establish a baseline and upper limit for
> FF BPs. Our health and safety officer is soliciting Employee Name,
> BP reading and any BP medication that is being taken by the employee
> to be posted on spreadsheet that is stored on an unprotected network
> drive that can be accessed by any employee within our department.
> It appears that our H&S officer was told that this information was
> not PHI and that if only our employees had access to the information
> that it met the standards set forth by HIPAA. What are your
> thoughts on this?
>
> 2. How do departments handle the release of PHI to family members
> (especially when the patient is deceased). Any policies, processes
> and forms would be appreciated. I saw the flowsheet that Jim posted
> and have started to use that. Thanks Jim!
>
> Sean Regan,EMS Captain
> sean.regan@...
>
--- In hipaaems@yahoogroups.com, "Sean Regan" <sean.regan@...> wrote:
>
> Hello, my name is Sean Regan,EMS Captain with the Lynchburg Fire
> Department and by appointment our department's HIPAA officer.
>
> I have two questions that I believe someone on this board can answer.
>
> 1. Our department is implementing a FF Rehab program and our
> department is attempting to establish a baseline and upper limit for
> FF BPs. Our health and safety officer is soliciting Employee Name,
> BP reading and any BP medication that is being taken by the employee
> to be posted on spreadsheet that is stored on an unprotected network
> drive that can be accessed by any employee within our department.
> It appears that our H&S officer was told that this information was
> not PHI and that if only our employees had access to the information
> that it met the standards set forth by HIPAA. What are your
> thoughts on this?
>
> 2. How do departments handle the release of PHI to family members
> (especially when the patient is deceased). Any policies, processes
> and forms would be appreciated. I saw the flowsheet that Jim posted
> and have started to use that. Thanks Jim!
>
> Sean Regan,EMS Captain
> sean.regan@...
>
Hi, Sean, from about 100 miles to your east. Welcome to the group.
As for the first question, we (HIPAA covered entities) potentially wear two hats when it comes to employees. The usual hat is that of an employer. Once in a while, an employee becomes a patient, and then we wear the hat of a health care provider. We obtain certain medical information in both instances. But HIPAA makes a clear distinction between the two roles in deeming whether it is PHI and, therefore, protected by HIPAA. HIPAA specifically excludes employment-related information, which is how I would regard the information obtained by your H&S officer. On the other hand, if one of your firefighters suffers an injury, the information obtained by the crew that treats him/her will be considered PHI. It might be identical information to that obtained by the H&S officer -- history and meds aren't likely to change much, for example. But HIPAA makes it clear that it's not the nature of the employee's information that determines whether it's PHI; it is the role the covered entity was in when the information was obtained.
Having said that, if I was one of your people, I would protest loudly that my medical information is being stored in an insecure network location. It's still none of the business of my colleagues, except those who might be evaluating me in rehab or treating me for an illness or injury. Furthermore, you may be in violation of Virginia law here. The Code of Virginia doesn't make this same distinction. From the Code section on health records privacy, § 32.1-127.1:03, defining what records the section applies to:
"'Health record' means any written, printed or electronically recorded material maintained by a health care entity in the course of providing health services to an individual concerning the individual and the services provided...."I think someone could make an argument that rehab is a health service, even if you're not a "patient" as HIPAA defines it.
As for question #2, HIPAA allows some leeway here. First, the best thing is to simply ask the patient's permission to disclose to whatever family member is involved. But if the patient is unconscious or not present and, therefore, has no opportunity to agree or object, then you may exercise some judgement. If a family member or friend is involved with the patient's care or payment for that care, then we can disclose certain information to them under certain conditions. Then HIPAA allows us to disclose only what is minimally necessary for that person's involvement in care or payment. But before we disclose, we use good judgement in asking ourselves if the disclosure is in the patient's best interest.
I try to do the right thing, and with that in mind I generally interpret"involved with the patient's care or payment" pretty broadly. Forexample, if a spouse has called 911, he/she is involved with thepatient's care. If they provide medical history to me, they areinvolved with the patient's care. If the patient is a young adult whostill is on his/her parents' health insurance and presents the parent'sinsurance card to me, then the parents are involved with payment.
Again, though, judgement must enter into it. If I think the spouse has assaulted the patient, I'll probably tell him nothing. If the adult child is having a miscarriage or has taken an overdose, it may not be in her best interest for me to tell her parents.
CMS recently published a guideline document on this very subject:
http://www.hhs.gov/ocr/hipaa/provider_ffg.pdf
Meanwhile, I will see if I can upload it into the Files section here for ease of access.
Now, as for deceased individuals: HIPAA defines who may be a "personal representative" for many patient categories, including deceased persons. Such representatives may be regarded the same as the patient insofar as disclosures are concerned. As for who that might be, HIPAA defers to state law in many cases, including decedents. Virginia defines a hierarchy of individuals who may receive a decedent's records. Records may be disclosed as follows (from the same Code section cited previously):
"24. If the health records are those of a deceased or mentally incapacitated individual to the personal representative or executor of the deceased individual or the legal guardian or committee of the incompetent or incapacitated individual or if there is no personal representative, executor, legal guardian or committee appointed, to the following persons in the following order of priority: a spouse, an adult son or daughter, either parent, an adult brother or sister, or any other relative of the deceased individual in order of blood relationship; "Hope that helps!
Jim
Offline 
Send Email