My ride along program here in OC Ca doesn't allow under age kids. I'm
in the local Community Collage program and we have two company's we
ride with. I only had to sign a waver and that was it. Also one of the
company's lets you do as many as you want.

Hello everybody!
  I'm new to this whole thing. I'm reading everything I can and want to
express my thanks to you for starting this group.

Bumped yet again.  I'm sure someone out there in HIPAA-land has an
opinion, right??  :-)


--- In hipaaems@yahoogroups.com, "Jim Kelly" <cfems@...> wrote:
>
> [Bump]
>
> Anyone care to comment?
>
>
> --- In hipaaems@yahoogroups.com, "Jim Kelly" <cfems@> wrote:
> >
> > Many of you may have seen this from JEMS.com:
> >
> >
>
http://www.jems.com/news_and_articles/articles/Anatomy_of_Florida_Photo_\
> > Controversy.html
> >
> > I am interested in hearing views on this, first on the subject of the
> > taking of the pictures (forget the e-mailing of them for a moment).
> > Let's accept his premise that the purpose was as an "investigative and
> > educational tool."  Was it appropriate to take them?  Do you have a
> > policy on the taking of digital pictures on EMS calls?  Are members
> > allowed to take them with their personal cameras?  Department-issued
> > cameras only?  If pics are allowed, how do you manage their
privacy and
> > security from a HIPAA perspective?
> >
> > More clear-cut (presumably) is that he shouldn't have e-mailed them.
> > This case demonstrates one reason: After you e-mail something you have
> > no control over it; there is no way to restrict who and to how many
> > others the intended recipients forward it to.  In addition, you can't
> > control the security of the servers it resides on, for years perhaps.
> > Our philosophy of e-mail is that it is inherently insecure, and we
> > forbid the e-mailing of PHI except in a password-protected or
encrypted
> > form.
> >
> > Others?
> >
> > Jim
> >
>

The previous post re. cheap air tickets has been deleted and the
author banned.

Jim

[Bump]

Anyone care to comment?


--- In hipaaems@yahoogroups.com, "Jim Kelly" <cfems@...> wrote:
>
> Many of you may have seen this from JEMS.com:
>
>
http://www.jems.com/news_and_articles/articles/Anatomy_of_Florida_Photo_\
> Controversy.html
>
> I am interested in hearing views on this, first on the subject of the
> taking of the pictures (forget the e-mailing of them for a moment).
> Let's accept his premise that the purpose was as an "investigative and
> educational tool."  Was it appropriate to take them?  Do you have a
> policy on the taking of digital pictures on EMS calls?  Are members
> allowed to take them with their personal cameras?  Department-issued
> cameras only?  If pics are allowed, how do you manage their privacy and
> security from a HIPAA perspective?
>
> More clear-cut (presumably) is that he shouldn't have e-mailed them.
> This case demonstrates one reason: After you e-mail something you have
> no control over it; there is no way to restrict who and to how many
> others the intended recipients forward it to.  In addition, you can't
> control the security of the servers it resides on, for years perhaps.
> Our philosophy of e-mail is that it is inherently insecure, and we
> forbid the e-mailing of PHI except in a password-protected or encrypted
> form.
>
> Others?
>
> Jim
>

Many of you may have seen this from JEMS.com:

http://www.jems.com/news_and_articles/articles/Anatomy_of_Florida_Photo_\
Controversy.html

I am interested in hearing views on this, first on the subject of the
taking of the pictures (forget the e-mailing of them for a moment).
Let's accept his premise that the purpose was as an "investigative and
educational tool."  Was it appropriate to take them?  Do you have a
policy on the taking of digital pictures on EMS calls?  Are members
allowed to take them with their personal cameras?  Department-issued
cameras only?  If pics are allowed, how do you manage their privacy and
security from a HIPAA perspective?

More clear-cut (presumably) is that he shouldn't have e-mailed them.
This case demonstrates one reason: After you e-mail something you have
no control over it; there is no way to restrict who and to how many
others the intended recipients forward it to.  In addition, you can't
control the security of the servers it resides on, for years perhaps.
Our philosophy of e-mail is that it is inherently insecure, and we
forbid the e-mailing of PHI except in a password-protected or encrypted
form.

Others?

Jim

To answer Jim's question at the end of his excellent post, I do believe there is
a downside to executing a BA agreement when none is otherwise required. The
primary downside, in my view, is to voluntarily impose certain obligations via
contract (a BAA is, after all, a contract) on the  ambulance service that it
would otherwise not have directly under HIPAA. Plus you undertake certain
contractual obligations to the facility when HIPAA only imposes obligations to
the patient. Assuming voluntary contractual obligations to a facility under a
BAA only adds compliance burdens to a covered entity.



Douglas M. Wolfberg
Page, Wolfberg & Wirth, LLC
5010 E. Trindle Road, Suite 202
Mechanicsburg, PA 17050
(717) 691-0100
Sent via Blackberry

-----Original Message-----
From: "hipaaems@yahoogroups.com" <hipaaems@yahoogroups.com>

Date: Sat, 19 Apr 2008 05:21:47
To:"hipaaems@yahoogroups.com" <hipaaems@yahoogroups.com>
Subject: [HIPAA & EMS] Digest Number 8


HIPAA & EMS


       HIPAA &amp; EMS    
<http://groups.yahoo.com/group/hipaaems;_ylc=X3oDMTJlNWJkbjU2BF9TAzk3MzU5NzE1BGd\
ycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDaGRyBHNsawNocGgEc3RpbWUDMTIwODU\
5NjkwNg-->

Messages In This Digest (2 Messages)


  1a.
   Re: PCRs at the hospital From: Jim Kelly 1b.
   Re: PCRs at the hospital From: Barton Regan

  View All Topics
<http://groups.yahoo.com/group/hipaaems/messages;_ylc=X3oDMTJnYTFkZXRsBF9TAzk3Mz\
U5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZG1zZwRzbGsDYXRwYwRzdG\
ltZQMxMjA4NTk2OTA3?xm=1&m=p&tidx=1>  | Create New Topic
<http://groups.yahoo.com/group/hipaaems/post;_ylc=X3oDMTJnbXRxMHVkBF9TAzk3MzU5Nz\
E1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZG1zZwRzbGsDbnRwYwRzdGltZQ\
MxMjA4NTk2OTA3>
  Messages


  1a.


         Re: PCRs at the hospital      
<http://groups.yahoo.com/group/hipaaems/message/22;_ylc=X3oDMTJwMTJlNWVqBF9TAzk3\
MzU5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARtc2dJZAMyMgRzZWMDZG1zZwRz\
bGsDdm1zZwRzdGltZQMxMjA4NTk2OTA3>

Posted by: "Jim Kelly"
       cfems@...       <mailto:cfems@...?Subject=
Re%3A%20PCRs%20at%20the%20hospital>  
           emtpkelly
          <http://profiles.yahoo.com/emtpkelly>

  Fri Apr 18, 2008 7:37 am (PDT)

  > Will,
  >
  > If your agency has executed a valid "business associates" contract
  > with the hospital in question, it is legal and advisable to leave a
  > PCR with them, after all HIPAA never intended that patient care should
  > be compromised by a lack of communication. The reality is that your
  > agency should execute such an agreement with every facility they
  > transport to and keep them on file.
  > -BR
  >

  Hmm, this brings up another issue. The clear consensus among attorneys
  who have addressed the issue with us, as well as folks (attorneys and
  others) in the mainstream HIPAA lists and groups, is that a BAA between
  covered entities is unnecessary if the only service the two CEs are
  performing is treatment.

  § 160.103 of the Privacy Rule defines a business associate as follows
  (with references to "organized health care arrangement" omitted for the
  sake of brevity and because most EMS agencies presumably are not part of
  an OHCA):
  "(1) Except as provided in paragraph (2) of this definition, business
  associate means, with respect to a covered entity, a person who:
  (i) On behalf of such covered entity ..., but other than in the capacity
  of a member of the workforce of such covered entity ..., performs, or
  assists in the performance of:
  (A) A function or activity involving the use or disclosure of
  individually identifiable health information, including claims
  processing or administration, data analysis, processing or
  administration, utilization review, quality assurance, billing, benefit
  management, practice management, and repricing; or
  (B) Any other function or activity regulated by this subchapter; or
  (ii) Provides, other than in the capacity of a member of the workforce
  of such covered entity, legal, actuarial, accounting, consulting, data
  aggregation (as defined in § 164.501 of this subchapter), management,
  administrative, accreditation, or financial services to or for such
  covered entity ..., where the provision of the service involves the
  disclosure of individually identifiable health information from such
  covered entity or arrangement, or from another business associate of
  such covered entity or arrangement, to the person."
  So it clearly states that, in order to be deemed a business associate,
  an entity must be performing one of these (non-treatment) services on
  behalf of a CE. Multiple CEs treating the same patient are providing
  their service directly to the patient, and nothing (listed or otherwise)
  on behalf of a CE.

  An example as we have applied it: We have a volunteer EMS agency in our
  county that uses our billing company. They also use us as the
  go-between for sending PCR data to the company, receiving EOBs and other
  related documents and reports from the company, customer service,
  collection efforts, etc. We have a BAA with that agency where we are
  considered their business associate. We don't have BAAs with other EMS
  agencies in the area, nor (back to the point) with the area hospitals.

  Therefore, Barton, it seems clear that BAAs with receiving hospitals are
  not required by the Privacy Rule. Nor do I believe (back to Will's
  original question) that that should be a factor in whether his agency
  should leave PCRs with them. As some of us have said, their potential
  role in treatment seems to be justification enough.

  Now, a question for the masses: If Barton and others still choose to
  execute them, is there any downside?

  Jim




           Back to top
             Reply to 
<mailto:cfems@...?Subject=Re%3A%20PCRs%20at%20the%20hospital> sender  |
             Reply to  <mailto:hipaaems@yahoogroups.com?Subject=
Re%3A%20PCRs%20at%20the%20hospital> group  |
             Reply 
<http://groups.yahoo.com/group/hipaaems/post;_ylc=X3oDMTJwZG1sNmN0BF9TAzk3MzU5Nz\
E1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARtc2dJZAMyMgRzZWMDZG1zZwRzbGsDcn\
BseQRzdGltZQMxMjA4NTk2OTA3?act=reply&messageNum=22> via web post

             Messages in this topic
           
<http://groups.yahoo.com/group/hipaaems/message/12;_ylc=X3oDMTMyM3NjaG0xBF9TAzk3\
MzU5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARtc2dJZAMyMgRzZWMDZG1zZwRz\
bGsDdnRwYwRzdGltZQMxMjA4NTk2OTA3BHRwY0lkAzEy>  (8)  1b.


         Re: PCRs at the hospital      
<http://groups.yahoo.com/group/hipaaems/message/23;_ylc=X3oDMTJwMWpoanBnBF9TAzk3\
MzU5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARtc2dJZAMyMwRzZWMDZG1zZwRz\
bGsDdm1zZwRzdGltZQMxMjA4NTk2OTA3>

Posted by: "Barton Regan"
       bregan@...       <mailto:bregan@...?Subject=
Re%3A%20PCRs%20at%20the%20hospital>  
           geobug2000
          <http://profiles.yahoo.com/geobug2000>

  Fri Apr 18, 2008 2:35 pm (PDT)

  Boy Jim, that sure clears up a lot of issues for us, if I can get our
  attorney to agree.Thank you.
  BR--




           Back to top
             Reply to 
<mailto:bregan@...?Subject=Re%3A%20PCRs%20at%20the%20hospital> sender 
|
             Reply to  <mailto:hipaaems@yahoogroups.com?Subject=
Re%3A%20PCRs%20at%20the%20hospital> group  |
             Reply 
<http://groups.yahoo.com/group/hipaaems/post;_ylc=X3oDMTJwbmlwb2ZwBF9TAzk3MzU5Nz\
E1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARtc2dJZAMyMwRzZWMDZG1zZwRzbGsDcn\
BseQRzdGltZQMxMjA4NTk2OTA3?act=reply&messageNum=23> via web post

             Messages in this topic
           
<http://groups.yahoo.com/group/hipaaems/message/12;_ylc=X3oDMTMyNzhmczJpBF9TAzk3\
MzU5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARtc2dJZAMyMwRzZWMDZG1zZwRz\
bGsDdnRwYwRzdGltZQMxMjA4NTk2OTA3BHRwY0lkAzEy>  (8)




         Visit Your Group      
<http://groups.yahoo.com/group/hipaaems;_ylc=X3oDMTJmbmw4aW9uBF9TAzk3MzU5NzE1BGd\
ycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzEyMDg\
1OTY5MDc->


Meditation and
Lovingkindness
<http://us.ard.yahoo.com/SIG=13rnbppq5/M=493064.12016231.12582634.9706571/D=grph\
ealth/S=1705061104:NC/Y=YAHOO/EXP=1208604107/L=/B=g52_GULaX9w-/J=120859690715150\
9/A=5191951/R=0/SIG=11iiaadso/*http://new.groups.yahoo.com/giftoflovingkindness>
A Yahoo! Group
to share and learn.

Yahoo! Health
Early Detection
<http://us.ard.yahoo.com/SIG=13r1cembr/M=493064.12016303.12582636.9706571/D=grph\
ealth/S=1705061104:NC/Y=YAHOO/EXP=1208604107/L=/B=hJ2_GULaX9w-/J=120859690715150\
9/A=5191946/R=0/SIG=12u9heqpd/*http://health.yahoo.com/breastcancer-symptoms/bre\
ast-cancer-symptoms/healthwise--tv3621.html>
Know the symptoms
of breast cancer.

Biz Resources
Y! Small Business
<http://us.ard.yahoo.com/SIG=13rfq6dvp/M=493064.12016255.12445662.8674578/D=grph\
ealth/S=1705061104:NC/Y=YAHOO/EXP=1208604107/L=/B=hZ2_GULaX9w-/J=120859690715150\
9/A=4025321/R=0/SIG=12a352npd/*http://us.rd.yahoo.com/evt=44092/*http://smallbus\
iness.yahoo.com/r-index>
Articles, tools,
forms, and more.


Need to Reply?
Click one of the "Reply" links to respond to a specific message in the Daily
Digest.

       Create New Topic    
<http://groups.yahoo.com/group/hipaaems/post;_ylc=X3oDMTJmcWxpaHBpBF9TAzk3MzU5Nz\
E1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNudHBjBHN0aW1lAz\
EyMDg1OTY5MDc->  |
       Visit Your Group on the Web
<http://groups.yahoo.com/group/hipaaems;_ylc=X3oDMTJkNDNobGQyBF9TAzk3MzU5NzE1BGd\
ycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNocARzdGltZQMxMjA4NTk\
2OTA3>
  Messages
<http://groups.yahoo.com/group/hipaaems/messages;_ylc=X3oDMTJmNGR2bms2BF9TAzk3Mz\
U5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNtc2dzBHN0aW\
1lAzEyMDg1OTY5MDc->  | Files
<http://groups.yahoo.com/group/hipaaems/files;_ylc=X3oDMTJnbnN0bjFqBF9TAzk3MzU5N\
zE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNmaWxlcwRzdGltZ\
QMxMjA4NTk2OTA3>  | Photos
<http://groups.yahoo.com/group/hipaaems/photos;_ylc=X3oDMTJmamJxOThjBF9TAzk3MzU5\
NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNwaG90BHN0aW1l\
AzEyMDg1OTY5MDc->  | Links
<http://groups.yahoo.com/group/hipaaems/links;_ylc=X3oDMTJnNmNiNDkzBF9TAzk3MzU5N\
zE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNsaW5rcwRzdGltZ\
QMxMjA4NTk2OTA3>  | Database
<http://groups.yahoo.com/group/hipaaems/database;_ylc=X3oDMTJkYzlsdmpqBF9TAzk3Mz\
U5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNkYgRzdGltZQ\
MxMjA4NTk2OTA3>  | Polls
<http://groups.yahoo.com/group/hipaaems/polls;_ylc=X3oDMTJnaHBscHZzBF9TAzk3MzU5N\
zE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNwb2xscwRzdGltZ\
QMxMjA4NTk2OTA3>  | Members
<http://groups.yahoo.com/group/hipaaems/members;_ylc=X3oDMTJmcW1ndDh1BF9TAzk3MzU\
5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNtYnJzBHN0aW1\
lAzEyMDg1OTY5MDc->  | Calendar
<http://groups.yahoo.com/group/hipaaems/calendar;_ylc=X3oDMTJlZXFnbHU3BF9TAzk3Mz\
U5NzE1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNjYWwEc3RpbW\
UDMTIwODU5NjkwNw-->
  
<http://groups.yahoo.com/;_ylc=X3oDMTJlc2F2dGFsBF9TAzk3MzU5NzE1BGdycElkAzIxOTQwN\
zYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTIwODU5NjkwNw-->
  Change settings via the Web
<http://groups.yahoo.com/group/hipaaems/join;_ylc=X3oDMTJncGhhOGpuBF9TAzk3MzU5Nz\
E1BGdycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNzdG5ncwRzdGltZQ\
MxMjA4NTk2OTA3>  (Yahoo! ID required)
  Change settings via email: Switch delivery to Individual
<mailto:hipaaems-normal@yahoogroups.com?subject=Email Delivery: Indiviual Email>
| Switch format to Traditional
<mailto:hipaaems-traditional@yahoogroups.com?subject=Change Delivery Format:
Traditional>

       Visit Your Group    
<http://groups.yahoo.com/group/hipaaems;_ylc=X3oDMTJldTh0ZDVmBF9TAzk3MzU5NzE1BGd\
ycElkAzIxOTQwNzYwBGdycHNwSWQDMTcwNTA2MTEwNARzZWMDZnRyBHNsawNocGYEc3RpbWUDMTIwODU\
5NjkwNw-->  |
       Yahoo! Groups Terms of Use     <http://docs.yahoo.com/info/terms/>  |
       Unsubscribe    
<mailto:hipaaems-unsubscribe@yahoogroups.com?subject=Unsubscribe>    
<http://geo.yahoo.com/serv?s=97359715/grpId=21940760/grpspId=1705061104/msgId=8/\
stime=1208596906/nc1=5191951/nc2=5191946/nc3=4025321>

Boy Jim, that sure clears up a lot of issues for us, if I can get our
attorney to agree.Thank you.
BR--

"(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity ..., but other than in the capacity of a member of the workforce of such covered entity ..., performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity ..., where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person."

--- In hipaaems@yahoogroups.com, "Will Dunn" <dunnww@...> wrote:
>
> Hello everyone.
>
> I am (relatively) new to an agency that does not leave field patient
> care reports at the hospital once care has been handed over.  I
> complained about this for a variety of reasons.
>
> I am told that there was an instance in the past where following a
> formal records release from the hospital for purposes of litigation,
> our PCR turned up--a surprise since there had been no formal records
> request from us.
>
> I have been under the impression that once we left that PCR with the
> hospital it's part of the medical record.
>
> The management here, after an opinion from our legal counsel, supports
> the practice of not leaving PCRs with the hospital since we know they
> could release it without patient consent, a HIPAA violation, except in
> the instances where it is required by law.
>
> I believe that this practice isn't doing the patient any favors, and,
> perhaps, contributing to worse patient care downstream.
>
> Anyone have any thoughts?
>
> Thanks very much.
>
> --wwd
>
Will,

If your agency has executed a valid "business associates" contract
with the hospital in question, it is legal and advisable to leave a
PCR with them, after all HIPAA never intended that patient care should
  be compromised by a lack of communication.  The reality is that your
agency should execute such an agreement with every facility they
transport to and keep them on file.
-BR

--- In hipaaems@yahoogroups.com, "emtpkelly" <cfems@...> wrote:
>
> I am interested in hearing how others handle ride-alongs who are not
> members of the agency: EMT or paramedic students, prospective members,
> citizen observers, even members of the news media.  Do you allow them?
> If so, who do you allow and what HIPAA provisions do you have in
place?
>
> Thanks,
> Jim
>

In the back of my mind when I started this thread was a particular case
from 2005.

First, some background for those unfamiliar with the case.   After a
complaint to the US Department of Health & Human Services Office of
Civil Rights (OCR), Washington, DC Fire & EMS was told by OCR that they
effectively had to discontinue their ride-along program.   OCR's stance
was that patient authorization was required prior to any disclosure to
non-member ride-alongs.   But, as OCR observed, DCFEMS would have no
opportunity (nor would any 911 responder) to identify patients in
advance to seek authorization.   So, therefore, the only conclusion OCR
could make is that the program must be discontinued.

After we heard about this case, we conducted our own internal review of
our ride-along program.   From the beginning of our Privacy Rule
compliance we have treated ride-alongs as members of our workforce, as
defined by the Privacy Rule.   And as members of our workforce, they
received training appropriate to their ride-along experience.  We
concluded our policy and practices were acceptable.

A subsequent JEMS article by Doug Wolfberg and Steve Wirth (January
2006) questioned the OCR ruling and effectively affirmed our position.
Doug and Steve concluded that OCR had overreached with its response.
They concluded that "ride-along programs ... are permissible if done
properly."   And a critical component of doing them properly is assuring
that ride-alongs receive appropriate training, as Joe and Dwayne's
agencies do.

So I and at least one other group member who responded to me privately
are curious:  What is the status of this particular case?   Did OCR ever
back down?   What is DCFEMS doing now?   Have others heard of similar
complaints and similar (attempted) actions by OCR, or for that matter,
any more general guidance to the industry?

Thanks,
Jim

We conduct an "orientation" for all riders - it's a class offered 1-2 times per
month and is required before riding is allowed - addresses safety, bloodborne
pathogens, and HIPAA as well as a dress code.  The class is good for one year at
which point they are required to retake if they wish to ride again.
Dwayne
Guilord County

________________________________

From: hipaaems@yahoogroups.com on behalf of emtpkelly
Sent: Wed 4/2/2008 2:23 PM
To: hipaaems@yahoogroups.com
Subject: [HIPAA & EMS] Ride-alongs



I am interested in hearing how others handle ride-alongs who are not
members of the agency: EMT or paramedic students, prospective members,
citizen observers, even members of the news media. Do you allow them?
If so, who do you allow and what HIPAA provisions do you have in place?

Thanks,
Jim

I am interested in hearing how others handle ride-alongs who are not
members of the agency: EMT or paramedic students, prospective members,
citizen observers, even members of the news media.  Do you allow them?
If so, who do you allow and what HIPAA provisions do you have in place?

Thanks,
Jim

Hello, Dwayne.  First I'll start with a hearty "welcome."  And then a
"thanks" for such a thorough response, including the actual Privacy Rule
citations.   I was at home when I first responded to Will, and I didn't
have the Rule with me.  I often bring things home from the office, but
HIPAA stuff usually is not among them. ;-)  It is helpful to me, and to
others, I'm sure, to revisit the wording of the Rule periodically.

I have a couple of specific comments plugged in below.  I also will be
pretty wordy for now, in part to provide background to the HIPAA newbies
and in part because I sometimes don't know when to shut up. :-)


--- In hipaaems@yahoogroups.com, "Dwayne Young" <dwayne.young@...>
wrote:
>
> Hello Everyone - I'll start with a long post and then tone in down a
little!
>
> This group should be a big help to folks and everyone should remember
the different interpretations and opinions the entire healthcare
industry now has on HIPAA and its impact when reading and discussing the
standards - some of these issues have only been discussed but not tested
by an actual event...
>
> Below are our stances on the issues discussed - I welcome comments and
criticism...
>
> Our agency practices leaving the records at the hospital; in fact, the
trauma legislation in NC has a requirement in the trauma system program
that prehospital care be a part of the evaluation; during a trauma
center site visit by the state office of EMS, the pre-hospital record is
on their check list of items to review in the hospital medical record.
You have to keep in mind that state privacy laws may be more stringent
and require more that the federal laws - they just can't be less...
>
> Also, the standard has an area that may address disclosure of
information not "owned" by the covered entity:
>
> (e) Implementation specification: documentation. A covered entity must
document the following and retain the documentation as required by §
164.530(j):
> (1) The designated record sets that are subject to access by
individuals; and
> (2) The titles of the persons or offices responsible for receiving and
processing requests for access by individuals.
>
> Everyone needs to have a designated record set - when a request is
then made, we have a defined record that everyone can
   >follow.  If the hospital does not have the EMS record as part of their
Designated Record Set, one could argue it was disclosed
   >inappropriately.  It's all going to come back to local policy and
interpretation.


I agree that one could make that argument.  But to tie back into Will's
original question, I contend that it is the hospital's violation, not
the EMS agency's.  We certainly can't be held responsible for
inappropriate redisclosure by those to whom we have made allowable
disclosures.  If his counsel took that practice to its extreme, he would
disallow ANY disclosure.

I can't see why a hospital would not include their copy of the PCR as
part of the DRS.  The DRS includes, among other things, PHI with which
the covered entity makes treatment decisions about the patient.  I will
assume the hospitals in Will's area, like those in mine, might
occasionally find the information important for treatment.

But that may be somewhat beside the point.  As your citation suggests,
the DRS includes "official" records that must be retained for access by
the patient if requested, among other things.  But the protection of PHI
is not limited to what is in the DRS.  Any and all PHI must be protected
by the covered entity, regardless of its form and location.


>
> As to subpoenas, be careful when responding as there are specific
criteria for proper disclosure even in the presence of a subpoena.  The
patient still has to be notified of the closure...  see the standard
below:
>
> (e) Standard: disclosures for judicial and administrative proceedings.
>
> (1) Permitted disclosures. A covered entity may disclose protected
health information in the course of any judicial or administrative
proceeding:
> (i) In response to an order of a court or administrative tribunal,
provided that the covered entity discloses only the protected health
information expressly authorized by such order; or
> (ii) In response to a subpoena, discovery request, or other lawful
process, that is not accompanied by an order of a court or
administrative tribunal, if:
> (A) The covered entity receives satisfactory assurance, as described
in paragraph (e)(1)(iii) of this section, from the party seeking the
information that reasonable efforts have been made by such party to
ensure that the individual who is the subject of the protected health
information that has been requested has been given notice of the
request; or
> (B) The covered entity receives satisfactory assurance, as described
in paragraph (e)(1)(iv) of this section, from the party seeking the
information that reasonable efforts have been made by such party to
secure a qualified protective order that meets the requirements of
paragraph (e)(1)(v) of this section.


No question, which is why I said earlier, "assuming the subpoena meets
HIPAA requirements for patient notification and applicable state laws. "

It is interesting to me how many lawyers don't know (or try to
circumvent) their own state laws for medical record subpoenas.  Virginia
law has a very precise process -- that dovetails with HIPAA well -- that
mandates certain exact wording in the subpoena.  The statements tell the
recipient that the patient or his counsel have received notice of the
subpoena, and the recipient MUST not (not just MAY not) release the
record until 15 days have passed, and has received notice from the
issuing attorney that: 1) the patient's attorney has elected not file a
motion to quash (the usual case given that most subpoenas are from
defendants in personal injury claims), 2) the patient has filed a motion
to quash and the court has resolved it, or 3) a motion to quash is
pending, in which case we are to seal the record and submit it to the
Circuit Court Clerk to hold until the motion is resolved.   It gives
this non-lawyer a certain perverse pleasure to be able to call an
attorney's office to tell them their subpoena is invalid.



>
> You have to read the entire standard to see how it all interconnects
based on the "what if" scenarios.
>
> Hope this helps in the discussions...
>
> Dwayne R. Young, BS, REMTP
> ES Manager Planning and Research
> Guilford County Emergency Services
> 1002 Meadowood Street
> Greensboro, NC 27409
> (336) 641-4980 (Office)
> (336) 641-6538 (Fax)
>
> Confidentiality Notice
>
>
> The information contained in this message contains personally
identifiable health information and must be treated with strict
confidence.  The information contained herein is intended only for the
addressee listed above and should be used only for the purposes of
health treatment, payment, or other healthcare operations as defined by
Guilford County Emergency Services, or, for other means previously
agreed upon by both parties.   Please contact the sender at the
designated number as soon as possible to ensure corrective actions are
taken so that the intended recipient is contacted.  If the reader of
this message is not the intended recipient, you are hereby notified that
any dissemination, distribution, or copying of this communications is
strictly prohibited.  If you have received this in error, please notify
us by telephone and delete the message immediately.  Thank You
>
>
>
>
> ________________________________
>
> From: hipaaems@yahoogroups.com [mailto:hipaaems@yahoogroups.com] On
Behalf Of emtpkelly
> Sent: Monday, March 31, 2008 10:00 PM
> To: hipaaems@yahoogroups.com
> Subject: [HIPAA & EMS] Re: PCRs at the hospital
>
>
>
> --- In hipaaems@yahoogroups.com <mailto:hipaaems%40yahoogroups.com> ,
"Will Dunn" dunnww@ wrote:
> >
> > Hello everyone.
> >
> > I am (relatively) new to an agency that does not leave field patient
> > care reports at the hospital once care has been handed over. I
> > complained about this for a variety of reasons.
> >
> > I am told that there was an instance in the past where following a
> > formal records release from the hospital for purposes of litigation,
> > our PCR turned up--a surprise since there had been no formal records
> > request from us.
> >
> > I have been under the impression that once we left that PCR with the
> > hospital it's part of the medical record.
> >
> > The management here, after an opinion from our legal counsel,
supports
> > the practice of not leaving PCRs with the hospital since we know
they
> > could release it without patient consent, a HIPAA violation, except
in
> > the instances where it is required by law.
> >
> > I believe that this practice isn't doing the patient any favors,
and,
> > perhaps, contributing to worse patient care downstream.
> >
> > Anyone have any thoughts?
> >
> > Thanks very much.
> >
> > --wwd
> >
> Hi, Will. Welcome to the group!
>
> I agree that not leaving the PCR at the hospital could work to the
> detriment of the patient. Docs in my area probably don't use the PCR
> much, but they do use them. We get an occasional call from the
> hospital when the PCR doesn't show up, especially from inpatient units
> like ICU.
>
> Where is your medical director in this discussion? Maybe he/she can
> bring some weight to bear.
>
> I probably should add this next statement to the group's home page. I
> am not a lawyer, and I suspect most list members won't be either.
> Even the lawyers that might choose to join here probably will tell you
> their response is not legal advice for a specific situation. So your
> own legal counsel's guidance is what you should follow. They have to
> defend you if they're wrong, so presumably they will have researched
> and considered the issue thoroughly before rendering an opinion.
>
> Having said that, I don't see a HIPAA issue with leaving a PCR at the
> hospital. It serves a legitimate treatment purpose, and we never want
> to let HIPAA stand in the way of treatment. Once we turn it over it
> becomes part of the hospital's medical record. If the hospital gets a
> subpoena for the record, then they must comply, assuming the subpoena
> meets HIPAA requirements for patient notification and applicable state
> laws. That is one of several occasions where HIPAA allows release of
> PHI without patient authorization. (FYI, there is a subtle but
> significant difference between the terms "authorization" and "consent"
> in HIPAA. But that's for another day.) If the hospital follows all
> laws in the process, obviously everyone is OK legally. If they're
> not, it's their record and their HIPAA violation, not yours, IMHO.
>
> What do your state EMS regulations and state law have to say? I would
> hope your attorney considered them. If your state's laws are more
> stringent in restricting disclosure, then they prevail over HIPAA.
> (HIPAA prevails if it is more restrictive.) EMS regulations may have
> a say in whether you leave a PCR. In Virginia, the regulations
> require a PCR copy to be delivered to the ER within 24 hours of the
> patient's delivery.
>
> Hope that helps. Others?
>
> Jim
>

Hello Everyone - I'll start with a long post and then tone in down a little! 

This group should be a big help to folks and everyone should remember the different interpretations and opinions the entire healthcare industry now has on HIPAA and its impact when reading and discussing the standards - some of these issues have only been discussed but not tested by an actual event... 

 
Below are our stances on the issues discussed - I welcome comments and criticism...

Our agency practices leaving the records at the hospital; in fact, the trauma legislation in NC has a requirement in the trauma system program that prehospital care be a part of the evaluation; during a trauma center site visit by the state office of EMS, the pre-hospital record is on their check list of items to review in the hospital medical record.  You have to keep in mind that state privacy laws may be more stringent and require more that the federal laws - they just can't be less…

Also, the standard has an area that may address disclosure of information not "owned" by the covered entity:

(e) Implementation specification: documentation. A covered entity must document the following and retain the documentation as required by § 164.530(j):

(1) The designated record sets that are subject to access by individuals; and
(2) The titles of the persons or offices responsible for receiving and processing requests for access by individuals.

Everyone needs to have a designated record set - when a request is then made, we have a defined record that everyone can follow.  If the hospital does not have the EMS record as part of their Designated Record Set, one could argue it was disclosed inappropriately.  It's all going to come back to local policy and interpretation.

 
As to subpoenas, be careful when responding as there are specific criteria for proper disclosure even in the presence of a subpoena.  The patient still has to be notified of the closure...  see the standard below:

 
(e) Standard: disclosures for judicial and administrative proceedings.

(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

 
You have to read the entire standard to see how it all interconnects based on the "what if" scenarios.

Hope this helps in the discussions…

Dwayne R. Young, BS, REMTP
ES Manager Planning and Research
Guilford County Emergency Services
1002 Meadowood Street
Greensboro, NC 27409
(336) 641-4980 (Office)
(336) 641-6538 (Fax)
 
Confidentiality Notice
 

The information contained in this message contains personally identifiable health information and must be treated with strict confidence.  The information contained herein is intended only for the addressee listed above and should be used only for the purposes of health treatment, payment, or other healthcare operations as defined by Guilford County Emergency Services, or, for other means previously agreed upon by both parties.   Please contact the sender at the designated number as soon as possible to ensure corrective actions are taken so that the intended recipient is contacted.  If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communications is strictly prohibited.  If you have received this in error, please notify us by telephone and delete the message immediately.  Thank You

________________________________

From: hipaaems@yahoogroups.com [mailto:hipaaems@yahoogroups.com] On Behalf Of emtpkelly
Sent: Monday, March 31, 2008 10:00 PM
To: hipaaems@yahoogroups.com
Subject: [HIPAA & EMS] Re: PCRs at the hospital

--- In hipaaems@yahoogroups.com <mailto:hipaaems%40yahoogroups.com> , "Will Dunn" <dunnww@...> wrote:
>
> Hello everyone.
>
> I am (relatively) new to an agency that does not leave field patient
> care reports at the hospital once care has been handed over. I
> complained about this for a variety of reasons.
>
> I am told that there was an instance in the past where following a
> formal records release from the hospital for purposes of litigation,
> our PCR turned up--a surprise since there had been no formal records
> request from us.
>
> I have been under the impression that once we left that PCR with the
> hospital it's part of the medical record.
>
> The management here, after an opinion from our legal counsel, supports
> the practice of not leaving PCRs with the hospital since we know they
> could release it without patient consent, a HIPAA violation, except in
> the instances where it is required by law.
>
> I believe that this practice isn't doing the patient any favors, and,
> perhaps, contributing to worse patient care downstream.
>
> Anyone have any thoughts?
>
> Thanks very much.
>
> --wwd
>
Hi, Will. Welcome to the group!

I agree that not leaving the PCR at the hospital could work to the
detriment of the patient. Docs in my area probably don't use the PCR
much, but they do use them. We get an occasional call from the
hospital when the PCR doesn't show up, especially from inpatient units
like ICU.

Where is your medical director in this discussion? Maybe he/she can
bring some weight to bear.

I probably should add this next statement to the group's home page. I
am not a lawyer, and I suspect most list members won't be either.
Even the lawyers that might choose to join here probably will tell you
their response is not legal advice for a specific situation. So your
own legal counsel's guidance is what you should follow. They have to
defend you if they're wrong, so presumably they will have researched
and considered the issue thoroughly before rendering an opinion.

Having said that, I don't see a HIPAA issue with leaving a PCR at the
hospital. It serves a legitimate treatment purpose, and we never want
to let HIPAA stand in the way of treatment. Once we turn it over it
becomes part of the hospital's medical record. If the hospital gets a
subpoena for the record, then they must comply, assuming the subpoena
meets HIPAA requirements for patient notification and applicable state
laws. That is one of several occasions where HIPAA allows release of
PHI without patient authorization. (FYI, there is a subtle but
significant difference between the terms "authorization" and "consent"
in HIPAA. But that's for another day.) If the hospital follows all
laws in the process, obviously everyone is OK legally. If they're
not, it's their record and their HIPAA violation, not yours, IMHO.

What do your state EMS regulations and state law have to say? I would
hope your attorney considered them. If your state's laws are more
stringent in restricting disclosure, then they prevail over HIPAA.
(HIPAA prevails if it is more restrictive.) EMS regulations may have
a say in whether you leave a PCR. In Virginia, the regulations
require a PCR copy to be delivered to the ER within 24 hours of the
patient's delivery.

Hope that helps. Others?

Jim

--- In hipaaems@yahoogroups.com, "Will Dunn" <dunnww@...> wrote:
>
> Hello everyone.
>
> I am (relatively) new to an agency that does not leave field patient
> care reports at the hospital once care has been handed over.  I
> complained about this for a variety of reasons.
>
> I am told that there was an instance in the past where following a
> formal records release from the hospital for purposes of litigation,
> our PCR turned up--a surprise since there had been no formal records
> request from us.
>
> I have been under the impression that once we left that PCR with the
> hospital it's part of the medical record.
>
> The management here, after an opinion from our legal counsel, supports
> the practice of not leaving PCRs with the hospital since we know they
> could release it without patient consent, a HIPAA violation, except in
> the instances where it is required by law.
>
> I believe that this practice isn't doing the patient any favors, and,
> perhaps, contributing to worse patient care downstream.
>
> Anyone have any thoughts?
>
> Thanks very much.
>
> --wwd
>
Hi, Will.  Welcome to the group!

I agree that not leaving the PCR at the hospital could work to the
detriment of the patient.  Docs in my area probably don't use the PCR
much, but they do use them.  We get an occasional call from the
hospital when the PCR doesn't show up, especially from inpatient units
like ICU.

Where is your medical director in this discussion?  Maybe he/she can
bring some weight to bear.

I probably should add this next statement to the group's home page.  I
am not a lawyer, and I suspect most list members won't be either.
Even the lawyers that might choose to join here probably will tell you
their response is not legal advice for a specific situation.  So your
own legal counsel's guidance is what you should follow.  They have to
defend you if they're wrong, so presumably they will have researched
and considered the issue thoroughly before rendering an opinion.

Having said that, I don't see a HIPAA issue with leaving a PCR at the
hospital.  It serves a legitimate treatment purpose, and we never want
to let HIPAA stand in the way of treatment.  Once we turn it over it
becomes part of the hospital's medical record.  If the hospital gets a
subpoena for the record, then they must comply, assuming the subpoena
meets HIPAA requirements for patient notification and applicable state
laws. That is one of several occasions where HIPAA allows release of
PHI without patient authorization.  (FYI, there is a subtle but
significant difference between the terms "authorization" and "consent"
in HIPAA.  But that's for another day.)  If the hospital follows all
laws in the process, obviously everyone is OK legally.  If they're
not, it's their record and their HIPAA violation, not yours, IMHO.

What do your state EMS regulations and state law have to say?  I would
hope your attorney considered them.  If your state's laws are more
stringent in restricting disclosure, then they prevail over HIPAA.
(HIPAA prevails if it is more restrictive.)  EMS regulations may have
a say in whether you leave a PCR.  In Virginia, the regulations
require a PCR copy to be delivered to the ER within 24 hours of the
patient's delivery.

Hope that helps.  Others?

Jim

Hello everyone.

I am (relatively) new to an agency that does not leave field patient
care reports at the hospital once care has been handed over.  I
complained about this for a variety of reasons.

I am told that there was an instance in the past where following a
formal records release from the hospital for purposes of litigation,
our PCR turned up--a surprise since there had been no formal records
request from us.

I have been under the impression that once we left that PCR with the
hospital it's part of the medical record.

The management here, after an opinion from our legal counsel, supports
the practice of not leaving PCRs with the hospital since we know they
could release it without patient consent, a HIPAA violation, except in
the instances where it is required by law.

I believe that this practice isn't doing the patient any favors, and,
perhaps, contributing to worse patient care downstream.

Anyone have any thoughts?

Thanks very much.

--wwd

--- In hipaaems@yahoogroups.com, Bart Regan <bregan@...> wrote:
>
> An excellent idea Jim, wish I'd thought of it.
>
Thanks, Bart.  Welcome aboard!

Jim

Thought I'd share this with the group; it's in the Files section.

Law enforcement disclosures, as presumably most know, can be tricky.
We don't expect field providers who are confronted with requests for
PHI from police to remember every allowable disclosure.  For quick
reference, we developed this flow chart and had it copied and
laminated for every EMS vehicle in the department.

Thanks,
Jim

Here in Tennessee, my department is handling PHI according to HIPAA.
All department members have been in-serviced and, so far, the media has
respected this.

An excellent idea Jim, wish I'd thought of it.

--- In hipaaems@yahoogroups.com, "joekanzler15" <joe.kanzler@...> wrote:
>
> Jim,
>
> Great idea.
> Look forward to sharing information.
> I am the Privacy Officer for Manatee EMS in sometimes sunny Florida as
> well as other hats.
>
> Joe Kanzler
> Captain
>

Welcome aboard, Joe!

Jim,

Great idea.
Look forward to sharing information.
I am the Privacy Officer for Manatee EMS in sometimes sunny Florida as
well as other hats.

Joe Kanzler
Captain

Let's get this group's very first issue out on the table for
discussion.  First, take a look at this article for background:

http://www.ems1.com/news/articles/391465-Wisc-agencies-continue-to-deny-ambulanc\
e-records

If by some slim chance (in our still very small membership) we have
anyone familiar with Wisconsin law, I would especially like to hear
your take on this case.  Looks like the Wisconsin A.G. thinks some
of the information is public.  That's not how I view Virginia law or
HIPAA.

But regardless, how many of you governmental EMS folks have been
confronted by members of the media (or anyone else, for that matter)
challenging whether information from your PCRs is protected?  Have any
of them made formal requests under your state's Freedom of Information
law?  Have they filed suit or followed any other prescribed appeal
process after first being denied?  What was the resolution?

Thanks,
Jim

--- In hipaaems@yahoogroups.com, "Cliff Parker" <cparker@...> wrote:
>
> I am looking forward to the intereaction in this new group.
> I am Cliff Parker, Captain / Safety Officer for Charleston County
(SC)
> EMS.  My additional duties include being the HIPAA "go to" person for
> this agency.
>

Hi, Cliff.  Welcome aboard!  Looking forward to the dialog with you.
Feel free to talk the group up among your colleagues in Charleston (and
elsewhere)!

Jim

I am looking forward to the intereaction in this new group.
I am Cliff Parker, Captain / Safety Officer for Charleston County (SC)
EMS.  My additional duties include being the HIPAA "go to" person for
this agency.

Greetings to all interested in discussions of HIPAA issues in EMS!
Might as well start with an intro.  I encourage new members to do the
same in this thread.

My name is Jim Kelly.  I am the group owner and sole (as of now)
moderator.  I have been involved in EMS since 1973, first as a junior
volunteer, then later at various times with a private ambulance
company, fire-based EMS, medevac helicopter, and third-service
governmental EMS agency.  I have been an EMT since 1975 and a
paramedic since 1983.  I have done time in the street, in the office,
and in the classroom teaching both certification and merit badge courses.

Currently I am my organization's HIPAA Privacy Officer.  I was cracy
enough to actually volunteer for that role when the HIPAA Privacy Rule
was implemented in 2003.  And for some strange reason, no one around
here wants it.  But that's OK; I almost enjoy it.  Sick, huh?
Actually, I've had an interest in EMS legal issues in general, so this
is right up my alley.

It occurred to me recently that there doesn't appear to be a
discussion group dedicated to EMS HIPAA-related issues.  Occasionally
I'll see HIPAA issues pop up in other EMS groups and lists, but those
discussions seem to be secondary to the main focus of the groups --
and to the main interests of the members.  Rarely, I'll see an EMS
issue pop up in one of the mainstream HIPAA groups, but most of those
groups' members are hospital privacy and/or security officers and the
like discussing issues that have little direct relevance to EMS.

For now I've configured the group settings to allow members to post
photos (with moderator approval), files, links, polls, and databases.
  Please follow the prescribed posting guidelines, common sense, and of
course, the law when you post.

So, here it is.  I plan to promote this within the EMS community
through existing contacts, organizations, and websites.  I encourage
members to do the same.  Please alert your colleagues in other
agencies, your regional council, your state EMS office ... whatever or
wherever you see fit.  The greater the number of knowledgeable -- or
inquisitive -- members, the better the overall group.