Medical Record Confidentiality - Protecting PHI

The fire service creates and manages many records, including personnel files, personnel medical records, inspection reports, personnel action forms (better known as discipline or corrective action forms), vacation requests and many others. Depending on public disclosure laws, those records may have some protection, a lot of protection or no protection at all.

The set of records with the highest level of protection is the medical records created during EMS responses, which contain patient health information, known as PHI. Washington law RCW 70.02, Confidentiality of Medical Records, applies to all providers and is similar to the laws of most if not all states dealing with patient health information (1). Only 42 states provide either criminal or civil penalties for improper disclosure.

We have a fundamental but not absolute right to privacy, found in both tradition and the law. The most protected is our right to the confidentiality of identifiable personal health information; like other privacy rights, it balances individual privacy interests against society's need to know (2).

The Hippocratic Oath, dating back hundreds of years, requires physicians, and now other health care providers including EMTs and paramedics, to keep secret all knowledge of an individual patient's health information, which in itself is a struggle.

Patient health information (PHI) is maintained not only by health care professionals but also by others in the patient's continuum of care, including ambulance services, laboratories, X-ray departments and other caregivers. A secret is best kept by one person, but in the health care industry hundreds of people may attend one patient.

If you are an EMS agency that bills for services, additional individuals share that information in the form of a third-party billing agency, and that sharing must be covered by an agreement between the parties known as a Business Associate Agreement (3). If you do not bill for service, you are not held to this requirement.

All states provide statutory protection for personal health data maintained by public agencies and permit disclosure for one or more purposes, most commonly statistical evaluation, contacting persons diagnosed with sexually transmitted and infectious diseases, epidemiological investigations, and use in court pursuant to subpoena or court order. In certain circumstances there is a need to know without the patient's authorization, especially in the mental health arena when a patient makes a direct threat against another person or the community; the provider then has an obligation to notify the targeted person or the police in the community. Most states have an exception to the therapist-patient privilege for dangerous patients, often referred to as the Tarasoff duty (Tarasoff v. Regents of Univ. of Cal., 17 Cal.3d 425 (1976)). Depending on the jurisdiction, the exception either allows or requires therapists to report statements by patients that indicate dangerousness. The law might, for instance, say that therapists must disclose statements when the patient presents a risk of serious harm to others and disclosure is necessary to prevent that harm.

On the federal level, the Privacy Act of 1974 provides limited protection against disclosure by the government of individual health records maintained by government agencies such as the Veterans Administration and the Department of Defense. The Americans with Disabilities Act of 1990 (ADA) prohibits discrimination on the basis of a disability, including HIV or AIDS, but does not directly protect privacy; rather, it only provides a remedy for discrimination based on breaches of confidentiality.

Remember that the federal Health Insurance Portability and Accountability Act (HIPAA) provides a baseline of protection for all health information. Many states, pre-HIPAA, already had legislation protecting PHI and allowing the release of medical information to others only under certain conditions. HIPAA was primarily about health insurance portability when you move from job to job and the eligibility issues that result from such moves; it contains a small section addressing the protection of PHI, and our emergency world went crazy attempting to comply with an obscure law (4). In most situations PHI was already protected, and it has generally been the case that the release of medical information relies on a signed release from the patient or guardian.

Although medical records created by EMS responders are confidential, there are times your department may receive a request for them. Such a request must be made in writing and must be accompanied by a medical records release form signed by the patient. My legal suggestion is to either run the request by your legal counsel or have a qualified Records Management Officer in your department. Washington State, for example, has such a statute, RCW 40.14.040, declaring that "each department or other agency of the state government shall designate a records officer to supervise its records program and to represent the office in all contacts with the records committee, hereinafter created, and the division of archives and records management." If your department does not have the staffing for this important position, make sure you run all requests for records through the Chief or your legal counsel.

Department firefighter and staff personnel files and medical files must be kept as two separate files, dividing PHI medical information from general employment information. The bar is slightly lower for a request for a "personnel file," and if you mix medical and personnel information in one file, all of it is available with a simple Public Records Request.

Firefighters are one of the best sources of information (scuttlebutt), but what if the information discussed in the station is about your personal health issues? Can you prevent station scuttlebutt about your medical conditions? In general, there is no penalty if you discuss your medical issues with another employee and they inadvertently talk to others. If the employer is the sole source of that information and breaches that confidentiality, there may be a penalty under HIPAA, and if confidential medical information is used to leverage you out of the organization, that may be discriminatory.

An employer is not defined as a covered entity based solely on being an employer unless it is self-insured. When an employer sponsors an ERISA health plan, the entity administering the employee health plan is the "covered entity." Typically, covered entities are medical plans, health care providers and health care clearinghouses. Since protected medical information must be both individually identifiable PHI and information that falls under the administration of a covered plan or entity, employers that are not health care providers or clearinghouses are generally not covered entities. Each case is unique in its fact pattern, but nevertheless, the less discussion there is about other employees' medical issues, the better off you and the organization will be. The Department must have a policy in place preventing such discussion.

Computerized medical records that departments create on EMS responses and download must be protected from incursions from both inside and outside the department. Recent Electronic Medical Records (EMR) technology has certainly made medical reporting easier, but also more vulnerable to hacking or unauthorized access. Look at the examples in the medical and pharmaceutical industries, where millions of patient records have been stolen from servers and other data storage facilities. Fire and EMS services must do everything reasonably possible to protect patient care information with robust firewalls and up-to-date software.

Retention and destruction is the final chapter in the creation and protection of PHI and other records. Every state has a records management schedule outlining how its public entities manage all of their records. In Washington State, EMS records are retained for eight years and fire response records for six years, after which they are destroyed, generally by shredding paper and wiping or destroying electronic records (5).

DO NOT toss PHI material in a dumpster, as CVS pharmacy found out when it dumped prescription information into its dumpsters and suffered a major fine for a HIPAA violation for not protecting PHI (6).

Protection of a patient’s medical records and PHI is your responsibility. Do all you can to shield and protect this important and confidential information.

End Notes
1) https://statelaws.findlaw.com/health-care-laws/medical-records.html
2) Confidentiality of Medical Records - AHIMA - http://bok.ahima.org/doc?oid=60048
3) Business Agreements - https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
4) HIPAA - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/introdution.html
5) Records Retention - https://www.sos.wa.gov/_assets/archives/recordsmanagement/fire-districts-and-emergency-medical-1.0.pdf
6) CVS HIPAA Violation - https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cvs/index.html