Since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August of 1996, it has mystified and terrified healthcare professionals everywhere. The perceptions of HIPAA range from those who say “never say anything, anywhere, to anyone” to those who say “HIPAA didn’t change anything”. Well… Neither is true.
HIPAA seeks to do a few things. It was designed to make healthcare coverage “portable”. This means that pre-existing conditions would no longer be excluded in new insurance policies–so long as the patient had insurance up until the new insurance went into effect.
Further, the standardization of electronic record keeping and claims management was a large target of this bill–and this is where the primary concerns of HIPAA come into effect. With this, the Federal Government realized the potential for abuse of patient information and created the security standards that we have all grown to fear.
With that, it is important to understand who is obligated to abide by HIPAA. It has always been perceived that EVERYONE that is around a patient is a “covered entity”–in that anyone on a scene had to follow HIPAA policies. This is NOT the case though.
In EMS the “covered entities” are simple: any “health care provider” (it could be said that pretty much anyone at a scene is a health care provider–in one aspect or another) who submits information electronically–whether for billing or reporting purposes.
This means that a fire department that has paramedics but does not transport or bill the patient, or file electronic reports, is NOT a covered entity and does NOT have to follow HIPAA privacy guidelines or standards. That being said–you are very likely required to meet the standards of a state healthcare privacy law, which are usually higher than HIPAA’s.
Not so complicated, eh?
Now the question is… what is Protected Health Information?
“PHI is a subset of IIHI, or individually identifiable health information. That obviously includes information with the patient’s identity still attached. But it also includes information where it would be possible to discern the identity of the individual by virtue of some indirect means. If it’s reasonably likely that someone could identify the individual from the information you’re using or disclosing, then you’re using or disclosing IIHI, which means you’re using or disclosing PHI, which means you’re violating HIPAA (unless it’s a use or disclosure for an allowed purpose, like treatment).”–Jeff Drummond at Jackson Walker Law.
This means that in reality, it is very difficult to tell a “war story” without disclosing HIPAA protected information. Because of this, Jeff recommends that medbloggers fictionalize the story. Change everything but the concept. You can even keep the details pretty close, assuming you change it so that your reader cannot identify the character in your story.
SO… your story about a 23 year old white female becomes a story about a 31 year old Hispanic male (unless female is essential to your story). Your story about a 12 year old Asian boy’s parents becomes one about a 10 year old Australian’s parents.
Get it? Now, if you can tell a story (that makes sense) without disclosing ANY PHI, then you are safe. Details of the event, such as age, race, description, treatment, and/or location mean that you could easily be crossing the dreaded HIPAA line…
Remember–even if you are NOT violating HIPAA, you have both a code of ethics and State Privacy Laws to keep in mind when disclosing any patient information.
Sources:
Email from Jeff Drummond at JW.com (hipaablog.blogspot.com)
http://www.cms.hhs.gov/HealthInsReformforConsume/03_FiveStepstoUnderstandingHIPAA.asp
http://www.merginet.com/index.cfm?searched=/admin_management/legal/HIPAAPrivacy.cfm
http://www.merginet.com/index.cfm?pg=legal&fn=privacyviolation
http://www.hipaaps.com/main/background.html