Content provided by ZOLL Data Systems
By Ryan Stark
Why is it that HIPAA is not an issue when EMS agencies share patient information with hospitals, yet it is often a roadblock when EMS agencies ask for outcome data? Here’s the thing: HIPAA is not an issue.
The Federal privacy law permits and endorses bi-directional health information exchange (HIE) between EMS and healthcare facilities. Misconceptions about HIPAA have created an artificial barrier to vital bi-directional data exchange between care providers that could improve patient outcomes and advance evidence-based practices in prehospital care.
PWW and NEMSIS Collaborate to Tear Down the “HIPAA Barrier”
The national EMS industry law firm, Page, Wolfberg & Wirth (PWW), was recently asked by the National EMS Information System (NEMSIS) to clarify how HIPAA applies to bi-directional sharing of patient information between EMS and other healthcare providers.
This summer, PWW and NEMSIS released the white paper, “An Imaginary Barrier: How HIPAA Promotes Bi-directional Patient Data Exchange With Emergency Medical Services.”
This white paper is a tool that EMS agencies can use when dealing with facilities that continue to employ the “HIPAA excuse.” It also goes beyond knocking down the HIPAA wall and explains:
- Why bi-directional sharing with EMS is critical in today’s healthcare ecosystem
- How HIPAA and Federal agencies endorse bi-directional sharing
- How HIPAA’s Security and Breach Notification Rules address fears about the security of shared data
Four Reasons Why Bi-directional Sharing Is More Critical Than Ever Today
-
It is already improving patient care.
Data sharing between EMS and other healthcare practitioners is already yielding significant benefits for several EMS agencies in the U.S. Access to medications, allergies, recent hospitalizations, and past medical history enables EMS practitioners to make informed decisions about transport to a particular facility, prehospital interventions, and patient preferences, such as end-of-life decisions. On the flip side, having access to hospital discharge, summary diagnoses, outcome, and inpatient treatment information significantly enhances continuous quality improvement, leading to better patient outcomes in both the prehospital and the hospital setting. -
It is needed in a pandemic.
Facilities may — and should — share health information with EMS agencies, including patient outcome information (such as the infectious status of a patient). EMS clinicians deserve to know the infectious status of the patient right away. Knowing the patient’s COVID status also directs the patient to the appropriate destination — sometimes, the patient’s home to quarantine. - It can help curb the opioid crisis.
Recent Federal guidance gives healthcare providers broad authority to share necessary health information to help opioid patients. EMS clinicians may inform other providers and family members about a patient’s opioid abuse after determining that the information is needed for treatment or discovering that the patient poses a serious and imminent threat to their health. Curbing the opioid crisis requires information sharing with those who can break the cycle of opioid abuse. - It is required for the Emergency Triage, Treat and Transport (ET3) model.
Health information exchange between EMS and other healthcare providers is critical for the success of the Center for Medicare and Medicaid Services’ (CMS) ET3 Model, slated to start in January 2021. The ET3 Model calls for participants to submit an Interoperability Plan that demonstrates the ability to share patient information among providers in EMS systems. Effective triage of patients in the field depends upon a complete picture of the patient’s past and present medical condition
HIPAA and Federal Agencies Permit and Promote Bi-directional Sharing
HIPAA not only permits hospitals and other care providers to share the outcome and other patient data with EMS agencies, but the Federal agencies that enforce HIPAA unequivocally endorse bi-directional exchange of that data.
Under HIPAA, healthcare providers can share protected health information (PHI) with other healthcare providers for the treatment and healthcare operations activities of the other provider without patient consent or authorization. HIPAA permits hospitals (and other facilities) to share with EMS agencies PHI about the patient’s treatment, the patient’s outcome, and the discharge diagnoses of the patient so that ambulance services can provide appropriate treatment if and when they encounter the patient in the future. In addition, if the EMS agency conducts clinical QA/QI on patients transported to a hospital, the hospital may provide outcome and disposition data to the EMS agency for the clinical QA/QI program.
EMS Agencies Must Secure Patient Data Just Like Hospitals
A significant concern that hospitals raise about sharing the outcome with EMS agencies is that the information will not be properly secured by those agencies. This concern is assuaged by the fact that EMS agencies are required to employ their own safeguards for PHI that they receive. EMS agencies must have in place the same (or roughly the same) safeguards that hospitals are required to employ. And EMS agencies are subject to penalties from HHS if they fail to comply with the Security Rule, just like hospitals. Thus, there are no greater risks for hospitals sharing PHI with EMS agencies than there are with the EMS agencies providing their PHI to the hospitals, as they routinely do when they transfer care upon arrival.
Hospitals Are Not Responsible for Breaches by EMS Agencies
Finally, hospitals generally are not responsible for breaches of PHI by EMS agencies. Once PHI is received by an EMS agency, any breach of that PHI becomes the responsibility of the EMS agency under HIPAA. If a hospital provisioned secure access to its patient database or securely transmitted PHI to an EMS agency for treatment or quality assurance activities of the EMS practitioner, the hospital would generally not be responsible for any improper uses and disclosures — including any breaches — of the PHI that happen at the EMS agency. Any breach would be the responsibility of the EMS agency that received the PHI, just as a breach by a hospital of its PHI (including an EMS patient care report that becomes part of the hospital’s records) would be the responsibility of the hospital.
We hope that meaningful data sharing between facilities and EMS agencies will become the norm and put aside, once and for all, the myth that HIPAA is a barrier to bi-directional sharing.