Privacy of patient records in California is addressed in two foundation pieces of legislation: HIPAA at the federal level, and CMIA at the state level. While there are a myriad of nuances in both pieces of legislation, their definitions, and in the HIPAA implementation regulations, there is one very basic and common element – patient medical information may be disclosed for treatment purposes without the patient’s prior authorization. Patient psychological and substance abuse information are covered by a more complex set of laws and regulations, and the excellent infographic on the CalOHII web site can be very helpful in determination of when patient consent is needed for requesting disclosure of sensitive data: see http://www.ohii.ca.gov/calohi/ohii-patient-authorization-guidance-tool.htm.
While it is true that the original HIPAA regulations applied only to “covered entities” (specifically those providers that bill for services), regulatory revisions present in the HITECH implementation regulations expanded the reach of HIPAA to all entities, whether or not a Business Associate agreement exists, who receive, use, store, or disclose patient information. So, the takeaway here is that EMS providers are entitled to ask for and receive medical information on patients they are treating or about to treat, just the same as any caregiver providing treatment in any doctor’s office, clinic, or hospital. The law does not limit who can provide treatment. The point being, EMS access to patient information for treatment purposes is just as valid and natural as ED access to records – all of the rules are the same.
EMS ePCRs are also a form of EHR, and would therefor also be covered by the same rules for maintaining the security of those records both during transmission and display, and at rest. The security provisions in HIPAA would apply equally and without exception to any implementation of an ePCR and the use of the ePCR in the field – including transmission and exchange of information. Hospitals and medical groups need not be concerned about sending data to an EMS provider in response to an authenticated request because the legal requirements for the secure maintenance and use of such data are identical.
There has been much concern over whether or not EMS ePCRs can also gather patient identifiable post-treatment information for the purpose of quality improvement and analytics. HIPAA would permit such data sharing between covered entities for administrative purposes, but California law is somewhat ambiguous. There is a bill presently before the California Legislature (Assembly Bill 503) which removes any ambiguity and which is supported by the CHA and a bi-partisan coalition of legislators. Once this bill becomes law (perhaps this year?) it will become routine for hospital EDs to share an outcome dataset with the EMS agencies and LEMSAs.
Data exchange from the ePCR to the ED’s electronic medical record is also a very natural and expected occurrence as both organizations are involved with the treatment of the patient. While it is true that hospital EMRs typically do not accommodate much of the information held in an ePCR, because such information is specific to the EMS encounter itself, California already has some basic reporting requirements for all ED visits (OSHPD), and has significantly more reporting requirements for Trauma. As state and federal agencies and the insurance companies seek to expand quality and performance indicators, I would expect that a well-designed subset the ePCR data will eventually be needed to automate both existing and near-future analytics and reporting requirements. It is therefore encouraging that the SAFR objectives are exploring bi-directional data exchange and discrete management of EMS/ED datasets.
David A. Minch, President/COO of HealthShare Bay Area and President/Board Chair of the California Association of Health Information Exchanges (CAHIE), was invited to provide a guest-author post for this blog. We invite anyone with a voice on the issues relevant to HIE in EMS to share your expertise.