Concerns Over Patient Confidentiality Part II
One of the main goals of this blog is to link the affect of public policy to the delivery of health care, especially as it relates to emergency medical services. An example would be how the public investment in a statewide radio network positively enhanced various public agencies’ performance during the I-35 bridge collapse and the Republican National Convention. There are many such issues that seem to be fertile ground for public discussion.
The Health Insurance Portability and Accountability Act, or HIPAA, however, was not one that had immediately come to mind.
Soon after this website’s beginnings, a reader forwarded an anonymous email voicing the concern that Ambulance Driver, in its 911 Update series, was violating HIPAA laws as it pertained to patient confidentiality. This was rather surprising given the care given not to disclose personal health information and the efforts made not to link data to a specific patient.
Since this subject has been dropped in the lap of Ambulance Driver, and it does directly relate to the goal stated above, we may as well talk about it.
The first call was made to the Ambulance Department manager requesting to have this blog’s content reviewed by the hospital’s HIPAA compliance officer.This request was made March 3rd and, in what may very well be a
bureaucratic world record, a reply was sent the very next day.
Permission has not been granted to disclose the reply but a fair synopsis would be:
-
A policy on this subject is in the works
-
Providing dates of service is a problem
-
Providing location of service any more specific than a state is a problem.
-
Blogging on the course of your work is not advisable
-
Blogging on the subject of patient care is not advisable
Ambulance Driver is unconvinced that a patient’s identity could be gleaned from the information provided on its 911 Updates. However, after reviewing a legal summary of the law, one has to admit that the employer’s reasoning does have merit. HIPAA is a morass. For a health care agency to be cautious is just being prudent. The employer did not write the law, they are merely trying to comply.
HIPAA law seems to indicate that one may state, “I picked up a patient in Illinois last week with a broken leg.” On the other hand one may not say, “On March 2nd I picked up a patient in Chicago with a broken leg.” Seems silly, doesn’t it?
While not discussed in their response, the employer probably has some other thoughts on this topic. They have thousands of employees, hundreds of which may use social networks such as Twitter, Facebook and My Space. A few may be blogging. In this context, protection of patient confidentiality would be
a concern.
Ambulance Driver will do its best to alleviate the employer’s concerns over this website’s content and is confident that the situation can be worked out to the satisfaction of both parties. This has been submitted to an attorney familiar with HIPAA law and inquiries made to my Congressman in an effort to obtain a definitive answer to this question. All material will be shared with this blog’s readers and with the employer.
If any of my millions of readers have any comments, please feel free to share.
Duke, I hope this can be worked out because I think you’re performing an important service here. For me to track back and figure out a patient identity from your posts would be virtually impossible.
Jason DeRusha
6 Mar 09 at 3:17 pm
Duke, you are correct in saying that HIPAA is a morass. I have and am currently studying to become a Certified HIPAA Security Specialist, so I do have more than a bit of knowledge in this area.
The goal of HIPAA was to make it impossible for personal health information to be accessed by someone not directly associated with the care of that specific patient. For the most part, people are unaware of how much of a pain this set of laws is not only to comply with but to enforce.
For Ambulance Driver the example that came to my mind has to do with a third party contractor that is doing some sort of evaluation on patient care. They can be provided information such as: Sex, year of birth, aliment, treatment, even cost of care and family history – items that cannot be provided are: Name, full date of birth, address, phone number, social security number, etc. Again, if you can tie specific information to a specific patient HIPAA has been violated.
Now, to the point – I, as a reader, am unable to determine that George Harrison, who lives in Chicago, broke his leg on the 2nd of March from this blog. As Ambulance Driver’s employer, I could not disclose patient information to unauthorized sources.
Ring….Ring
“Good Afternoon, Ambulance Driver’s Employer.”
“Hello, I heard that a guy was picked up sometime yesterday by your service that broke his leg – could you tell me who this person was so I could contact them?”
“No.”
“Well, could you tell me at what address this occurred?”
“No.”
“What can you tell me?”
“Nothing more than you already know.”
The point of this exercise is that even if you tried to get specific patient information directly related to this blog, you would find your search in vein, much like putting toothpaste back in the tube. There is simply no way that this blog violates HIPAA, the way in which the blog is written and the precautions the author has taken in protecting the very thing that is being debated.
HIPAA Guy
6 Mar 09 at 4:36 pm
to be further series’ or is that it after this one finishes?
South Park
7 Jan 10 at 6:14 pm
Health reform will ruin our system.
Jill Plusher
8 Jan 10 at 9:05 pm