EMS LEGAL TIPS & ADVICE
Patient privacy can only go so far
By Stephen R. Wirth, Esq., EMT-P
Many communication practices play an important role in ensuring that a patient receives prompt and effective prehospital healthcare. Due to the nature
of these practices, as well as the unique environment of EMS field medicine, the potential
exists for the patient’s protected health information (PHI) to be disclosed “incidentally.” Incidental disclosure is part of the normal course
of providing care to the patient, or, put another
way, is “incident to” that care.
A bystander may overhear an EMS provider’s conversation with another provider about
the patient, see the care that’s being provided
on scene, or overhear patient information being
communicated to the hospital. These would be
considered incidental disclosures.
The Health Insurance Portability and
Accountability Act (HIPAA) isn’t intended to
impede these customary and essential communications and practices. The regulations don’t
require that all risks of incidental disclosure
of patient information be eliminated. Instead,
HIPAA adopts a common-sense approach,
and permits certain incidental uses and disclosures of PHI to occur—as long as your agency
has reasonable safeguards in place to minimize
disclosures and protect the patient’s privacy.
REDUCE INCIDENTAL DISCLOSURES
Pay attention to who may be within earshot
when making verbal statements about a patient’s
health information, and follow common-sense procedures for avoiding accidental or
inadvertent disclosures. Here are five areas
where incidental disclosures are likely to occur
in the field, and suggestions for reasonable
safeguards to reduce their impact:
1. Verbal patient information. Regardless of
physical location, only discuss PHI with those
who are involved in the care of the patient.
When discussing PHI with patients, take rea-
sonable steps to make sure that only those
involved in the care of the patient are within
earshot. If it doesn’t interfere with patient care,
EMS providers should try to remove those not
engaged in patient care before discussing.
2. Bystanders seeing a patient. This may be
unavoidable in the uncontrolled environment of
EMS field medicine. The priority should always
be caring for the patient. If you’re at the scene of
an extended extrication and the patient is visible to the public, particularly the news media,
it would be reasonable to use a tarp to shield
the public and media from viewing the patient.
Should you have curtains or screens that
cover the patient compartment windows? There
are real safety concerns for the crew and the
patient if you can’t adequately see out the window. You shouldn’t do things to protect patient
privacy if they interfere with your ability to
safely provide care. Each situation needs to be
evaluated independently. If you can shade the
windows easily while still maintaining visibility,
then do so. Newer technologies, such as mirrored windows and windows that can go from
clear to opaque, are becoming more common
and should be used if you have them.
3. Paper patient care reports (PCRs). All paper
PCRs should be stored in secure areas when not
in use. No paper records concerning a patient
should be left in open bins or on desktops or
other surfaces. Additionally, billing records,
including notes, remittance advices, charge slips
or claim forms shouldn’t be left out in the open.
They should be stored in an area with access
limited only to those who need the information
for the completion of their duties.
4. Electronic PCRs (ePCRs). Computer terminals and other mobile devices should be secure,
and staff members must be sensitive to who may
be in viewing range of a monitor. All mobile
devices such as laptops, toughbooks, tablets
and cellphones should always remain in the
physical possession of the individual to whom
they are assigned.
5. Multiple patients. Just as hospitals aren’t
required to give every patient a private room,
neither are ambulances limited to transport-
ing only one patient at a time. In such a case,
HIPAA requires that you take reasonable pre-
cautions to minimize the chance of an inciden-
tal disclosure of PHI. It wouldn’t be a HIPAA
violation to communicate information about
multiple patients while a patient can overhear;
those are simply unavoidable incidental disclo-
sures. Reasonable precautions might include
making the radio transmission from the front
of the ambulance and closing the door between
the cab and the patient compartment.
Reasonable safeguards to limit incidental disclosures of PHI will vary, and depend on many
factors. Agencies must analyze their own needs
and circumstances, and assess the potential
risks to patient privacy. EMS agencies should
also consider the potential effects on patient
care and other issues, such as the financial and
administrative burden of implementing safeguards. The bottom line: All EMS providers
and staff should be sensitive to the possibility
of incidental disclosures of patient information
and should avoid incidental disclosures to others
who don’t need to know the information. JEMS
1. Wolfberg D, Wirth S, editors. The ambulance service guide to
HIPAA compliance, fourth edition. Page, Wolfberg & Wirth, LLC:
Mechanicsburg, Pa., 2013.
2. U.S. Department of Health and Human Services. (2002.) 45
CFR 164.502(a)( 1)(iii). Fact Sheet: incidental uses and disclosures. Retrieved Dec. 4, 2017, from www.hhs.gov/hipaa/for-professionals/privacy/guidance/incidental-uses-and-disclo-sures/ index.html.
Stephen R. Wirth, Esq., EMT-P, is an EMS
attorney and founding partner of Page, Wolfberg & Wirth, which represents EMS agencies
throughout the United States. He has worked
as a firefighter, EMT, paramedic, flight paramedic, EMS instructor, fire officer and EMS executive.
Pro Bono is written by the attorneys
at Page, Wolfberg & Wirth, The
National EMS Industry Law Firm.