Flightmed archive for April-2003

RE: HIPPA and Patient Follow-up
First, we are just a week away from implementation
deadline - so hurry and get your HIPAA compliance program in place (the Feds
actually recommended that it should have been in place 6 months ago so the bugs
would be ironed out by the 14th...). Secondly, like Rollie, I am not a
lawyer, but I will be next month when I graduate from law school, so let me take
a crack at the questions (don't construe that to mean I'm actually providing
advice - I'm NOT - just commentary...)

I believe the central question for this thread
was: "For the lawyers on the list, WOULD a patient follow-up request
be a violation?"

Simple answer: No.

Complex answer: The HIPAA Privacy Rule
permits an ambulance service or other health care provider to disclose protected
health information about an individual, with or without the individual's
authorization, to another health care provider, such as a hospital, for that
provider's treatment of the individual, payment for services or operations
(a.k.a. TPO). If you consider that a follow up letter is related to "treatment"
then look to 45 CFR 164.501 of the Privacy Rule that defines treatment as the
provision, coordination or management of health care and related services by one
or more health care providers, including the coordination or management of
health care by a health care provider with a third party; consultation between
health care providers relating to a patient or the referral of a patient for
health care from one health care provider to another. 45 CFR 164.506
specifically states that a covered entity may disclose protected health
information for treatment activities of a health care provider. Therefore,
45 CFR 164.501 and 45 CFR 164.506 provide EMS personnel with the authority to
receive protected health information for purposes of transport and subsequently
permits EMS personnel to disclose protected health information to another health
care provider such as a hospital for continued patient treatment.

Depending upon how you draft your policy related to follow up and how closely
tied your service is to the providers you work with, using the letters
under this umbrella may meet the Privacy Rule. Remember that
you must keep a record of how you use an individual's PHI in the event
that they request a disclosure history.

The Privacy Rule
does not require you to document any information, including oral
information, that is used or disclosed for treatment, payment or health care
operations, however, there are certain documentation requirements for some
information disclosures that are for other purposes. For example, some
disclosures must be documented in order to meet the standard for providing a
disclosure history to an individual upon request. Where a documentation
requirement exists in the Rule, it applies to all relevant communications,
whether in oral or some other form. So if you disclose information
about a case of SARS to a public health authority as permitted by the Rule at 45
CFR 164.512, you must maintain a record of that disclosure regardless of
whether the disclosure was made orally, by phone, or in writing.

Another way to look at it is to look to the definition of "health care operations"
in the Privacy Rule, which provides that disclosure of PHI is OK when "conducting
training programs in which students, trainees, or practitioners in areas of
health care learn under supervision to practice or improve their skills as
health care providers." You can shape your policies and procedures for
minimum necessary uses and disclosures to permit medical trainees access to
patients' medical information, including entire medical records. Depending
upon what info you choose to share, no justification is needed in those
instances where the minimum necessary standard does not apply, such as
disclosures to or requests by a health care provider for treatment purposes or
disclosures to the individual who is the subject of the protected health
information.

Two other areas of
interest are disclosure of PHI, without individuals' authorization, to
public officials responding to a bioterrorism threat or other public health
emergency and release of PHI to law enforcement.

The Rule recognizes that various agencies and
public officials will need protected health information to deal effectively with
a bioterrorism threat or emergency. To facilitate the communications that are
essential to a quick and effective response to such events, the Privacy Rule
permits covered entities to disclose needed information to public officials in a
variety of ways. Covered entities may disclose protected health information,
without the individual's authorization, to a public health authority acting as
authorized by law in response to a bioterrorism threat or public health
emergency (see 45 CFR 164.512(b), public health activities). The Privacy Rule
also permits a covered entity to disclose protected health information to public
officials who are reasonably able to prevent or lessen a serious and imminent
threat to public health or safety related to bioterrorism (see 45 CFR
164.512(j), to avert a serious threat to health or safety). In addition,
disclosure of protected health information, without the individual's
authorization, is permitted where the circumstances of the emergency implicate
law enforcement activities (see 45 CFR 164.512(f)); national security and
intelligence activities (see 45 CFR 164.512(k)(2)); or judicial and
administrative proceedings (see 45 CFR 164.512(e)).

The Rule does not expand current law enforcement
access to individually identifiable health information. In fact, it limits
access to a greater degree than currently exists, since the Rule establishes new
procedures and safeguards that restrict the circumstances under which a covered
entity may give such information to law enforcement officers. For example,
the Rule limits the type of information that covered entities may disclose to
law enforcement, absent a warrant or other prior process, when law enforcement
is seeking to identify or locate a suspect. It specifically prohibits disclosure
of DNA information for this purpose, absent some other legal requirements such
as a warrant. Similarly, under most circumstances, the Privacy Rule requires
covered entities to obtain permission from persons who have been the victim of
domestic violence or abuse before disclosing information about them to law
enforcement. In most States, such permission is not required today. Where
State law imposes additional restrictions on disclosure of health information to
law enforcement, those State laws continue to apply.

Even in those circumstances when disclosure to law
enforcement is permitted by the Rule, the Privacy Rule does not require covered
entities to disclose any information. Some other Federal or State law may
require a disclosure, and the Privacy Rule does not interfere with the operation
of these other laws. However, unless the disclosure is required by some other
law, covered entities should use their professional judgment to decide whether
to disclose information, reflecting their own policies and ethical principles.
In other words, doctors, hospitals, and health plans could continue to follow
their own policies to protect privacy in such instances.

COMMENTARY: Some have called HIPAA the
"lawyers' right to work act" because so many lawyers will be needed to
interpret the Rule. I believe the reality is that if you use the PHI in
such a way that you aren't maliciously broadcasting sensitive
material to the general public, you should be OK. You could ask the
question to 10 attorneys and get 10 answers. The real issue is that you
have a policy that shows you have exercised due diligence in following the Rule
as set forth. There are some additional safeguards you
could do such as an advance letter to all providers you share follow-up
with outlining your Privacy policy and how you will use PHI and placing
a warning/disclaimer on each follow-up letter advising the
reader that the information is restricted and is specifically used for TPO and
cannot be used for any other purpose. Run whatever you have through
your agency's/hospital's/program's risk manager and see what they say.

I hope this helps.

John R. Clark, BS, NREMT-P, FP-C

-----Original Message-----
From: flightmed-admin@flightweb.com [mailto:flightmed-admin@flightweb.com] On Behalf Of Jeff Brosius
Sent: Saturday, April 05, 2003 7:51 AM
To: ems-l@listserv.unc.edu; flightmed@flightweb.com; paramedicine@yahoogroups.com
Subject: HIPPA and Patient Follow-up

Cross posted to several lists... if you get this more than once, then.... well.... get over it! <g>

Anyone figure out a way to do follow-ups on patients brought in by EMS (ground or air) without violating the new Hippo - er, HIPPA - rules? For the lawyers on the list, WOULD a patient follow-up request be a violation? Can we do this, or are follow-ups a thing of the past, relegated to the antiquities collection thanks to unexpected consequences of good-intentioned legislation reforms?

If anyone has input, I'm all ears. Feel free to reply privately if you'd prefer.

------------
JRB
Jeff Brosius, Paramedic, etc.
Atlanta, GA
www.prehospitalperspective.com
brosius@prehospitalperspective.com
"Nibblin' on sponge cake..."

© 2000 -- Website created by
Rollie Parrish |
Credits |
Last modified: 04/07/03