There is a lot of confusion and misinformation out there regarding HIPAA (Health Insurance Portability and Accountability Act). This law was enacted in 1996 with the intent of protecting the health insurance benefits of workers who lose or change their jobs, providing standards for electronic health care transactions, and protecting a patient’s sensitive health information. This last part has caused much grief among trauma professionals.
It is commonplace for a trauma patient to require the services of many providers, from the initial prehospital crew, doctors and nurses at the initial hospital, yet another ambulance or aeromedical crew, professionals at a receiving trauma center, rehab or transitional care providers, and the patient’s primary physician to name a few. Unfortunately, because there can be significant financial penalties for violating the HIPAA privacy guidelines, providers are more likely to err (incorrectly) on the side of denying information to others outside their own institution.
All of the people mentioned above are considered “covered entities” and must abide by the HIPAA Privacy Rule. This rule allows us to release protected information for treatment, payment and “health care operations” within certain limits. The first and last items are the key provisions for most trauma professionals.
Treatment includes provision, coordination and management of care, as well as consultations and referrals (such as transferring to a trauma center). Think of this as the forward flow of information about your patient that accompanies them during their travels.
Health care operations include administrative, financial, legal and quality improvement activities. These quality improvement activities depend on the reverse flow of information to professionals who have already taken care of the patient. They need this feedback to ensure they continue to provide the best care possible to everyone they touch.
Bottom line: Trauma professionals do not have to deny patient information to others if they follow the rules. Obviously, full information must be provided to EMS personnel and receiving physicians when a patient is transferred to a trauma center. But sending information the other way is also okay when used for performance improvement purposes. This includes providing feedback to prehospital providers, physicians, and nurses who were involved in the patient’s care at every point before the transfer. The key is that the information must be limited and relevant to that specific encounter.
Feedback letters and forms, phone conversations and other types of communications for PI are fine! But stay away from email, which is not secure and is usually a violation of your institutional privacy policies.
Always consult your hospital compliance personnel if you have specific questions about HIPAA compliance.
Reference: HIPAA Privacy Rule