Though lauded as a standard-bearer for medical privacy nationwide, a federal law that took effect in April doesn’t seem to be doing Clif Poole much good.
The Vacaville resident was riding in an ambulance last May when the driver asked him about his medical history. When Poole asked what would happen to the information, he was told the county wanted it.
But according to a new federal laws that took effect this year, Poole thought the only people entitled to patient records – other than patients themselves – are those providing treatment or those paying the bill.
“Anyone else is not entitled to medical records,” he said. “The (county) does not need to know who this record is about.”
Whether Poole is right seems to be a matter of opinion.
But it’s certain the new Health Insurance Portability and Accountability Act creates more questions than it answers – especially when it comes to how local governments handle medical records.
One patient’s concern
Poole has had medical problems in the past and doesn’t mind talking about them.
But it bothers him the county is collecting personal data on its residents for no apparent reason. He’s concerned local governments could use patient records to look for criminal activity.
“I believe this is a very serious subject that few people are aware of,” Poole said. “I want it ceased and desisted, period.”
Poole brought his concerns to the Solano County Board of Supervisors, who oversee paramedic service in the county. So far, he’s received no reply.
Solano County EMS Director Michael Frenn said he has a “respectful disagreement” with Poole on the issue.
Medical records, including patient names, are needed to ensure residents get the treatment they need, Frenn said. Records also allow the county to survey residents about the quality of ambulance care.
“We have the overall responsibility and medical oversight for the entire EMS system,” Frenn said. “We’re not only entitled to the information, but it’s necessary to obtain it.”
Every ambulance ride generates four copies of a “patient care report,” one of which goes to Frenn’s office.
“All the information is kept in locked storage room and access is absolutely restricted,” he said.
Other California counties collect medical records, too.
Contra Costa County keeps them along with patient names, said Art Lathrop, the county’s EMS director.
EMS agencies need records to investigate complaints from patients and to monitor the quality of service, he said.
“I would suspect that it would be pretty common for EMS agencies to have those records,” Lathrop said.
The law on privacy
HIPAA, which covers other aspects of medical care delivery such as electronic record keeping, provides strict rules about who is entitled to confidential patient information.
But the laws are as complex as the nation’s tangled health care system, and opinions differ on who is entitled to what.
Although the act was passed in 1996, HIPAA’s privacy provisions didn’t take effect until April. Generally, it covers health-care providers, health-plan groups and insurance companies who pay for patient care, and other groups only partly involved with patient care.
Privacy groups argue the laws don’t go far enough.
Under HIPAA, consumers have the right to inspect and change their own medical records, and organizations must provide patients with their privacy policies and tell them whether their information has been disclosed to anyone else. But medical providers, for example, don’t need someone’s permission before disclosing his or her records to other covered entities.
Earlier this year, California’s Emergency Medical Services Authority decided EMS agencies that contract out ambulance services – such as Solano County – may receive patient data as a “trading partner,” as defined by HIPAA. But some say the situation raises concerns.
Under HIPAA, covered entities must disclose only the minimum amount of patient information that is needed to other entities.
Katharina Kopp, program manager for the Health Privacy Report, another nonprofit that supports medical privacy, doesn’t think an oversight agency needs patient names or identifiable information to do its job.
“From how it sounds, you might not need all that information to carry out that purpose,” Kopp said.
EMS providers have a reason to ask patients about their medical histories, they say, but EMS agencies must put in safeguards for protecting that information, said Tena Friery, research director of the Privacy Rights Clearinghouse, a nonprofit group that supports consumer privacy.
And counties shouldn’t use medical records to search for criminal activity such as domestic violence or drug use, she said.
“This is just another bit of concern,” Friery said.
How the records are used
There is some interest in using medical records to investigate cases of domestic violence in Solano County.
Ambulance crews are often the first on the scene following a domestic disturbance, District 1 Supervisor Barbara Kondylis said.
“People are more likely to open up to medical people,” she said. “When police arrive, everyone clams up.”
After hearing Poole’s concerns, Kondylis asked county staff for a report on the issue. But it doesn’t appear medical records kept by the county are being used to investigate domestic violence.
Patient care reports are sometimes subpoenaed if victims of domestic violence later recant their statements, said Timothy Baffico, a sheriff’s detective who works with Solano County’s Family Violence Response Team.
But records come from paramedics and hospitals, who are required under California law to report domestic violence incidents.
“If someone subpoenaed the information, we always redirect them to the provider of service,” Frenn said.
According to the EMS agency, officials perform audits on its ambulance records to ensure paramedics and hospitals respond in time and provide proper treatment.
The county has been keeping those records since 1990, Frenn said. But Poole’s concerns about privacy aren’t unreasonable.
“I think anyone should be concerned,” he said. “So to that extent, I understand.”
A case of confusion
It’s not easy figuring out how HIPAA regulations apply to EMS agencies.
Even those whose work revolves around ambulance care say HIPAA is confusing on the issue.
Paramedics, who provide treatment to patients, are allowed to keep patient information under HIPAA. They can also disclose information to public agencies with a health care oversight role, said Steve Wirth, an attorney with Pennsylvania law firm Page, Wolfberg & Wirth, which specializes in EMS law.
But HIPAA is “very ambiguous” in certain areas, particularly those applying to paramedic services, he added.
“The cost of compliance and nuances in details are very complex and unlike anything an ambulance service or other health care provider has had to do in terms of privacy,” Wirth said. “It’s created major costs and frustration from all health care providers.”
In other areas, emergency dispatchers and paramedic crews stopped broadcasting patient names on radio frequencies because of concerns over the new privacy law. That’s taking things too far, Wirth said.
Poole agrees HIPAA laws are confusing, but still has doubts about the county’s purpose with patient data.
If local governments’ role is oversight and they need patient records, agencies could link records using numbers rather than names, he said.
“While trying to be proper, (HIPAA) needs some cleaning up,” Poole said. “Nevertheless, it doesn’t give the county the right, in my estimation, to have my personal medical data.”
Reach Warren Lutz at 427-6955 or at firstname.lastname@example.org.