Paramedic 1.22 – Medical/Legal and Ethics: Confidentiality

This module addresses patient confidentiality
and many of the legal aspects associated with maintaining patient information. Once you have completed this module, you should
be able to discuss the obligation to protect patient information; discuss HIPAA, its provisions,
and its applicability and impact on EMS; discuss confidentiality arising from the physician-patient
relationship; describe privileged communications; and, explain possible repercussions for a
breach of patient confidentiality. This module addresses legalities related to
patient confidentiality. In providing this information, nothing in
this presentation should be construed as legal advice. Rather, the information provided is merely
a broad overview of this legal subject as denoted within the national paramedic educational
standards. Please be aware that every state has different
laws that impact EMS agencies and providers, and these laws may change over time by application
of legislative action or court decisions. Federal, state, and local laws and other legal
provisions not discussed within this presentation may also impact EMS agencies and providers. Additionally, information that was current
or applicable at the time this presentation was produced may not be at the time you are
watching this presentation and new laws may have been added as well. Lastly, the legal topics and doctrines discussed
within these presentations are not the totality of all laws that apply to EMS agencies and
providers. There are numerous other laws and provisions
that impact diverse aspects of providing EMS. If you or any other EMS provider has questions
related to the laws that apply within the realm of providing EMS, additional guidance
and assistance should be obtained from a licensed attorney within your area who has subject
matter expertise in the specific area of law in question. To begin, common law has evolved over time
to recognize the importance of certain relationships within our society over and above other societal
concerns. One such recognized relationship is that between
a patient and his or her physician. Our laws routinely recognize that it is of
critical importance for a patient to be able to share information with his or her physician
without fear of that information being used “against” the patient. As an example, a person seeking assistance
with a substance abuse problem should be able to talk about the problem with his or her
physician to better inform the physician and aid in developing an appropriate care plan
for the patient. If the patient must be afraid of that full
disclosure being reported to the police, that would be a problem that undermines the faith
and confidence placed within that professional physician-patient relationship. While this privilege has developed over time
within American common law, many states have even codified the protections within this
relationship in law. In many cases, the physician’s assessment
findings, treatments rendered, and other information provided to the physician by the patient are
protected from disclosure by the law. (There are other such relationships at common
law as well, such as the relationship between a member of the clergy and the penitent, an
attorney and the client, and within the spousal relationship.) Within the realm of EMS, it is important to
recognize that a paramedic is not a physician. As such, the protections associated with the
physician-patient relationship do not always apply between a paramedic and a patient. (Some states have extended the protections
of this relationship to paramedics. In Wisconsin, the protections of the physician-patient
relationship do not extend to the EMS provider and his or her patient.) Given differences in the application of patient
privacy over time, in addition to other problems associated with patients being able to actually
access their own personal healthcare records, Congress passed the Health Insurance Privacy
and Accountability Act of 1996 (which was subsequently modified in 2005 by the Patient
Safety and Quality Improvement Act). This law did several things for patients to
not only protect their personal health information from unauthorized disclosure, but to also
ensure such data is adequately and appropriately secured while giving patients the ability
to access their own personal health records. HIPAA is routinely separated into or defined
by two major provisions, the HIPAA Privacy Rule and HIPAA Security Rule. The Privacy Rule impacts the use and disclosure
of patient health information and establishes patient privacy rights while also recognizing
the need to share patient data in certain situations. The Security Rule establishes standards for
the security of patient data that is held or transferred in an electronic form. While HIPAA specifically covers healthcare
providers who transmit health information in electronic form, it is hard to imagine
any EMS agency that would not fall within its provisions. Even first response agencies who arguably
do not transmit patient data electronically may still be covered by virtue of being a
“business entity” that works with another HIPAA-covered entity. Beyond HIPAA, many states also have their
own patient privacy laws that routinely apply to EMS providers. Often, HIPAA is cited as the reason for not
sharing protected patient health information with other parties or entities. Remember, however, that HIPAA sought to strike
a balance between patient privacy rights and the needs of the healthcare system to actually
function. As a result, several types of disclosures
are recognized as permissible by HIPAA. These privileged communications include disclosures
that are necessary for the functioning of the healthcare system. For example, it would make no sense for an
EMS agency to not share patient information with a receiving hospital. Such a disclosure is obviously permitted by
HIPAA. Utilizing patient data to drive education
and continuous quality improvement activities is permissible. When the law requires the release of information,
HIPAA does not stand in the way. This would include state laws that require
EMS providers to report suspected child abuse, when a subpoena is issued by a court, or even
when a state’s open records law requires the disclosure of certain information (Wisconsin
has such a law that requires disclosure of certain EMS run information in the event of
an open records request of a governmental EMS agency). Third-party billing services must have access
to certain medical information as well. Lastly, there are additional circumstances
in which medical information may be released, either with or without patient consent, depending
upon the circumstances. In any release of patient health information,
HIPAA mandates that a “minimum necessary” policy is followed. That means the minimum number of people necessary
for processing the release of information are involved in that release and that the
minimum amount of protected patient information be released to accomplish the purpose of the
release. Ultimately, HIPAA is a very complicated piece
of federal legislation and this brief introduction hardly scratches the surface of what HIPAA
compliance entails. This information also does not include unique
state-specific laws that further protect patient privacy rights. The short story for EMS providers is that
patients have very specific privacy rights that must be protected. In this day of social media and cell phone
cameras, a release of patient information is all too easy. EMS agencies and providers must be ever vigilant
to ensure patient privacy is protected and releases of information do not occur. If a release of protected patient health information
does occur, the HIPAA privacy rule requires agencies to proactively notify people who
may have been impacted. While HIPAA does not create a private cause
of action (meaning the impacted person cannot file a personal lawsuit against the agency
for the breach), the federal Department of Health and Human Services Office of Civil
Rights may issue penalties of up to $1.5 million per year. Given a willful or knowing violation of HIPAA,
the US Department of Justice may also be involved and seek criminal penalties of up to $250,000
and 10 years in prison against the guilty party. Within states that have their own patient
confidentiality laws, there may be additional penalties for a breach of patient confidentiality
that may include personal civil liability for a breach (as is the case in Wisconsin). Outside of patient confidentiality laws, other
defamation claims, such as libel or slander, could potentially be pursued against an individual
EMS provider as well. In closing, patient confidentiality is very
important within the healthcare realm and every EMS provider must be familiar with all
of the patient confidentiality laws that apply within his or her respective state. This presentation provided just a very brief
overview of HIPAA and potential state laws related to patient privacy and you should
now be able to discuss the paramedic’s obligation to protect patient information; discuss HIPAA,
its provisions, and its applicability to and impact on EMS; discuss confidentiality arising
from the physician-patient relationship; describe privileged communications; and, explain possible
repercussions for a breach of patient confidentiality. As with all of the legal topics discussed
within these modules, EMS students and providers are encouraged to seek additional information
and training through educational institutions and related resources, their EMS agencies,
and qualified attorneys within their respective jurisdictions. This presentation was prepared by Waukesha
County Technical College in Pewaukee, Wisconsin and is distributed with an attribution, non-commercial,
share alike 4.0 international Creative Commons license. Copyright 2019, Waukesha County Technical
College. For information on WCTC’s numerous fire
and EMS educational offerings, please visit us online at
