Protecting Patient Privacy in Community Paramedic Programs

Mobile integrated healthcare and community paramedic (MIH-CP) programs face a seemingly complex landscape when it comes to sharing and receiving protected health information (PHI). With an expanded role in the community, EMS operations are finding they may not have policies and procedures to guide community paramedics as they engage in this workflow. However, the decisions community paramedics make in regards to information-sharing can carry greater responsibility, require greater discretion or self-control, and introduce greater risk. For this reason administrators are right to be concerned about developing policies, procedures and training for patient privacy in their MIH-CP programs.

This article focuses on a theoretical approach to patient privacy, rather than a technical approach. As it stands now, no single standard can indicate what is permitted and not permitted for the broad spectrum of MIH-CP programs. Each program must perform its own needs assessment and work with its legal teams to determine any relevant state law or additional requirements in place due to program funding, structure or treatment operations. If the idea of patient privacy feels overwhelming, don’t be discouraged. An agency willing to engage in a systematic approach to policy development will find good news; these laws aren’t as set on thwarting your patient care attempts as you thought.

MIH-CP at the Intersection

The variety of existing MIH-CP programs reflects the diversity of EMS systems. Just like the general EMS discipline, MIH-CP programs operate at the intersection of healthcare, public health and public safety. For example:

• A healthcare version of MIH-CP might deal primarily with chronic disease management or post-hospital discharge follow-up.
• A public health version of MIH-CP might include prevention, communicable disease monitoring or immunization programs.
• A public safety version of MIH-CP might be involved in crisis intervention, frequent-user care coordination, or alternative destinations to preserve response readiness.
• A single MIH-CP program might operate in any combination of these.

Healthcare agencies and MIH-CP programs focused solely on healthcare often have straightforward approaches to patient privacy because the majority of their transactions occur under the medical umbrella. However, if your MIH-CP program extends beyond the medical umbrella, chances are you have struggled, or are struggling, to make sense of privacy laws.

Medical privacy laws do address non-medical disclosures. For example, the Health Insurance Portability and Accountability Act (HIPAA) allows for disclosures for reasons other than healthcare activities, like public health interests, oversight and safety issues. A series of these permitted disclosures under HIPAA is contained in Title 45 of the Code of Federal Regulations, parts 160 and 164. Figure 1 shows samples of permitted disclosures (a majority drawn from §164.512 of HIPAA) organized to illustrate the types of disclosures with possible applications to the different MIH-CP categories.

The mission of the MIH-CP program will determine what specific policies and procedures are needed for client care. Understanding the landscape of disclosures can help you identify and prioritize the order in which you choose to tackle the accompanying policies and procedures.

Consent Forms: The Catchall Solution

One of the first and most important actions for your MIH-CP program is to develop a consent or authorization form to obtain permission from the client to disclose information for purposes of care. It is relatively uncomplicated to work with an attorney to create or modify a consent form. Additionally, an attorney should determine if your agency is able to operate with one form, or if you need any additional authorization forms for sensitive health issues.

Once the program has a consent form, the simplest, most conservative route to privacy compliance is to require that CPs use this form to gain consent from every client. In this case the CP is obtaining consent at times where the agency may not necessarily need it. On the other hand, it can give the CP authorization to disclose information to any entity specified on the consent or authorization form. This could include entities to which HIPAA provides no provisions or where there is ambiguity.

This is certainly a valid approach, and some agencies may be able to operate fully with a 100% consent policy. However, some programs require the CP to initiate care prior to any opportunity for consent. Examples of these situations include care for clients with cognitive disabilities from dementia or mental illness, cognitive impairment due to substance abuse, or when the client is a threat to the safety of self or others. In other words, CP programs with a crisis intervention component, or those that deal with cognitively vulnerable individuals, may not be as effective without policies and procedures to cover disclosures in these cases.

Going Further With Policy Development

If the program requires additional policies to supplement a consent form, a systematic approach will make policy development less intimidating. The following instructions represent one approach to building a comprehensive set of policies and procedures, though it is certainly not the only approach.

Step #1: Perform a Gap Analysis

A gap analysis may sound formal or arduous, but a person familiar with the workflow of the CP could perhaps accomplish this in less than a day. In this case a gap analysis involves comparing existing policies and forms to a list of desired policies (see Figure 2).

The goal of this process is to create a wish list of disclosures. If the disclosure doesn’t seem permitted under current law, include it anyway. The resulting list should contain items that seem both possible and impossible, not to get away with as much as possible but to create tools that will help the CP be the best advocate for the patient.

Step #2: Create a Disclosure Matrix Form

Divide the list from Step #1 into two parts: one list for the type of information disclosed, and another for the recipient. For example:

• Information type—Medical information, number of hospital visits, mental health diagnosis, etc.
• Recipient types—Law enforcement, hospitals, primary care physicians, etc.

Refine the list into categories. For example:

• Information category—Medical information, mental health information, substance abuse information, social information, service utilization.
• Recipient category—Coresponder on an incident; law enforcement; covered entity; noncovered entity.

Use the category lists to create a disclosure matrix. For an example, see Figure 3. 

Step #3: Complete the Disclosure Matrix

The next step is to complete the privacy matrix. The agency may already have policies for some of the boxes. For the remaining boxes, it is best to involve the agency’s legal team.

For each box, answer the question “Under what ethical and legal circumstances can I provide this disclosure?” Privacy law usually settles down into the following categories:

• Permitted without authorization from the client;
• Permitted when disclosed to a partner or business associate under a formal agreement;
• Permitted with authorization from the client;
• Required by law.

There may be times when your agency chooses to be more stringent than privacy laws. In that case you could add other categories. For example:

• Never;
• Permitted without client authorization but requires management approval.

This may be especially relevant for disclosures that require discretion. For example, disclosures to avert a serious threat require that the threat be credible and that the disclosure is expected to lessen the threat. It may be that management wants to exercise discretion and assess credibility before allowing the CP to make the disclosure.

With the matrix complete, the privacy concepts are ready to be written into policy.

Policies in Action

Once the MIH-CP program has a comprehensive set of privacy standards, administrators should implement training, compliance and ongoing assessments and revisions of the policies and procedures. Additionally, as a closing concept, there is a cultural component to this new set of rules: CPs need training to deal with the casual, and sometimes inappropriate, exchanges of information that take place in a community setting that is not isolated to a 9-1-1 incident. The CP should be prepared with helpful scripts or otherwise understand that awkward social exchanges are normal when upholding the agency’s privacy standards. With a comprehensive set of policies and procedures, along with cultural preparedness, MIH-CP programs can eliminate a majority of the ambiguity associated with privacy compliance and focus on other aspects of the new MIH-CP discipline.

More Than HIPAA

HIPAA may not be the only privacy standard that’s applicable to your MIH-CP program, though it is the most dominant. Other laws and situations may apply:

• State privacy laws—States may have their own privacy laws to consider. HIPAA has specific text to define the relationship between federal and state laws, and an attorney is best suited to interpret this relationship.
• Privacy requirements associated with federal funding—MIH-CP programs that anticipate receiving federal funds for targeted efforts, such as substance abuse or mental health efforts, may need to look at additional privacy standards.
• Privacy requirements associated with organizational structure—If you employ care providers other than CPs, like certain licensed mental health professionals, your organization may be subject to a higher level of confidentiality.

A summary of selected federal laws and regulations addressing confidentiality, privacy and security can be found at https://www.healthit.govhttps://s3.amazonaws.com/HMP/hmp_ln/imported/privacy-security/federal-privacy-laws-table2-26-10-final.pdf.

Communication Complexities

As mobile integrated healthcare and community paramedic (MIH-CP) programs create new services to help patients, one of the challenges they will face is how best to develop important policies and procedures to guide CPs in their new roles. One critical consideration will be how to provide patients the new types of assistance they need while maintaining the patient’s privacy. This month community paramedic innovator Anne Jensen describes a comprehensive approach to developing those policies and procedures that will help CPs and their administrators think through the various ways patients’ information will need to be exchanged.

Community paramedics conduct a broad assessment of the patient that reveals medical, mental health, social, economic, environmental and other factors that influence the patient’s health. To provide the variety of resources needed to help the patient, CPs not only need to share these new types of information with healthcare entities, but with mental health, social service agencies, police and others that may not be covered by the agency’s current privacy-related policies and procedures. Anne’s framework for defining the types of information and entities that might be involved is an incredibly useful tool for agencies and attorneys to understand the complex but mission-critical nature of these communications. Thanks to Anne for sharing her experience and guidance in navigating these new regulatory areas. —Dan Swayze

Anne M. Jensen, BS, EMT-P, is the Resource Access Program coordinator for San Diego Fire-Rescue Department and Rural/Metro of San Diego. With an inclination toward technology, she emphasizes meaningful patient care, using technology to expand capacity to serve and mitigate risk. E-mail ajensen@sandiego.gov.