Mark has chimed in about an update to the Project, the Trans-Atlantic Paramedic exchange I’m always reminding you of. Pop over and read his post, answer his question, then come back for my thoughts on whether blogs are bad.
It seems that the powers that be on both sides of the pond are still nervous about the reality of patient confidentiality laws, and rightly so. It is understandable to be worried about litigation if one of your people is blogging, facebooking/Myspacing or tweeting the address of a patient, a patient’s name, history, likeness or scene photo, but what about those of us trying to make an impact on the Profession of EMS?
These same supervisors who are nervous about Mark’s blog being perceived as NHS driven and my supervisors to even allow me to tell you my name, surely sit down with other professionals and share tales of “the big one” or “the call that went wrong.” Are those violations of privacy rights?
What about ACLS scenarios? Each time we enter the classroom we are encouraged to share stories of patient outcomes and interventions. Are those violations of privacy rights?
Many of you may be shaking your heads and saying, “That’s different, it’s not in the public realm,” I say sure it is. I go home, tell the wife about a rough call or scenario in class, she tells a friend, etc etc.
We share information all the time, and mostly even more details than have even been shared in this arena. Privacy is so private that people will scream for help on a busy sidewalk, then refuse to give their name because they don’t want a bill. Will rail on and on about their medical history, in front of dozens of strangers, then I have to get a form signed saying I promise not to share their information with anyone outside of our billing system. That’s makes sense, right?
I took this opportunity to re-read the Health Insurance Privacy and Portability Act (HIPPA) and find out once and for all if what I’ve been doing is allowed. Here’s a shocker…yes.
From the text of HIPPA:
What Information is Protected
Protected Health Information. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”12
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information.14 De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.15
Take note of the “and” following the bullet points under Protected Health Information. If I post about someone who, even if I change all the information, can still be identified by someone not there at the time, it becomes questionable.
I understand the reason for privacy rights, believe me, but I also understand how sharing information of a non-sensitive manner can help move our understanding of this Profession forward by leaps and bounds.
I don’t know what privacy laws are relevant in the UK, but I’m sure Mark is well aware of his limitations, as evidenced in his post.
Blogging can do harm Mark, when done recklessly and without respect to our patients, clients, employers and co-workers.
But when done following the intent AND letter of the law, it can only help.
I’ll explain more when you pick me up from the airport in Newcastle during our blog born EMS exchange to advance patient care. But keep that private, OK?