Are You HIPAA Compliant for STEMI ECGs? E-Communicating With EMS

Dr. Kirk Garrett, Christiana Hospital, Wilmington, Delaware, asks the cardiac cath expert group about the way emergency medical services (EMS) transmits electrocardiograms (ECGs) to the hospital for ST-elevation myocardial infarction (STEMI) and ways to remain HIPAA (Health Insurance Portability and Accountability Act of 1996) compliant. He comments:

“We don’t have a HIPAA-compliant means of communicating with EMS personnel. Concerns about patient confidentiality prevent us from exchanging patient identifiers or transmitting ECGs using unsecured electronic means for suspected STEMI patients on the way to the hospital. We’ve elected to activate the lab on the presumption of the STEMI being real, but we’re depending on the skills of EMS personnel to read the ECG, something that can be variable. Recently, 40% of our after-hour alerts have turned out to be false alarms. Here’s what the U.S. Health and Human Services website¹ (emphasis mine) says about HIPAA compliance:

“A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.

“I’ve heard some places interpret this to mean EMS transmission of ECGs and patient information for suspected STEMI patients is allowed over an unsecured line. Does anyone know about this, or have any experience with it?”

Mort Kern: Kirk, when I was on STEMI call, we (mostly me) required a text image of the ECG with the identification information folded over. It was not HIPAA protected but it was de-identified. False activation based on STEMI ECG interpretation was also high, >30% of the time. The communication among the university physicians now uses encrypted texting, but I do not believe ambulance services have this encrypted method. I’m not really worried someone is going to hack my text to see an ECG with no name on it. As I read the HIPAA rules (below), I believe you can use this method for patient care among the treating parties.

HIPAA Rules (in brief)

For a complete understanding of the HIPAA rules you can review the summary found at the U.S. Health and Human Services website¹, which provides The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”). The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals’ health information — called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.

Protected Health Information

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” “Individually identifiable health information” is information, including demographic data, that relates to:

1. The individual’s past, present or future physical or mental health or condition,
2. The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and
3. That identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
4. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security number).

De-Identified Health Information

There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

Be HIPAA Compliant or Else: Civil Money Penalties

The Office for Civil Rights may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly, depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement (Table 1).

Jim Blankenship: We see 2 problems with EMS: 1) sending names and patient identifiers over public airways (for which we don’t have a solution) and 2) transmitting ECGs. Our emergency medical technicians (EMTs) send cell phone pictures of the ECG from the EMT to the emergency department (ED) receiving doc, something that works surprisingly well. In rural Pennsylvania, cell phone transmission is not always possible. In those cases, the ED doc chooses to activate the STEMI alert (or not) based on the ED doc’s impression of how certain the EMT is of the STEMI, and the ED doc’s previous experience with that EMT team. We do get occasional “false positives”, but not too many.

Lloyd Klein: There are system-wide apps available that are HIPAA compatible. Advocate Hospital system in Illinois uses one. The problem is that photo attachments can be hard to work with. This app is fine in the ED, not so good from the field. The fellows still prefer to text in the usual way.

Jimmy Tcheng: I would recommend that a lawyer be consulted, as the foundation of the question is legal and regulatory, not clinical. There are 2 components of information exchange — data in transit and data retention. By its nature, voice communication is just data in transit (and thus disappears). Images, however, have the opportunity to be retained on both capture and destination devices.

My understanding is that mobile telephony is protected the same way as wired telephony in terms of FCC regulations regarding wire-tapping, etc. Thus mobile telephony = wired telephony (and = VOIP) in terms of protected voice communication regarding patient care as well as the transmission (data in transit) of ECG images. The issue is that the image (protected health information or PHI) can be retained on both the sending device and the receiving device. This gets further compounded when one considers automatic backup to the cloud of content on mobile devices.

On the other hand, 2-way radio communication is not (natively) secure, as it can be listened to by anyone, so transmission of PHI, etc., over the airwaves should not be encouraged. Duke University has developed and is testing a secure, HIPAA-compliant app for mobile phones for initial STEMI management — contact management, secure capture of ECG images, encrypted communication (both voice and data) via mobile telephony, and automatic wiping of the images off devices after a set time (couple of hours), fire-walled from the rest of the device. It addresses the known limitations of the available apps and can be installed on personal or EMS-managed mobile phones. It even geo-maps and tracks the location of the caller. Stay tuned.

Richard F. Wright: Sending a photo of an ECG without protected health info is totally fine... just don’t include the name or other identifying data.

Jeff Marshall: As far as EMS sending ECGs, there are several well-vetted legal opinions regarding patient data that is used for “operational” care of emergency patients (i.e., transmitted patient data over the radio and other means of communication) by covered entities (i.e., hospitals and doctors). Here’s one brief synopsis from the EMS angle:

HIPAA: The Intersection of Patient Privacy With Emergency Dispatch

Myth: Ambulance services are violating HIPAA if they give patient information to the hospital over the radio.

Fact: HIPAA permits any and all treatment-related disclosures of patient information between health care providers. Ambulances are freely permitted to give patient information to hospitals over the radio for treatment purposes.

“HIPAA permits covered entities to use and disclose any PHI for the purposes of patient care and for health-care ‘operations’ purposes. HIPAA permits these types of communications between an ambulance service and any other party who has a legitimate need for the information including: dispatch centers, hospitals or other facilities, an online medical control physician, or between ambulance crews and police, fire or other responding EMS agencies. Further, HIPAA does not state that the disclosures must be in any particular form. Thus, HIPAA does not prohibit ambulance providers from communicating PHI to necessary parties via normal channels of communications, including over standard radio frequencies.”²

Additionally, our hospital has gone an extra step to add protection using a program called GD CAREpoint (General Devices). This program allows us to receive and send recordings of radio/phone communication between dispatch/EMS, and images of the EKG to the STEMI docs with patient identifiers over a secure application and/or secure email within a few seconds of receiving the data. We’ve been told that text messages are probably not the best way to send info, but if photos of the EKGs are de-identified (i.e., no patient name or identifier), then sending a picture is not a HIPAA violation. Our STEMI coordinator has worked through these issues with the legal eagles over the last 17 years, and I am quite confident that this is solid advice.

How Secure are Mobile Devices?

Mobile devices are not as secure as in-house computers within an organization’s secure network. Most of our cell phones and other mobile devices aren’t equipped with protective technology like encryption, firewalls and antivirus software.³ There are additional risks for using a mobile device connected to a healthcare system’s resources that may include physical loss or theft of the device, transmitting data via text or email over an unsecured Wi-Fi network, using an outdated operating system, inadequate or lack of authentication, and sharing a mobile device with others and inadvertently exposing confidential data. Mobile devices are easily stolen or lost. Many mobile users skip using a protective password for cell phone access, and many users tend to neglect encrypting emails sent or received on mobile devices. Smartphones and other mobile devices for healthcare matters are potentially a risky business.

The Bottom Line

To communicate with EMS and transmit STEMI ECGs, the photo or other method of sending the ECG without patient identifiers is permitted by the HIPAA rule. However, all other patient information sent by smartphone or other computing devices should meet the security needs of your health care organization and its security rules. Keeping HIPAA rules in mind is the ethically right thing to do and breaking the rules can cost you more than just a slap on the hand. 

1. U.S. Department of Health & Human Services. Health Information Privacy. Available online at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Accessed January 16, 2019.
2. Communication from Douglas M. Wolfberg, Stephen R. Wirth & Ryan S. Stark, Esquires.
3. Salomon S. HIPAA compliance & cell phones: staying compliant while staying connected. I.S. Partners. June 27, 2018. Available online at https://www.ispartnersllc.com/blog/hipaa-compliance-cell-phones/. Accessed January 16, 2019.