OPHI-PCR and HIPAA
Why is public health data collected?
The EMS and Trauma Systems Section, Montana Department of Public Health and Human Services is charged under Title 50, Chapter 6 of Montana Code Annotated with establishing an emergency medical services program that is in the interest of the social well-being and health and safety of the state and all its people. As with any local, state or federal public health authority, EMS & Trauma Systems recognizes the importance of collecting protected health information (PHI) to accomplish essential public health objectives. Public health practice and research, including such traditional public health activities as program operations, public health surveillance, program evaluation, disaster preparedness, and public health research, use PHI to implement strategies which identify, monitor, and respond to disease, death, and disability among populations.
What is identifiable information and why is it collected by public health authorities like EMSTS?
Identifiable patient information consists of those data items that can be used to individually identify a person. With OPHI-PCR data, this would include the patient’s social security number, patient residence (city, county, FIPS code, ZIP code) and date of birth (DOB). Even though HIPAA does not apply to submitting data to public health authorities - such as EMS data being submitted to EMSTS - the importance of collecting public health data is recognized by HIPAA provisions. In particular, the Act stipulates in 45 C.F.R. § 164.512(b)(1) that covered entities may disclose protected health information without an individual’s authorization to a public health authority such as EMSTS for the purpose of public health activities. Identifiable data, such as PCR data submitted with social security numbers and dates of birth, is essential to put EMS data to work. As EMSTS plans to move towards a new EMS data collection system, OPHI-PCR, a major goal of this project is to tie EMS data to the statewide trauma registry, hospital discharge information, MHP crash reports and more. The benefit of tying EMS data to trauma registry and hospital data is that it will allow us to measure the effectiveness of the care that EMS providers provide, otherwise known as “outcomes”. Without patient identifiers, information from separate databases cannot be tied together. In order for an EMS case to be matched to a hospital case, the two records must be linked by more than one identifier, i.e. a record may only be successfully linked if the date of the incident, the patient’s social security number and date of birth can be matched. When an EMS record and a hospital record are matched, it will be possible to identify whether the EMS provider’s suspected diagnosis, which is used to choose treatment protocols, turned out to be the patient’s actual diagnosis.
The hospital admission status, such as whether the patient was discharged from the emergency department, admitted to the hospital or admitted to an ICU, is an indicator of the level of severity of the patient’s illness or injury.
Does HIPAA apply when submitting data to Montana EMSTS?
No. Montana DPHHS / EMSTS is a public health authority as defined by HIPAA, 45 C.F.R. § 164.501. HIPAA’s Privacy Rule allows public health authorities to collect patient identifiable information as part of a public health activity; see 45 C.F.R. § 164.512(b). Data collection through EMSTS’ Online Prehospital Information data system (OPHI-PCR) is one example of a public health activity. DPHHS has a long history of protecting and preserving the confidentiality of individually identifiable health information. To ensure privacy of patient data, access to OPHI-PCR is managed on a person-by-person basis. Each individual who uses OPHI-PCR must have their own secured user account. All changes to data are audited, including identification of the user account used. The computer(s) you use to access OPHI-PCR do not need to be secured any differently than other computers, since the computers themselves contain no data. All data is stored on State servers, which are housed in physically secured state facilities.
Are EMS services required to have Business Agreements with DPHHS / EMSTS?
Under authority delegated to the Department under 50-6-323 MCA and 37.104.212 ARM, licensed EMS services are required to submit data to the Department. As a state agency with authority to collect and maintain identifiable data, we are exempt from the Health Insurance Portability and Accountability Act. Because of this, licensed EMS services that provide data to the EMS and Trauma Systems Section are not required to complete Business Associate Agreements.