After the meeting, Ark City Daily Bytes requested and inspected numerous emails, spanning more than a year and a half, from local government officials in order to verify claims made that night. The findings of this investigation are shared in this and future stories.
Citizens interested in speaking out on this issue are urged to contact their county commissioner. Contact information can be found at www.cowleycounty.org/commission and a map of the commission districts is located at www.cowleycounty.org/wp-content/uploads/2011/09/Commission_Districts.pdf.
To HIPAA or not?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a set of laws that provide data privacy and security provisions for safeguarding medical information.
HIPAA also establishes strong punitive measures for violators of the law, including both civil and criminal penalties, so public agencies often are very sensitive when it comes to managing the risks of inadvertently releasing privileged health data.
Dispatchers employed by Cowley County Emergency Communications (CCEC) were instructed last year by CCEC Director Carl Fortner to type “HIPAA,” instead of patients’ names, in their Computer Aided Dispatch (CAD) software’s data fields.
In addition to patient names, other “personally identifiable information” Fortner instructed dispatchers to leave out of the CAD system included dates of birth and Social Security information.
However, this instruction caused some consternation from local public safety agencies who interpreted the move as withholding vital information from their first responders. The most notable objection came from Arkansas City Police Chief Dan Ward, who maintains the data is not CCEC’s to control or amend.
(Read more about the dispute over who controls and is responsible for criminal justice information at wp.me/p7A1jR-2IC.)
HIPAA and suicidal calls
“Carl, (on Jan. 16) we had a call involving a suicidal person,” Ward wrote Jan. 17 in an email to Fortner and Cowley County Sheriff Dave Falletti.
“Fortunately in this instance the subject came into the station and called dispatch from our lobby phone. However, in looking at the call record … you will see the suicidal persons name is not listed and instead it reads (HIPAA). This leaves the officers blind and without knowing who the suicidal person is while responding and it makes it impossible to look up past calls when responding to new ones.”
Responding to these types of calls is VERY dangerous for the officers and the person who is suicidal. We want to have as much information as possible when being dispatched to these calls. This includes past interactions of a similar nature.”
Ward referred to a previous email exchange involving HIPAA and fire or medical calls, but said HIPAA does not apply in the same way to suicidal calls. “Law Enforcement has a (HIPAA) exemption and we are not a medical provider,” he explained.
He also referred to prior agreements, which former county administrator Jeremy Willmoth was privy to, that ensure CAD data and other such criminal justice information belong to the responding agency, not the county dispatching center.
“The data you collect and put in the CAD call belongs to the responding law enforcement agency … Before your arrival here in Cowley we reached an agreement with (Willmoth) that the data in CAD belongs to the responding law enforcement agency. There are written, signed agreements which remove any (HIPAA) liability from your agency,” Ward said to Fortner.
“Part of that agreement is that your agency and your employees are not allowed to disseminate any of our information without our approval. If you should receive an open records request for information on a call such as this, your agency would simply notify the responding law enforcement agency and they will handle the open records request.”
Ward concluded his email by stating the Arkansas City Police Department and other public safety agencies would be the ones taking the heat for any inadvertent HIPAA violations, and he politely asked that Fortner stop the practice he had asked his dispatchers to follow.
“In the event that any information from a CAD call is released as a result of an opens record request, the agency releasing the information can redact any (HIPAA) information prior to release if they choose,” Ward wrote.
“This should remove any concern on your part when it comes to (HIPAA) liability. I would request that the practice of entering (HIPAA) instead of the persons information into CAD calls … be discontinued.
“Not gathering this information in the first place is not a best practice.”
In an immediate reply to Ward, Cowley County Undersheriff Jeff Moore expressed interest in Fortner’s response, writing, “Any chance you would share (Fortner’s) reply, if he replies?”
Fortner explains policy
Fortner, in a comment made Feb. 24 on the Ark City Daily Bytes website, made a claim mirroring Ward’s statement.
“Since I came here, there have been no disputes over ownership of records. Our staff have always followed the standards agreed to between the County and emergency response community. If someone seeks records, we direct them to the holder of those records,” Fortner wrote.
However, in an email sent by Fortner on Oct. 10, 2016, he seemed to contradict that statement.
“As a final check prior to release, I — in coordination with the appropriate EMS provider, and the County Attorney, if appropriate — will review the audio and CAD reports for all Public Records Requests to ensure that no HIPAA-protected data is inadvertently released,” he said.
“CAD is a public record, and inclusion of this data — even if the patient is the caller — is restricted by (HIPAA). In situations where the patient is the caller, just place HIPAA in the Complainant field. Certainly do not put the patient’s name in the call comments section, even if the data is volunteered by a caller, a passerby, or anyone else.”
In response to Ward’s Jan. 17 email, Fortner offered an additional explanation as to why the complainant fields were being filled in with “HIPAA.”
“I’ve instructed County staff to put ‘HIPAA’ in all medical incident types, where the caller is also the patient. This was done out of an abundance of caution to avoid any potential privacy issues. Immediately moving beyond the ‘Complainant’ field when the caller is also the patient, ensures that we can more quickly transition to pre-arrival or post-dispatch instructions without delay.”
However, those instructions pertained specifically to medical calls, not law enforcement ones, and Fortner admitted the dispatch made an error.
“The Call-Taker on this incident you describer incorrectly put ‘HIPAA’ in the complainant name on your ‘law enforcement’ call,” he replied to Ward on Jan. 17.
“But as you point out, this was a law enforcement event because the caller did not need medical care. … I have reiterated the guideline to the employee involved, and her supervisor.”
Regarding the underlying issue of ownership of and responsibility for law enforcement records, including CAD calls, Fortner cited the document Ward referenced, “Cowley County, Kansas Emergency Communications Department Policy on Open Records Requests to the Department,” but said the document had not been signed by Willmoth or County Counselor Mark Krusor.
He also said the policy did not address the issue of callers’ names and questioned its approval by the “911 Governing Board,” which he interpreted to mean the Emergency Communications Advisory Board (ECAB) based on the identities of those who signed the document.
Fortner again stated his assertion that ECAB is an advisory board, not a governing board, and suggested deferring the matter until Willmoth left county employment at the end of January and deferring to Krusor’s judgment on the matter. (Read more about the disagreement over the authority and powers of ECAB at http://wp.me/p7A1jR-2B2, http://wp.me/p7A1jR-2HQ, and http://wp.me/p7A1jR-2IC.)
“In two weeks, (Willmoth) will no longer work for the County so I think it appropriate to run all of this by the new administrator and the county counselor before we make any permanent changes. My instructions to CCEC staff have been in the form of Interim Guidance. I have not written any policy that supersedes anything in the referenced document. … If (Krusor) says we need to enter the 1st party caller’s name in the ‘Complainant’ field, when processing medical calls, then it will be so entered.”
Purpose of HIPAA
Some of the roots of the disagreement between Fortner and Ward can be found in the original purpose and intent of HIPAA.
“The law was never intended to be an impediment to patient health or to the receipt of proper health care,” according to a July 2014 article by labor attorneys Meredith Campbell and Joy Einstein, entitled “Emergency Medical Dispatches and HIPAA: Are You HIPAA Compliant?”
Only a few specific categories of entities are subject by HIPAA requirements, according to the Centers for Medicare & Medicaid Services website. It defines a covered entity as one of the following:
- a health plan, such as health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans or government programs that pay for health care, such as Medicare, Medicaid, and military and veterans health programs.
- a health care clearinghouse, such as an organization that processes nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.
- a health care provider that transmits any health information, such as claims, in electronic form — including, but not limited to, doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
The article by Campbell and Einstein states “…dispatchers, such as 911 dispatchers, are not (a covered entity) because they do not engage in covered electronic transactions, such as directly billing insurers for services or transmitting healthcare enrollment information.”
“HIPAA does not apply to communications required to treat patients or to information shared for operations purposes. Since information shared by a dispatch agency is shared to treat patients and to operate effectively as a dispatch service, HIPAA most often does not apply to the communications. These are considered incidental disclosures, which HIPAA’s provisions specifically permit.”
This clarification, along with the protection that any open records requests for CAD information are to be reviewed by the public service agency that handled the call before the record is released, seem to absolve CCEC of any responsibility for patient information, medical call or otherwise.
Editor’s note: This is the seventh part of a multi-part series. Prior installments can be viewed at:
- Part 1: Consolidated 911 dispatch issues highlighted in series of public emails — http://wp.me/p7A1jR-2AH
- Part 2: Vote on MDT software exposes schisms on 911 ECAB advisory board — http://wp.me/p7A1jR-2B2
- Part 3: Request for increased officer safety turns into dispatch funding discussion — http://wp.me/p7A1jR-2Ek
- Part 4: Friction seen in disputes between county, rural fire over call sign, pagers — http://wp.me/p7A1jR-2GO
- Part 5: EMS removal from ECAB, sub-committee formation raise questions — http://wp.me/p7A1jR-2HQ
- Part 6: Disagreement over 911 control, ECAB raises federal compliance concerns — http://wp.me/p7A1jR-2IC