Privacy Safeguard Protocols in Effect as of 31 Aug 2005
COEKG's published protocols are continually updated and accessible for public inspection at all times.
Status as of Sep 2005:
Internet: No Live Records Currently Accessible Via Public Internet
Exempla Intranet: Mock EKGs accessible to authorized COEKG researchers only; no real-world EKGs posted
Offline Records Maintenance:
Hardcopies: Attended at all times or stored behind at least two locks (e.g., facility door and locked safe or interior vault)
Electronic Data: Encrypted when unattended, accessed only from within firewalled security network
All transactions, plans, access and authentication procedures used by COEKG maintain strict compliance with HIPAA guidelines as published and revised by the Centers for Medicaid and Medicare Services, a division of the United States Department of Health and Human Services.
This page describes how electrocardiograms shared by our exchange program may be used and disclosed and how you can access this information.
In this notice we use the terms "we," "us," and "our" to describe COEKG. All policies refer to this project as a whole and all of our online real estate; the same terms apply to all of our domains (mirror sites):
I. WHAT IS "PROTECTED HEALTH INFORMATION"?
Protected health information ("PHI") is health information that contains identifiers, such as your name, address, date of birth, Social Security number, or other information that reveals who you are. For example, your EKG is considered PHI because it is labeled with your name and other identifiers.
If you have an EKG or other medical data in the COEKG database and also are an employee of COEKG, PHI does not include the health information in your employment records. Both of these data files are kept separate, each with different access pathways.
II. ABOUT OUR RESPONSIBILITY TO PROTECT YOUR PHI
By law, we must:
1. protect the privacy of your PHI;
2. tell you about your rights and our legal duties with respect to your PHI; and
3. tell you about our privacy practices and follow this privacy notice currently in effect.
III. YOUR RIGHTS REGARDING YOUR PHI
This section explains your rights regarding your PHI; with respect to COEKG, this refers to your EKG records. This section also describes how you can exercise these rights.
Your right to see and receive copies of your EKG:
In general, patients have a right to see and receive copies of their PHI in designated record sets, such as a medical record or billing record. With respect to COEKG, this means that you can view and correct your EKG data through the same input portals that Emergency Care Providers use. COEKG does not independently acquire or interpret EKG data, but we attempt to facilitate access via emergency or other surrogate providers when it is not practical for your primary care provider to attend to your medical emergency. COEKG is not responsible for clinical decision-making or EKG interpretations rendered on our data. We will make every effort to ensure the accuracy of our database, but ultimately, EKG data is only as good as the data input we receive. There is no live data posted as of 10 Sep 2005. We are launching Phase One of a prototype project. As the database is populated, we will develop procedures to let you know if there are problems with your data. COEKG will instruct providers and patients on methods for adding EKG data on their own behalf. Because of security concerns and access restrictions, EKG copies cannot be provided presently via computer from home, but with proper authentication, records can be accessed over the mail. Send your requests to: COEKG, 3101 Marlin Drive, Longmont CO 80503.
After we receive your written request, we will let you know when and how you can see or obtain a copy of your EKG. In certain circumstances, if you agree, we will fax you a copy of your EKG; we do not provide interpretation services. We are permitted to charge you a fee for the copies we provide. If we don't have the record you asked for but we know who does, we will tell you who to contact to request it.
In limited situations, we may deny some or all of your requests to see or receive copies of your EKG, but if we do, we will tell you why in writing and explain your right, if any, to have our denial reviewed.
Your right to choose how we send your EKG:
EKGs are sent to registered surrogate providers (Colorado Emergency Departments) free of charge. You may ask us to send your EKG directly to you or an unregistered clinician at a verified address or by different means (for example, fax, email or regular mail). When we can reasonably and lawfully agree to your request, we will. However, we are permitted to charge you for any additional cost of verifying the destination. Address verification is for your protection. We send EKGs directly to individuals in extraordinary circumstances, but COEKG preferentially sends data directly to a patient's health care provider.
Your right to correct or update your EKG:
If you believe there is a mistake in your EKG or that important information or a more current EKG tracing is missing, you may request that we correct or add to the record. Please write to us and tell us what you are asking for and why we should make the correction or addition. Send your requests to COEKG, 3101 Marlin Drive, Longmont CO 80503. We will respond in writing after receiving your request. If we approve your request, we will make the correction or addition to your EKG. If we deny your request, we will tell you why and explain your right to file a written statement of disagreement.
Your right to an accounting of disclosures of your EKG:
You may ask us for a list of our disclosures of your EKG. As of the project Beta launch (July 2005) there have been no disclosures except for disclosures of test EKGs to beta site requestors. Write to us at COEKG, 3101 Marlin Drive, Longmont CO 80503, at any time. Except in a legitimate medical emergency, we do not disclose any identifying information without a patient's direct consent. These data are never used for commercial purposes.
An accounting does not include certain disclosures, for example, disclosures to carry out treatment, payment and health care operations; disclosures for which COEKG had a signed authorization; disclosures of your EKG to you; disclosures from a COEKG facility directory; disclosures for notifications for disaster relief purposes; or disclosures to persons involved in your care and persons acting on your behalf.
Your right to request limits on uses and disclosures of your EKG:
COEKG is a non-profit EKG data sharing service designed to benefit all patients. In the clinical setting, an emergent EKG is best interpreted in comparison to a baseline tracing. If for some reason, you do not understand this or desire to have comparison EKGs hidden from future health care providers, you may "opt-out" at any time for any reason. Notify us at COEKG c/o Dr John Ogle, 3101 Marlin Drive, Longmont CO 80503, and after verifying your identity, COEKG will consider your request. However, by Colorado law, providers do not have to agree to your request. Because COEKG strongly believes that historical EKG data is needed to optimally manage the care of patients, it is our policy not to agree to unverified requests for restrictions from clinical use. Research regulations differ slightly. COEKG reserves the right to consolidate data for non-clinical (research) use, but individuals can opt out of this in most circumstances. If we use your data for research purposes, such use will be "de-identified" and released in aggregate form only without any identity information provided to researchers. You can request that we limit our uses and disclosures of your EKG to treatment purposes, and health care operations only (excluding research).
Your right to receive a paper copy of this notice:
You also have a right to receive a paper copy of this notice upon request. Please refer to section VII of this notice on how to request a copy.
IV. COEKG AFFILIATES SUBJECT TO THIS NOTICE
This notice applies to COEKG, and HIPAA regulations apply to all of our partners.
To provide you with the health care you expect, to treat you, and to conduct operations, such as quality assurance, accreditation, licensing and compliance, all hospitals routinely share EKG data with your consent. This traditionally involves a series of phone calls, faxing a consent to the sending hospital, then copying your EKG and finally faxing a copy from the sending to the requesting facility. If all goes well, the treating clinician eventually has a baseline EKG to compare with current EKG data. In an emergency, consent to obtain historical EKG data may be implied, but any shared data is customarily and legally granted the same privacy safeguards as internal data. Although COEKG cannot guarantee the practices of all of our affiliates, we do not enroll partners without verifying their legitimacy.
COEKG personnel may have access to your EKG either as employees, physicians, volunteers or persons working with us in other capacities. Any professional who has access will be trained in HIPAA procedures.
This Notice of Privacy Practices does not apply to our contracted providers who are not part of COEKG's workforce, but all of our affiliates have their own privacy policies, which are as strong as or stronger than those mandated by the HIPAA guidelines as published and revised by the Centers for Medicaid and Medicare Services, a division of the United States Department of Health and Human Services. Please contact partner providers directly for information about their privacy practices. The most relevant "partner provider" to you is the participating health care facility where your EKGs have been acquired, interpreted, recorded or filed.
V. HOW WE MAY USE AND DISCLOSE YOUR EKG
Your confidentiality is important to us. COEKG physicians and employees are required to maintain the confidentiality of the EKG of all patients, and we have policies, procedures and other safeguards to help protect your EKG from improper use and disclosure. Our data is not linked with social security, DMV or any criminal records. Sometimes, COEKG is required or allowed by law to use and disclose certain PHI without your written permission. We briefly describe these uses and disclosures below and give you some examples.
How your EKG is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.
- Treatment: This is the most important use and disclosure of your EKG. Physicians, nurses, and other health care personnel, including trainees, involved in your care may need to use and disclose your EKG to diagnose your condition and evaluate your health care needs. COEKG facilitates use and disclosure of your EKG in order to provide and coordinate the care and services you need: for example, prescriptions, X-rays, lab work, additional (serial) EKGs, admission and telemetry decisions, recommendation for further functional studies such as a treadmill or even angiography. These decisions often carry serious consequences, and the more clinical data available, the better the decision-making process. If you need care from health care providers who are not linked to COEKG, such as community Emergency Departments, we will help them get linked to the network, and in an emergency, we may disclose your EKG to them.
- Health care operations: We may use and disclose your PHI for certain health care operations, for example, quality assessment and improvement, training and evaluation of health care professionals, licensing, and accreditation. COEKG does not release your EKG to insurance companies or other providers for the purpose of determining premiums and other costs of providing health care.
- Specific types of PHI: COEKG acknowledges that there are stricter requirements for use and disclosure of certain types of PHI, for example, information about drug and alcohol abuse, AIDS and HIV, mental health, genetic testing, and artificial insemination. However, there are still circumstances in which these types of information may be used or disclosed without your authorization. If you become a patient in our chemical dependency program, we will give you a separate written notice, as required by law, about your privacy rights for your chemical dependency program PHI. Currently these strict types of PHI are outside of the scope of COEKG. Our mission is to facilitate electrocardiogram (EKG) exchange only.
- Communications with family and others when you are present: Sometimes a family member or other person involved in your care will be present when your providers are discussing your EKG with you. If you have mental capacity and object, please tell your provider and they won't discuss your EKG or they should ask the person to leave.
- Communications with family and others when you are not present: There may be times when it is necessary to disclose your EKG to a family member or other person involved in your care because there is an emergency, you are not present, or you lack the decision-making capacity to agree or object. In those instances, we will use our professional judgment to determine if it's in your best interest to disclose your EKG. If so, we will limit the disclosure to the PHI that is directly relevant to the person's involvement with your health care. For example, we may allow a surrogate to sign an EKG release on your behalf, so that physicians can access a baseline tracing. In an emergency, with an unconscious patient, we assume "implied consent" to access your old EKG data to assist with current decision-making on your behalf.
- Disclosure in case of disaster relief: Although unlikely, if COEKG is privy to your particular circumstance, we are obligated to disclose your name, city of residence, age, gender, and general condition to a public or private disaster relief organization to assist disaster relief efforts, unless you object at the time. These organizations also must safeguard any personal information.
- Disclosures to parents as personal representatives of minors: The focused and limited scope of COEKG permits and mandates that we release to parents or legal guardians all EKG data obtained on behalf of minors.
- Research: COEKG understands the importance of clinical research, and we aim to support benevolent and noncommercial use of aggregate data. Our research support is limited to collection and analysis of health data. Research of all kinds may involve the use or disclosure of your EKG. Your EKG can generally be used or disclosed for research without your permission if an Institutional Review Board (IRB) approves such use or disclosure. An IRB is a committee that is responsible, under federal law, for reviewing and approving human subjects research to protect the safety of the participants and the confidentiality of PHI.
- Organ donation: In Colorado, we may use or disclose PHI to organ procurement organizations to assist with organ, eye or other tissue donations unless you specifically object.
- Public health activities: Public health activities cover many functions performed or authorized by government agencies to promote and protect the public's health and may require us to disclose your EKG.
- Health oversight: As health care providers and health plans, we are subject to oversight conducted by federal and state agencies. These agencies may conduct audits of our operations and activities and in that process, they may review your EKG.
- Disclosures to your employer or your employee organization: If you are enrolled in a Health Plan of Colorado through your employer or an employee organization, we may share certain PHI with them without your authorization, but only when allowed by law. For example, we may disclose your PHI for a workers' compensation claim or to determine whether you are enrolled in the plan or whether premiums have been paid on your behalf. For other purposes, such as for inquiries by your employer or employee organization on your behalf, we will obtain your authorization when necessary under applicable law.
- Workers' compensation: In order to comply with Colorado workers' compensation laws, we may use and disclose your PHI. For example, we may communicate your medical information regarding a work-related injury or illness to claims administrators, insurance carriers, and others responsible for evaluating your claim for workers' compensation benefits.
- Military activity and national security: We may sometimes use or disclose the EKG of armed forces personnel to the applicable military authorities when they believe it is necessary to properly carry out military missions. We may also disclose your EKG to authorized federal officials as necessary for national security and intelligence activities or for protection of the President and other government officials and dignitaries.
- Marketing: We do not use or disclose your PHI to contact you about benefits, services or supplies that a 3rd party might offer you. We do not lease, sell, share or release your private information to any 3rd party for commercial or "for-profit" purposes.
- Fundraising: We may use or disclose PHI only to contact you to raise funds for our charitable organization.
- Required by law: In some circumstances federal or state law requires that we disclose your EKG to others. For example, the Secretary of the Department of Health and Human Services may review a provider's compliance efforts, which may include seeing your EKG.
- Lawsuits and other legal disputes: We may use and disclose your EKG in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose PHI to the extent permitted by law without your authorization, for example, to defend a lawsuit or arbitration.
- Law enforcement: We may disclose PHI to authorized officials for law enforcement purposes, for example, to respond to a search warrant, report a crime on our premises, or help identify or locate someone.
- Serious threat to health or safety: We may use and disclose your PHI if we believe it is necessary to avoid a serious threat to your health or safety or to someone else's.
- Abuse or neglect: By law, we may disclose PHI to the appropriate authority to report suspected child abuse or neglect or to identify suspected victims of abuse, neglect, or domestic violence.
- Coroners and funeral directors: We may disclose PHI to a coroner or medical examiner to permit identification of a body, determine cause of death, or for other official duties. We may also disclose PHI to funeral directors.
- Inmates: Under the federal law that requires us to give you this notice, inmates do not have the same rights to control their PHI as other individuals. If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose your EKG to the correctional institution or the law enforcement official for certain purposes, for example, to protect your health or safety or someone else's.
VI. ALL OTHER USES AND DISCLOSURES OF YOUR EKG REQUIRE YOUR PRIOR WRITTEN AUTHORIZATION
Except for those uses and disclosures described above, we will not use or disclose your EKG without your written authorization. When your authorization is required and you authorize us to use or disclose your EKG for some purpose, you may revoke that authorization by notifying us in writing at any time. Please note that the revocation will not apply to any authorized use or disclosure of your EKG that took place before we received your revocation.
VII. HOW TO CONTACT US ABOUT THIS NOTICE OR TO COMPLAIN ABOUT OUR PRIVACY PRACTICES
If you have any questions about this notice, want to request a copy of the notice, or want to lodge a complaint about our privacy practices, please let us know by contacting the Privacy Department at:
You may also write to the Customer Service Department at: COEKG Privacy, 3101 Marlin Drive, Longmont, CO 80503. You also may notify the Secretary of the Department of Health and Human Services (HHS) to lodge a complaint about our privacy practices.
We will not take retaliatory action against you if you file a complaint about our privacy practices.
VIII. CHANGES TO THIS NOTICE
We may change this notice and our privacy practices at any time, as long as the change is consistent with state and federal law. Any revised notice will apply both to the PHI we already have about you at the time of the change, and any PHI created or received after the change takes effect. If we make an important change to our privacy practices, we will promptly change this notice and post a new notice at the following Internet address: COEKG.org/privacy.htm. Except for changes required by law, we will not implement an important change to our privacy practices before we revise this notice.
IX. EFFECTIVE DATE OF THIS NOTICE
This notice is effective on July 10, 2005.