The Health Insurance Portability and Accountability Act (HIPAA)

1
The Health Insurance Portability and
Accountability Act(HIPAA)

• Implications for Operations in the EMS Environment

2
Content to be Covered

• -What is HIPAA
• -Penalties for Non-compliance
• -The Privacy and Security Rules
• -Obligations (Organizational and Individual)
• -Policies and Procedures
• -Common Questions/Concerns
• -Summary

3
What is HIPAA

• Federal legislation first passed in 1996
• Part of the Social Security Administration Act
  that
• Protects confidentiality and security of health
  information as it is used, disclosed, and
  electronically transmitted
• Creates a standard framework for transmitting
  electronic protected health information (ePHI)

4
Penalties for Non-Compliance

• Legislated
• Civil- 1000.00 per violation (up to 25,000 per
  year) for each requirement of rule violated
• Federal Criminal- Up to 50,000 and 1 year in
  prison for disclosing protected health
  information (PHI) up to 5 years and 100,000
  for getting PHI under false pretenses
• Up to 250,000 and 10 years for obtaining or
  disclosing PHI for sale, commercial advantage,
  personal gain, or malice.

5
Penalties for Non-compliance

• Liability may fall to the individual
• Sanctions in Gates County include actions up to
  and including dismissal
• May result in Medical Director action against
  your professional credential

6
What is PHI?

• Individually identifiable data
• Verbal, paper, or electronic
• Name, DOB, SSN, address, insurance information
• Past, present, future medical condition/treatment
  information

• Map X/Y or latitude/longitude information
• Phone number(s)
• Documents for insurance/treatment/ pharmacy
  records, etc. obtained during your encounter
• Other individually identifiable data

7
The Privacy Rule

• Designed to protect information while allowing it
  to flow, without impeding care or public health
• Primarily implemented through policies,
  procedures, and education
• These tools should ensure confidentiality and
  restrict disclosure

8
The Security Rule

• Protects the same information when it is stored
  or transmitted electronically
• Designed to guard integrity, confidentiality, and
  availability through
• Administrative procedures
• Physical safeguards
• Technical security measures
• Transmission protection standards

9
Who (that we work with) is covered by HIPAA?

• EMS
• Receiving hospitals
• Patients private physicians
• Billing Company

10
What are the obligations of Gates County EMS
under HIPAA?

• Name a Privacy Officer
• Determine who needs access, and their level of
  access, to PHI
• Implement, train and update staff on HIPAA
  policies, and keep records of same
• Secure required but aged records

11
What are the obligations of Gates County EMS
under HIPAA?

• Develop and maintain a policy for misuse of PHI
  data
• Report violations per policy
• Identify and seek business associate agreements
  from those who process PHI for EMS

12
What are the obligations of EMS Technicians under
HIPAA?

• Complete required training
• Safeguard records, computers, and oral PHI
• Give (and ensure patient or guardian understands)
  our privacy practices. Obtain signatures of
  receipt and understanding
• Know how the regulation impacts you
• Sign a confidentiality agreement
• Report violations to Privacy Officer

13
Privacy Actions by EMS Technicians

• Destroy, using supplied shredders, any
  handwritten notes containing PHI once they have
  been entered to your report
• Destroy any extra printed copies of the patient
  care report (PCR) using a shredder
• Be aware of your surroundings during permissible
  oral disclosures to limit those who may overhear

14
Privacy Actions by EMS Technicians (Contd)

• Understand and comply with the requirements of
  the privacy policy
• Report any inadvertent disclosures to the Privacy
  Officer
• Recommend actions to improve privacy practices

15
Patient Requests for Medical Records

• Provide, on request, a printed copy of the
  patient care report to the patient if requested
  during the encounter
• Refer all after-the-fact requests to the Privacy
  Officer. These include
• Patient/Guardian/Health Care Power of Attorney
  (HCPOA) requests
• Law Enforcement/Courts/Insurance
  companies/Attorney requests

16
Patient Requests to Restrict Disclosure of Their
PHI

• Refer the patient/guardian/HCPOA to the Privacy
  Officer. If an immediate restriction, the EMS
  Chief should be consulted
• Inform them that they are allowed to make this
  request
• Inform them that these requests will ultimately
  be reviewed by the Privacy Officer

17
Requests to Amend Medical Records

• Refer these requests to the Privacy Officer who
  will review these requests
• Patients request/desired amendments will be
  included with medical record file
• The Privacy Officer and EMS Chief will decide if
  PCR will be directly modified

18
What Disclosures are Authorized?

• Information directly to the patient/guardian/HCPOA
  
• Required disclosures regarding abuse/neglect of
  elders, children, the disabled
• To report a crime, or to avert a serious threat
  to the health or safety of the public
• Pre-approved data for research
• These disclosures are still recorded!

19
Inadvertent Disclosures

• Disclosures of PHI or ePHI which should not have
  occurred
• Examples
• Billing information left on a copier and
  discovered by someone else
• Discussion about treatment options for a patient
  were overheard by someone without a need to know
• A patient care report faxed to a hospital after
  the encounter was faxed to the wrong number
• Report these disclosures to the Privacy Officer

20
Inadvertent Disclosures (Contd)

• The EMS environment is not controlled as it may
  be in constructed clinical treatment areas
• Verbal reports to receiving healthcare providers,
  and necessary treatment discussions, may be
  overheard by others in the treatment area
• We must still exercise reasonable efforts to
  limit the ability of others to overhear PHI
  without negatively impacting care
• Where reasonable effort is used, these
  disclosures do not have to be logged

21
Limiting Inadvertent Disclosures

• Ask spectators to move away
• Position yourself to obscure view and minimize
  volume of speech necessary to discuss PHI with
  patients/providers, unless it impacts care or
  safety
• Hold no discussions regarding your patients or
  your calls with persons who have no legitimate
  need to know
• Have necessary discussions in protected areas
  when possible

22
Contact the Privacy Officer if you

• Receive requests from government agencies,
  subpoenas, or search warrants
• Receive a complaint (staff if prohibited from
  retaliating against anyone who makes a complaint)
• Receive request to amend PHI
• Make or know of an inadvertent disclosure of PHI
• Have any questions about HIPAA issues

23
Common Disclosures for EMS Field Personnel

• Disclosure to assisting/receiving healthcare
  providers is unrestricted, to promote complete
  and safe care
• Disclosure to Law Enforcement on scene/at
  hospital is limited to non-PHI disclosures (such
  as your units destination), except for
  Emergency Disclosures covered in other slides

24
Common Disclosures for EMS Field Personnel

• Family and friends present during the encounter
  may receive only necessary information to effect
  proper patient care or information specifically
  authorized by the patient
• If conscious and alert, patient must authorize
  any disclosure
• If unconscious/altered mental status, or
  treatment makes the patient inaccessible,
  disclose only to persons necessary to effect
  patients care. Limit only to necessary PHI
  elements, and disclose only if you can reasonably
  infer patient would not object

25
Common Questions/Concerns Related to HIPAA
(Contd)

• First responding crews to a call I was on asked
  to know the patients working diagnosis/outcome.
  As this was related to care after they left the
  patient, is this disclosure permitted?
• This information is being relayed to a treating
  healthcare provider with whom the patient
  established a relationship. It is also a quality
  assurance measure to help inform future treatment
  and care decisions for similar patient
  encounters. It IS permissible to disclose this to
  responders who were on the call in secure
  surroundings.

26
Common Questions/Concerns Related to HIPAA

• Ive been dispatched to an address that I cannot
  find, and have the patients name in my dispatch
  information. Because patient name is PHI, am I
  prohibited from using it?
• When necessary to effect patient care, it is
  permissible to disclose necessary PHI
• It IS permissible to ask a neighbor how to find
  the Jones residence, or Grace Jones house, to
  prevent delays in care
• It is not permissible to disclose the complaint,
  suspected patient status, etc.

27
Common Questions/Concerns Related to HIPAA
(Contd)

• I reported to a relieving crew that I responded
  to a drowning patient (so that the crew will give
  extra attention to the truck check off). They
  asked about the patients clinical course, and
  the events leading up to the drowning. Can I
  disclose this to them?
• NO. As the crew was not a provider of care to
  your patient, and because victim identities often
  become public (this may allow a crew to associate
  other PHI to a name), this information cannot be
  disclosed. Such a case may be recommended for
  review in a formal peer review session, in which
  de-identified information may be used to
  illustrate valuable teaching points.

28
Physical Security Initiatives

• Keep station doors locked in accordance with EMS
  policies
• Maintain custody of PCR laptops as directed by
  policy
• Identify and/or report suspected unauthorized
  persons on EMS property, incident scenes, or
  hospital private areas

29
Physical Security Initiatives (Contd)

• Maintain record storage bins in functional,
  locked condition per policy
• Transfer printed records directly to staff at
  hospitals, and EMS printed copies directly to
  secure storage per policy
• Do not attempt to save PHI to other devices

30
Physical Security Initiatives (contd)

• Medical record storage cabinets will remain
  locked whenever a record is not actively being
  removed or replaced
• Any office in which paper PHI is handled but that
  does not use specialized, locking storage bins
  will remain locked when not occupied

31
Physical/Technical Security Initiatives

• Gates County EMS encrypts all computers on which
  PHI is managed
• These devices should remain locked/logged off
  when not actively in use

32
Emergency Disclosures

• One of our toughest HIPAA issues to manage is
  communication with Law Enforcement Officers
  (LEOs)
• Generally not HIPAA covered entities
• They often have legal rights to access PHI
• They often need to know PHI to do their job
• Are trained to extract information from those who
  have it
• We have relationships wed like to maintain

33
Emergency Disclosures to LEOs

• Permissible When
• LEO request PHI to identify/locate a suspect,
  fugitive, material witness, or missing person
• Patient admits to EMS participation in a violent
  crime that may have caused serious physical harm
  to others
• We believe that the patient is escaped from
  prison or other lawful custody

34
Emergency Disclosures to LEOs (Contd)

• Limit disclosure to
• Name and address
• Date of birth (place if known)
• Social Security Number
• Type if injury
• Date and time treated

• Distinguishing Physical Characteristics
• Height
• Weight
• Eye Color
• Hair Color
• Scars/tattoos
• /- Facial Hair

Patient previous medical history, specific
treatments rendered should not be disclosed!
35
Emergency Disclosures to LEO- Crime Victims

• Child/Elder/Caregiver/Domestic abuse are covered
  by other sections
• Disclose PHI of patient who is a victim only with
  patient consent
• Exception Patient is incapacitated or other
  emergency exists and
• LEO states info will not be used against patient
  and delay for court order would adversely affect
  investigation or public safety
• Only if you believe it is in patients best
  interest

36
LEO Disclosure- Crime Reporting

• We may disclose PHI when necessary to alert law
  enforcement to a crime, and communicate
• the nature of the crime
• the location of the crime
• the location of crime victims (if known)
• the identity, description, or location of the
  perpetrator of the crime (if known or reported to
  us)

37
Emergency Disclosures

• To prevent possible immediate threats to
  individuals or the public, including general
  public health, an EMERGENCY DISCLOSURE can be
  made to anyone reasonably able to reduce the
  threat
• May be an LEO, 911 operator, the owner of a
  business against which a patient is making
  threats, etc.

38
For LEO/Emergency Disclosures NOT Court Ordered

• Complete a Gates County EMS Incident Report
• Include rationale
• Person and agency PHI disclosed to
• Nature of PHI disclosed (but not the patient PHI

39
Emergency Disclosures NOT Court Ordered

• Limit disclosure to
• Name and address
• Date of birth (place if known)
• Social Security Number
• Type if injury
• Date and time treated

• Distinguishing Physical Characteristics
• Height
• Weight
• Eye Color
• Hair Color
• Scars/tattoos
• /- Facial Hair

Patient previous medical history, specific
treatments rendered should not be disclosed!
40
Child/Elder/Caregiver Abuse or Neglect

• Report to the receiving health care facility
• Disclose to Gates County Social Services employee
  charged with protection of children, elders, or
  the incapacitated
• This applies when the EMS Technician believes
  that disclosure is necessary to prevent serious
  harm to the individual or other potential victims
  or the victim agrees to the disclosure.
• Gates County Social Services can be contacted by
  Gates County Central Communications and having
  the on call person contact you.

41
Summary

• Your practices should allow care, ensure the
  patients privacy and safety, and comply with law
• Professional discretion is necessary in making
  limited disclosure to non-treating 3rd parties
  necessary to effect patient care
• Compliance with Gates County EMS's implementation
  of HIPAA policies is mandatory

42
Summary (Contd)

• The Privacy Officer is Bubba Pauley
• Please contact with any HIPAA questions
• 24-hour cell is (252)339-7429
• E-mail is bubba.pauley_at_gatesrescue.org (do not
  include PHI in email questions or disclosure
  reports)
• All inadvertent disclosures should be reported as
  per policy and to Bubba immediately upon
  recognition

43
Summary Continued

• Notify the Privacy Officer immediately in the
  event of a lost electronic device containing PHI
• Employees are responsible for complying with
  required behaviors to help reduce the risk of
  loss
• Discretion, technical safeguards, and
  professional work practices will protect us and
  the patient

44
Summary Continued

• Law enforcement request for PHI are challenging
  to navigate
• In general, disclosures to prevent immediate harm
  to others or prevent immediate collapse of
  investigations are permitted
• Permission from the patient should always be
  obtained where possible