Presentation on theme: "HIPAA: Basic to Advanced (What it is and what it isn’t) Jonathan Moore Director, Fire & EMS Operations/ GIS International Association of Fire Fighters."— Presentation transcript:
HIPAA: Basic to Advanced (What it is and what it isn’t) Jonathan Moore Director, Fire & EMS Operations/ GIS International Association of Fire Fighters
What is HIPAA? Health Insurance Portability and Accountability Act HIPAA Security Rule Focused on Patient Information Privacy
DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Parts 160, 162, and 164 [CMS-0049-F] RIN 0938-AI57 Health Insurance Reform: Security Standards AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS. ACTION: Final rule. SUMMARY: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Are you covered by HIPAA? Are you an EMS provider? Do you bill for your EMS services? Do you bill Medicare? Do you transmit Medicare billing information electronically?
Covered Entities Health Plans Health Care Clearinghouse Health Care Provider –Who transmits any health information in electronic form in connection with a “covered transaction” –Claim filing is most common covered transaction, but there are others
Common Covered Electronic Transactions Claims filing Remittance advice Coordination of benefits Claim status Health plan enrollment/disenrollment Eligibility Referral certification
What is the worry about “transactions”? Protected Health Information “PHI”
Three Basic Permitted Uses of PHI Treatment, Payment and Operations Called the “TPO” Uses Consent, authorization or other permission is NOT REQUIRED for these uses
“OOPS” Incidental Disclosures Happen and are “Expected” Examples? –Radio Communications –ER Arrival “Report” Protections? –“Reasonable Safeguards” Does not require that you implement new technologies for privacy purposes
Dispatch Communications Scanner World… Internet CAD pages Martin County Emergency Services "FIRE/RESCUE SCANNER“ Martin County Emergency Services "FIRE/RESCUE SCANNER“Martin County Emergency Services "FIRE/RESCUE SCANNER“
Dispatch Communications Most public safety and EMS communications are treatment related You have to find the patient and SHOULD have an idea what the nature of the problem is Any radio disclosure of patient information for location or treatment purposes is permitted
And What About Law Enforcement? ….be careful here…..
Law Enforcement Disclosures HIPAA limits the disclosures that EMS providers can make EMS providers are patient care advocates, not law enforcement information sources Permissible law enforcement disclosures are limited to specific situations.Covered under Section
Permissible Law Enforcement Disclosures…Overview 1. When required by law or pursuant to process (e.g., gunshot wound reporting) 2. Identification and location purposes (victim or material witness, includes type of injury) 3. Response to request for information about a victim of a crime (can’t be used against the victim, needed to determine violation of law, in the best interests of the individual)
Permissible Law Enforcement Disclosures…Overview 4. Decedents (if suspected death may be from criminal conduct) 5. Crime on the premises (evidence of criminal conduct) 6. Reporting crime in emergencies (identity, description and location of perpetrator)
Required By Law/Pursuant to Process Health care providers permitted to disclose PHI under HIPAA for injury reporting when required by state law –Examples Gunshot injuries Burns Animal bites Check state law for specifics
Required By Law/Pursuant to Process Court orders Warrant Grand jury subpoena Civil investigative demand, administrative subpoena or other authorized, official request The PHI must be relevant and material to legitimate law enforcement inquiry
Identification and Location To identify or locate a: –Suspect –Fugitive –Material witness –Missing person
Identification and Location The covered entity may only furnish: –Name –Address –DOB –SSN –Blood type –Type of injury –Date/time of treatment –Date/time of death* –Description of distinguishing physical characteristics
Crime Victims May disclose PHI in response to a law enforcement request, where the individual is a possible crime victim IF patient agrees; OR If patients unable to agree because of condition, may release PHI if: –Law enforcement represents that the info is needed immediately; AND –Won’t be used against the victim*
Decedents May release PHI to alert law enforcement of a patient’s death, IF the death may have resulted from criminal activity You are not required to make a “legal conclusion” that the death resulted from a crime Only a “suspicion” is required Note: there is a general exception for releasing PHI to coroners and funeral directors for non crime-related deaths
Crime on Premises Health care provider can disclose PHI to report a crime at the provider’s premises Need only have a “good faith belief” that the information may constitute evidence of a crime on the premises Examples: Child Abuse, Assault
Reporting Crime in Emergencies Emergency care providers may release PHI to law enforcement to alert them to: –Commission and nature of a crime –Location of the crime or of the victim –Identity, description and location of perpetrator
“Channel 11 News Reports…..” What can you say to the Media? OR What can the Media say?
Media Disclosures and HIPAA There are no express provisions in the Privacy Rule addressing media disclosures However, EMS organizations are often put in the position of fielding media requests Is it possible to strike a balance?
Media Disclosures and HIPAA Disclosures made with patient authorization –Use a HIPAA-compliant authorization form –Must specifically inform the patient of the information to be disclosed and to whom it will be disclosed –Disclosures must be limited to those in the authorization
Media Disclosures and HIPAA Disclosures of de-identified information De-identified PHI is information that: –Does not identify an individual; AND –There is no reasonable basis to believe the information could be used to identify an individual
“De-Identification”? The following information must be removed: –Name –Geographic identifiers smaller than a state –Phone/fax/ address –SSN –Medical records numbers –Photographs –Account numbers –License numbers –Other unique identifiers
Permissible Media Disclosures General information about the incident, number of victims and hospital destinations –Example: “a total of five patients were transported from the accident scene. Four were taken by ambulance to the City Hospital and one by helicopter to the County Trauma Center.”
Permissible Media Disclosures General information about the incident location, if it cannot reasonably be used to identify an individual patient –Example: “we responded to an incident at the Downtown Outlet Center and transported one patient to the hospital.” –NOT: “we responded to a residence in the 100 block of Hobart Street and transported a patient from the scene to the local hospital.”
Permissible Media Disclosures Information about the crew and other responding agencies –Example: “Paramedics Smith and Wesson responded on behalf of Speedy Ambulance Service. The Awesome City Fire Department, County Sheriff’s office, and other agencies also responded.”
Permissible Media Disclosures General information about patient condition if it cannot reasonably be used to identify a patient –Example: “Last month we transported 300 patients, 80% were transported to emergency room, 20% had alternative destinations.” –Example: “Over ‘Motorcycle Weekend’ we transported 27 victims of motorcycle collisions, only 50% of those patients were wearing helmets.”
How Soon Must You Comply? April 20, 2005!
Comply With What? The Security Rule… “Security” is a grey area The regulation incorporates concepts of: –Scalability –Flexibility –Generalization The Rule itself reads more like a guide – hope your interpretation/implementation meets someone else’s understanding of the “Rule”
Security Rule Applies only to electronic PHI (“e-PHI”) e-PHI is any PHI that is in electronic form prior to transmission
What Can We Do About This? Administrative Safeguards Physical Safeguards Technical Safeguards
Administrative Safeguards Policies and procedures; disciplinary standards, to ensure that your personnel protect your patients’ PHI Compliance officer Training
Physical Safeguards Security of your buildings, offices, cabinets, etc. where e-PHI is stored, as well as your computers, workstations and electronic media
Technical Safeguards Protections such as passwords, backups and other security features on your computers, networks, PDAs, laptops, etc.
HIPAA “In Your Face” Not a catch-all for protecting providers or patients Can make ‘fact finding’ difficult for discipline or grievance processes Other privacy protections are available
Medical Information Privacy IAFF Dominick F. Barbera EMS in the Fire Service Conference Kurt Rumsfeld IAFF Legal Counsel June, 2007
Legal Disclaimer Please note that this presentation is offered solely for informational purposes, and is not intended, nor should it be relied upon, as legal advice. An individual or affiliate in need of legal advice or assistance on any topic covered in this presentation should contact and confer with legal counsel to obtain legal advice appropriate to his or her particular situation.
Dealing with HIPAA as a Union Representative Frank, a member of your union, is disciplined for allegedly failing to follow patient care protocol during an EMS response. Frank says he did everything “by the book” and that the “paperwork will prove it.” During the grievance process, you request the company’s records related to the response, but management refuses your request because the records contain protected health information under HIPAA. How do you respond?
Dealing with HIPAA as a Union Representative Disclosure of PHI is permitted for “resolution of internal grievances.” 45 C.F.R Incidental disclosures do not violate the Privacy Rule “if the minimum necessary and reasonable safeguards are met.” 45 C.F.R (a)(1)(iii) Consider redacting information or entering into a confidentiality agreement.
Dealing with HIPAA as a Union Representative Alleging that EMS employees have been taking excessive and unnecessary sick leave, your employer institutes a policy requiring anyone taking sick leave for more than one shift to obtain a certificate from a doctor certifying that such leave was necessary and that the employee can return to work. During negotiations, you demand documentation substantiating the employer’s concerns regarding sick leave abuse. Your employer refuses your demand on grounds that, as an EMS provider, it is a “covered entity” under HIPAA, and therefore cannnot release any records that contain protected health information of its employees.
Dealing with HIPAA as a Union Representative “Covered entities must comply with [HIPAA’s Privacy Rule] in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurse’s sick leave is not protected health information under this rule.” 65 Fed. Reg. 82,612 (2000) “Employment records held by a covered entity in its role as an employer” are excluded from the definition of “protected health information.” 45 C.F.R
What laws govern your employer’s decision to require employee medical exams and its handling of employee medical records? Fasten your seat belts.
Limits on Employers’ Use of Employee Medical Information Americans with Disabilities Act (ADA) Family and Medical Leave Act (FMLA) Title VII of the 1964 Civil Rights Act U.S. and State Constitutions State Statutory and Common Law Rights –Invasion of privacy –Defamation
Americans with Disabilities Act (ADA) “A covered entity shall not require a medical examination and shall not make inquiries of an employee as to whether such employee is an individual with a disability or as to the nature or severity of the disability, unless such examination or inquiry is shown to be job-related and consistent with business necessity.” 42 U.S.C (b)(4)(A)
ADA (cont’d) “A covered entity may make inquiries into the ability of an employee to perform job-related functions.” 42 U.S.C (b)(4)(B) Information regarding the medical condition or history of any employee must be collected and maintained on separate forms and in separate medical files and is treated as a confidential medical record. 42 U.S.C (b)(4)(C) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of employees, and first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment. 42 U.S.C (b)(3)
ADA – Periodic Medical Exams “Periodic medical examinations for public safety positions that are narrowly tailored to address specific job-related concerns and are shown to be consistent with business necessity would be permissible.” Watson v. City of Miami Beach, 177 F.3d 932 (11 th Cir. 1999) (quoting EEOC Compliance Manual) In Watson, city required incumbent police officers to submit to TB tests, because of police exposure to high-risk individuals, even where such exams required the officers to reveal their HIV-AIDS status (since this was necessary to properly diagnose and treat an individual with TB) ADA also allows for “voluntary medical examinations…which are part of an employee health program available to employees.” 29 U.S.C (d)(4)(C)
ADA - Fitness for Duty Exams An employer may require incumbent employees to obtain medical certification before returning to work after an injury or medical procedure to demonstrate the employee’s ability to perform job-related functions. 29 C.F.R (c); Porter v. United States Alumoweld Co., 125 F.3d 243 (4 th Cir. 1997) An employer can require a medical exam for an employee who has record of chronic absenteeism. Yin v. California, 95 F.3d 864 (9 th Cir. 1996)
ADA – Fitness for Duty Exams Conroy v. NY Dep’t of Correctional Services, 333 F.3d 88 (2d Cir. 2003): – employer must show more than that the inquiry is “convenient or beneficial to its business” –must show “business necessity” which may include “ensuring that the workplace is safe and secure or cutting down on egregious absenteeism” –inquiry or examination canot be any broader or intrusive than necessary
ADA – Chronic Absenteeism Policies Transport Workers Local 100 v. NYC Transit Authority, 341 F.Supp.2d 432 (S.D.N.Y. 2004) –Citing sick leave abuse, employer requires all employees out sick for two or more days and employees on “sick leave control list” to submit medical certificate from doctor stating the diagnosis/objective finding as well as treatment prognosis –Court sustains policy for those on “control list” and for employees in “safety sensitive positions” (e.g. bus drivers) –But for all other employees, employer may only require employee to submit doctor’s certificate confirming employee was incapable of performing duties, and that the employee is now fit to resume duties, but may not require doctor’s description of the nature of the illness or treatment
ADA – Confidentiality of Medical Records Great protection in theory, not always in practice Doe v US Postal Service, 317 F.3d 339 (D.C.Cir. 2003): report from employee’s physician confirming that employee had HIV (required by employer for employee to qualify for FMLA leave) was an “inquiry” under ADA entitled to confidentiality Medlin v. Rome Strip Steel Co., 294 F.Supp.2d 279 (N.D.N.Y. 2003): contents of functional capacity evaluation (FCE) conducted by physical therapist and required by employer as a condition of returning to work constitute confidential medical information under ADA Yoder v. Ingersoll-Rand Co., 31 F.Supp.2d 565 (N.D. Ohio 1997): employer didn’t violate ADA by inadvertently turning over unopened medical report showing employee had AIDS to employee’s mother, a co-worker, because confidentiality requirement applies only to applicant exams and “on site” medical exams; 6 th Circuit affirmed
ADA – Other Limits on Scope ADA exempts insurers, health maintenance organizations or other benefit plan administrators when they underwrite or classify risks. 42 U.S.C (c) Barnes v. Benham Group, 22 F.Supp.2d 1013 (D.Minn. 1998): employer may require employees to fill out extensive medical histories as required by plan administrators for purpose of risk assessment or waiving coverage eligibility for a new employee health plan
Family and Medical Leave Act (FMLA) Provides for unpaid leave for serious medical conditions Allows employers to obtain medical certification of such conditions; limited to medical facts supporting conclusion that condition qualifies for FMLA leave, onset dates, likely duration, likely treatment and impact on work; DOL approved form: dol.gov/esa/regs/compliance/whd/fmla. Also allows employers to require “simple statement” certifying ability to return to work, and to obtain second opinion, and possibly third, at employer’s expense – 29 C.F.R Medical records must be kept separate and confidential
Non-Discrimination Laws Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260 (9 th Cir. 1998): employer violated Title VII (sex and race discrimination) by testing blood samples taken as part of general medical exam for pregnancy and sickle cell traits without informing employees Wroblewski v. Lexington Gardens, 448 A.2d 801 (Conn. 1982): employer committed sex discrimination by conducting medical inquiry into female applicant’s “urogenital health” where no such inquiries were made of men
Constitutional Limitations For public sector employees, actions of employers are subject to constitutional limitations (federal and state) Fourth Amendment protects against unreasonable searches, and balances employee’s privacy interest with employer’s interest in obtaining the medical information –Tough argument for public safety employees (see drug testing) –Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260 (9 th Cir. 1998): employer violated 4 th Amendment and due process clause (privacy) by testing employee blood samples for medical and genetic information related to syphilis, sickle cell and pregnancy without knowledge of the employees; “that one has consented to a general medical examination does not abolish one’s privacy right not to be tested for intimate, personal matters involving one’s health – nor does consenting to giving blood or urine samples, or filling out a questionnaire” –Also found violation of privacy right under California Constitution
State Statutory Protections A “morass” of different statutory and regulatory schemes 36 states impose a general duty on physicians (and in most cases other health care providers) to maintain patient confidentiality Fewer states impose restrictions on employers –Pettus v. Cole, 57 Cal.Rptr.2d 46 (Cal.App. 1996): employer refers stressed employee for psychological evaluation after he seeks disability leave; doctor, retained by employer, discloses to the employer highly personal information revealed by employee; court finds violation of California Confidentiality of Medical Information Act because disclosure exceeded exception in the Act allowing for health care provider to disclose to employer “functional limitations on the patient that may entitle the patient to leave from work for medical reasons or limit the patient’s fitness to perform present employment, provided that no statement of medical cause is included in the information disclosed”
State Common Law Protections Invasion of privacy –Medical information is protected by common law doctrine of privacy, but disclosure may be protected by “qualified privilege” when only shared with those with a “need to know” –Davis v. Monsanto, 627 F.Supp. 418 (S.D.W.Va. 1986): no breach of privacy where psychologist’s report on employee’s suicidal tendencies was shared by company’s manager with the personnel department and union representative; all had a legitimate interest in protecting the plant and its employees from danger –White v. Township of Winthrop, 116 P.3d 1034 (Wash.App. 2005): mayor breached privacy of town marshall by telling press he resigned for “health reasons” related to a “seizure,” insofar as disclosure was “highly offensive” where marshall intended to keep reason private
State Statutory Protections (cont’d) S & A Plumbing v. Kimes, 756 So.2d 1037 (Fla.Dist.Ct. App. 2000): employee does not have state constitutional privacy claim where health care provider gave medical records to employer and insurance carrier in conjunction with worker’s comp claim, despite employee’s lack of express consent –court cites Florida statute that provides for exchange of such information, and employee essentially consented when he presented himself for evaluation of the injury as assessment of whether it is attributable to his employment
State Common Law Protections Defamation: an erroneous medical report might be construed as a false statement of fact harmful to the employee’s reputation; can apply to physician’s publication or subseqent publication by other parties –Physicians typically enjoy a qualified privilege to report, but this can be defeated if it is found that physician harbored a malicious motive; if the information was recklessly disseminated, or involved a reckless disregard for the truth of the information; or if report exceeded scope of the privilege –McDermott v. Hughley, 561 A.2d 1038 (Md. 1989): psychologist exceeded scope of privilege by reporting to employer that employee was “malingerer and a virtual pathological liar” as a result of an altercation he had with the employee; purpose of the report was supposed to be limited to whether the employee could perform a particular job assignment
IAFF Resources IAFF Fire & EMS Operations Department IAFF Health and Safety Department IAFF Legal Department –Your local president can request guidance by a request submitted through your District Vice President