Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy and security Training for EMS Professionals

Similar presentations

Presentation on theme: "Privacy and security Training for EMS Professionals"— Presentation transcript:

1 Privacy and security Training for EMS Professionals
HIPAA TV Privacy and security Training for EMS Professionals

2 What is HIPAA? HIPAA Health Insurance Portability and Accountability Act

3 HIPAA Federal Law Regulates privacy and security of “Protected Health Information” – PHI Fundamental responsibility of all EMS providers and staff Legal and ethical obligation

4 Protected Health Information (PHI)
Any information about a person’s past, present or future health care Identifies or could reasonably identify patient Name Address Identifying Numbers Birth Date

5 Protected Health Information (PHI)
PHI can take the form of: Written Verbal Digital

6 Protected Health Information (PHI)
Examples of PHI: Patient care reports Medical necessity forms Patient bills Claim forms Records from other facilities Photos & video

7 Protected Health Information (PHI)
Cannot use or disclose PHI for any purpose unless permitted under HIPAA Applies to patients that are alive and deceased Completely confidential PHI is property of the organization

8 Permitted Disclosures of PHI
TPO Treatment Payment Operations

9 Use of PHI Treatment: Payment:
Use for any purpose related to providing EMS or health care to a patient Payment: Use to file a claim with Medicare or other insurers

10 Use of PHI Operations: Internal management purposes such as:
Quality Assurance (QA) or Quality Improvement (QI) Licensure Other similar activities

11 Minimum Necessary Rule
Use only minimum amount of PHI absolutely necessary to accomplish purpose of disclosure Example: Remove identifying Information from patient care report before using for QI

12 Notice of Privacy Practices
Tells patients about their rights under HIPAA Contains info about your agency’s privacy policies & procedures Give a copy to all new patients Give a new copy to repeat patients if revisions are made

13 Notice of Privacy Practices
Not sure if they received one? Give patient another copy Always attempt to obtain signature from patient verifying receipt of notice When? At the time of service

14 Notice of Privacy Practices
If patient is under duress, unconscious, incapacitated, or serious emergency: Focus on patient care first!

15 Notice of Privacy Practices
If patient cannot sign? Document reason Attempt to get signature of a legal guardian, power of attorney, family member, or facility representative

16 Patients Rights Patients have the right to: Access own PHI
Ask for amendments if they believe their PHI to be inaccurate Make complaints regarding organization’s use or misuse of their PHI

17 Patient Rights Patients have the right to:
Access PHI in electronic format if your PHI is electronic Request to not use PHI to submit claim to insurer for payment (ONLY if bill first paid in full) Receive “accounting” of all disclosures

18 Personal Representative?
Determined by state law Example: Legal guardian, power of attorney, parent of a minor, executor of decedent’s estate Same rights as patient under HIPAA (access, amendment, etc.) Treat representative just as you would the patient

19 Other Requirements Policies and procedures: make them available to all staff HIPAA Compliance Officer or Privacy Officer required Direct questions to this person Overall responsibility for agency’s HIPAA compliance

20 What Else? Must notify patient if:
Non-encrypted PHI improperly disclosed PHI breached in any other way The organization must also report breaches to US Department of Health and Human Services Example: Stolen laptop, lost patient care report, spreadsheet of accounts sent to wrong person

21 Breach of Unsecured PHI
All personnel who know of or even suspect improper disclosure of PHI: - Must promptly report to Compliance/Privacy Officer IMPORTANT “Code of silence” is NOT acceptable Review policy to understand responsibilities

22 HIPAA Breach Notification
Because of new HIPAA breach notification requirement – must notify patient of breach of PHI There are specific requirements to follow-up with patient (HIPAA Compliance Officer) Review “breach notification” policies regularly and refer to the policies when a breach has occurred

23 HIPAA and Radio Communication
HIPAA permits any disclosure of PHI when necessary for treatment purposes OK to use name over radio to: Find patient Enable hospital to retrieve records

24 HIPAA and Radio Communication
What if someone overhears patient’s name on scanner? Consider an “incidental disclosure” Not a HIPAA violation Same as if a bystander overhears patient info

25 Additional HIPAA Information
NEVER apply HIPAA in a way that delays, impedes, or prevents patient care Radio communications related to patient care – permitted under HIPAA OK to have two patients in the ambulance

26 HIPAA and Law Enforcement
Patients may disclose their own PHI to law enforcement or anyone else they wish HIPAA does not apply to police, only health care providers If police officer speaks directly to patient, HIPAA is not an issue as it is the patient giving their medical information to the police

27 6 Exceptions for PHI Disclosures To Law Enforcement
OK to share info with police when state law requires it Example: OK to notify police of certain injuries such as: - Gunshot wounds, burns, animal bites, etc. when required by state law - *Check with HIPAA Compliance Officer

28 6 Exceptions for PHI Disclosures To Law Enforcement
2. OK to disclose limited PHI to help police identify or locate: - Suspect - Fugitive - Material witness - Missing person

29 6 Exceptions for PHI Disclosures To Law Enforcement
3. OK to disclose about person believed to be a crime victim Simple verbal agreement from patient → Ok to disclose PHI for victim of crime Document verbal permission If patient unconscious → OK if in best interest of patient AND if officer agrees it will not be used against victim

30 6 Exceptions for PHI Disclosures To Law Enforcement
OK to disclose when it appears victim died as a result of criminal activity OK to disclose when a crime occurs on your premises OK to disclose to report crime in emergencies

31 Two More Exceptions Disclosure to other types of agencies:
When it appears individual has escaped police custody - OK to share PHI with police or prison officials B. Where state laws require report of: - Abuse - Neglect - Domestic violence

32 HIPAA and the Media HIPAA strictly prohibits providers
from disclosing any patient information to media Don’t even confirm identity of patient Refer requests to HIPAA Compliance Officer

33 HIPAA and the Media OK only when specifically authorized IN WRITING by patient It’s great to have your 15 minutes of fame on the news – but remember your professionalism – and the law

34 HIPAA and Social Networking, Texting and Photos
Written policies must be in place – know them! Do not disclose PHI via blog, web site, discussion group, social network, or other public place Even when you believe information is “de-identified,” do NOT share it

35 HIPAA and Social Networking, Texting and Photos
Posts on social media sites can give enough info for friends & family to recognize patient Names do not have to be included to be a violation In addition, this is simply unethical as a healthcare provider

36 HIPAA and Social Networking, Texting and Photos
No posting of ANY patient or incident-related information in any manner Remember not to post pictures, videos, or accounts of specific calls that may contain anything identifiable on any company web site

37 Use of Cameras in Field May be appropriate to capture images of accident scene to help determine mechanism of injury Any image, video, or audio recording that could identify the patient is PHI and should be secured in the same manner Only use devices owned & issued by the organization – no personal devices Store images & clips securely Images are property of the agency

38 HIPAA and Family Members
It is OK to disclose PHI to relative, friend, or other person involved in patient’s care if in best interest of patient Can also disclose transport destination & general condition (including death) to family members or others involved in patient’s care Use judgment if not in best interest of patient (e.g., domestic violence situation)

39 HIPAA and Other Operational Issues
Patient refusals: Thoroughly document incident You are still collecting PHI even though no transport was made Obtain patient’s signature or one from legally responsible decisionmaker Offer privacy notice & make good faith effort to get signature acknowledging receipt of privacy notice

40 Working with Others at Scene
First responders & other EMS agencies providing care on scene: OK to discuss PHI for treatment purposes OK to freely share information with other responding agencies when necessary for patient care

41 Transfer of Patient Care
To hospital or other receiving facility: OK to share PHI with: Staff members Patient registration personnel Others who perform treatment or payment-related tasks Can be done in regular place and at regular voice level Take reasonable precautions to minimize “incidental disclosures”

42 Transfer of Patient Care
Interfacility Transports: Ok for EMS personnel to look at patient records for treatment purposes EMS professionals are health care providers who are involved in the treatment of the patient Not just “giving a ride” to the other facility!

43 HIPAA and Billing/Administrative Issues
Applies to anyone who deals with PHI Billing Staff Managers Compliance/Privacy Officer Other Administrative Personnel

44 HIPAA and Billing/Administrative Issues
Requests for records from attorneys Generally must receive a written authorization from patient to release medical records Must be signed by patient or legally responsible decisionmaker Subpoena or other legal document → refer to HIPAA Compliance Officer

45 HIPAA and Billing/Administrative Issues
OK to share information with patients when they request it But verify identity If request is in person, ask for ID

46 HIPAA and Billing/Administrative Issues
If request is by telephone, get more information Birth Date Social Security Number Address Phone Number

47 New Restrictions on Payment Disclosures
Patients can request that their PHI NOT be used to submit claim to insurance company for payment Only have to honor request if patient first pays bill in full

48 Electronic PHI Access Must take security precautions, especially when electronic devices are left unattended Every user should have unique ID and password Devices should have automatic log-off features when unattended for period of time

49 Electronic PHI Organization must have administrative, physical, & technical safeguards to secure electronic PHI Examples: Policies and procedures Computer servers in secure place Devices configured with password security, auto log-off, & back-up capabilities

Do not give lock combinations to an unauthorized person Do not download copies of patient data onto thumb drive or other portable device unless authorized to do so

51 Summary HIPAA laws strictly limit disclosure of PHI
Uphold ethical & legal responsibility to protect confidentiality of PHI

52 Summary PHI may be used for HIPAA Compliance Officer
Treatment or patient care Payment & healthcare operations HIPAA Compliance Officer → oversee policies and procedures and be first point of contact

53 Summary Can disclose PHI to law enforcement in limited,
specific situations Take extra attention when: Communicating with media Using social networking sites No texting, posting, or blogging about any patient information

54 Summary Billers and other admin personnel: Take extra precaution when
releasing, verifying, or confirming patient information Get written authorization from patient or personnel representative when fulfilling requests for PHI from attorneys

55 HIPAA Any Questions? Check with your HIPAA Compliance Officer

56 HIPAA Visit for more information on HIPAA and other EMS Law topics

Download ppt "Privacy and security Training for EMS Professionals"

Similar presentations

Ads by Google