The Health Insurance Portability and Accountability Act (HIPAA) Implications for Operations in the EMS Environment
Content to be Covered
- What is HIPAA
- Penalties for Non-compliance
- The Privacy and Security Rules
- Obligations (Organizational and Individual)
- Policies and Procedures
- Common Questions/Concerns
- Summary
What is HIPAA
- Federal legislation first passed in 1996
- Part of the Social Security Administration Act that protects the confidentiality and security of health information as it is used, disclosed, and electronically transmitted
- Creates a standard framework for transmitting electronic protected health information (ePHI)
Penalties for Non-Compliance
Legislated:
- Civil: $ per violation (up to $25,000 per year) for each requirement of the rule violated
- Federal Criminal: up to $50,000 and 1 year in prison for disclosing protected health information (PHI), and up to 5 years and $100,000 for obtaining PHI under false pretenses
- Up to $250,000 and 10 years for obtaining or disclosing PHI for sale, commercial advantage, personal gain, or malice
Penalties for Non-compliance
- Liability may fall to the individual
- Sanctions in Gates County include actions up to and including dismissal
- May result in Medical Director action against your professional credential
What is PHI?
- Individually identifiable data, whether verbal, paper, or electronic
- Name, DOB, SSN, address, insurance information
- Past, present, or future medical condition/treatment information
- Map X/Y or latitude/longitude information
- Phone number(s)
- Documents for insurance/treatment/pharmacy records, etc., obtained during your encounter
- Other individually identifiable data
The Privacy Rule
- Designed to protect information while allowing it to flow, without impeding care or public health
- Primarily implemented through policies, procedures, and education
- These tools should ensure confidentiality and restrict disclosure
The Security Rule
- Protects the same information when it is stored or transmitted electronically
- Designed to guard integrity, confidentiality, and availability through:
  - Administrative procedures
  - Physical safeguards
  - Technical security measures
  - Transmission protection standards
Who (that we work with) is covered by HIPAA?
- EMS
- Receiving hospitals
- Patient's private physicians
- Billing company
What are the obligations of Gates County EMS under HIPAA?
- Name a Privacy Officer
- Determine who needs access to PHI, and their level of access
- Implement HIPAA policies, train and update staff on them, and keep records of same
- Secure required but aged records
What are the obligations of Gates County EMS under HIPAA?
- Develop and maintain a policy for misuse of PHI data
- Report violations per policy
- Identify, and seek business associate agreements from, those who process PHI for EMS
What are the obligations of EMS Technicians under HIPAA?
- Complete required training
- Safeguard records, computers, and oral PHI
- Give (and ensure the patient or guardian understands) our privacy practices; obtain signatures of receipt and understanding
- Know how the regulation impacts you
- Sign a confidentiality agreement
- Report violations to the Privacy Officer
Privacy Actions by EMS Technicians
- Destroy, using supplied shredders, any handwritten notes containing PHI once they have been entered into your report
- Destroy any extra printed copies of the patient care report (PCR) using a shredder
- Be aware of your surroundings during permissible oral disclosures to limit those who may overhear
Patient Requests for Medical Records
- Provide a printed copy of the patient care report to the patient if requested during the encounter
- Refer all after-the-fact requests to the Privacy Officer. These include:
  - Patient/Guardian/Health Care Power of Attorney (HCPOA) requests
  - Law Enforcement/Courts/Insurance companies/Attorney requests
Patient Requests to Restrict Disclosure of Their PHI
- Refer the patient/guardian/HCPOA to the Privacy Officer. If an immediate restriction is requested, the EMS Chief should be consulted
- Inform them that they are allowed to make this request
- Inform them that these requests will ultimately be reviewed by the Privacy Officer
Requests to Amend Medical Records
- Refer these requests to the Privacy Officer, who will review them
- The patient's request/desired amendments will be included with the medical record file
- The Privacy Officer and EMS Chief will decide if the PCR will be directly modified
What Disclosures are Authorized?
- Information directly to the patient/guardian/HCPOA
- Required disclosures regarding abuse/neglect of elders, children, or the disabled
- To report a crime, or to avert a serious threat to the health or safety of the public
- Pre-approved data for research
- These disclosures are still recorded!
Inadvertent Disclosures
- Disclosures of PHI or ePHI which should not have occurred
- Examples:
  - Billing information left on a copier and discovered by someone else
  - A discussion about treatment options for a patient overheard by someone without a need to know
  - A patient care report faxed to a hospital after the encounter, but sent to the wrong number
- Report these disclosures to the Privacy Officer
Inadvertent Disclosures (Cont'd)
- The EMS environment is not controlled as it may be in constructed clinical treatment areas
- Verbal reports to receiving healthcare providers, and necessary treatment discussions, may be overheard by others in the treatment area
- We must still exercise reasonable efforts to limit the ability of others to overhear PHI, without negatively impacting care
- Where reasonable effort is used, these disclosures do not have to be logged
Limiting Inadvertent Disclosures
- Ask spectators to move away
- Position yourself to obscure view, and minimize the volume of speech necessary to discuss PHI with patients/providers, unless it impacts care or safety
- Hold no discussions regarding your patients or your calls with persons who have no legitimate need to know
- Have necessary discussions in protected areas when possible
Contact the Privacy Officer if you:
- Receive requests from government agencies, subpoenas, or search warrants
- Receive a complaint (staff are prohibited from retaliating against anyone who makes a complaint)
- Receive a request to amend PHI
- Make or know of an inadvertent disclosure of PHI
- Have any questions about HIPAA issues
Common Disclosures for EMS Field Personnel
- Disclosure to assisting/receiving healthcare providers is unrestricted, to promote complete and safe care
- Disclosure to Law Enforcement on scene/at hospital is limited to non-PHI disclosures (such as your unit's destination), except for "Emergency Disclosures" covered in other slides
Common Disclosures for EMS Field Personnel
- Family and friends present during the encounter may receive only the information necessary to effect proper patient care, or information specifically authorized by the patient
- If conscious and alert, the patient must authorize any disclosure
- If unconscious/altered mental status, or treatment makes the patient inaccessible, disclose only to persons necessary to effect the patient's care. Limit to only the necessary PHI elements, and disclose only if you can reasonably infer the patient would not object
Common Questions/Concerns Related to HIPAA
- I've been dispatched to an address that I cannot find, and have the patient's name in my dispatch information. Because the patient's name is PHI, am I prohibited from using it?
- When necessary to effect patient care, it is permissible to disclose necessary PHI
- It IS permissible to ask a neighbor how to find the Jones residence, or Grace Jones' house, to prevent delays in care
- It is not permissible to disclose the complaint, suspected patient status, etc.
Common Questions/Concerns Related to HIPAA (Cont'd)
- First responding crews to a call I was on asked to know the patient's working diagnosis/outcome. As this was related to care after they left the patient, is this disclosure permitted?
- This information is being relayed to a treating healthcare provider with whom the patient established a relationship. It is also a quality assurance measure to help inform future treatment and care decisions for similar patient encounters.
- It IS permissible to disclose this to responders who were on the call, in secure surroundings.
Common Questions/Concerns Related to HIPAA (Cont'd)
- I reported to a relieving crew that I responded to a drowning patient (so that the crew will give extra attention to the truck check-off). They asked about the patient's clinical course and the events leading up to the drowning. Can I disclose this to them?
- NO. As the crew was not a provider of care to your patient, and because victim identities often become public (which may allow the crew to associate other PHI with a name), this information cannot be disclosed.
- Such a case may be recommended for review in a formal peer review session, in which de-identified information may be used to illustrate valuable teaching points.
Physical Security Initiatives
- Keep station doors locked in accordance with EMS policies
- Maintain custody of PCR laptops as directed by policy
- Identify and/or report suspected unauthorized persons on EMS property, incident scenes, or hospital private areas
Physical Security Initiatives (Cont'd)
- Maintain record storage bins in functional, locked condition per policy
- Transfer printed records directly to staff at hospitals, and EMS printed copies directly to secure storage, per policy
- Do not attempt to save PHI to other devices
Physical Security Initiatives (Cont'd)
- Medical record storage cabinets will remain locked whenever a record is not actively being removed or replaced
- Any office in which paper PHI is handled but that does not use specialized, locking storage bins will remain locked when not occupied
Physical/Technical Security Initiatives
- Gates County EMS encrypts all computers on which PHI is managed
- These devices should remain locked/logged off when not actively in use
Emergency Disclosures
- One of our toughest HIPAA issues to manage is communication with Law Enforcement Officers (LEOs)
- LEOs are generally not HIPAA covered entities
- They often have legal rights to access PHI
- They often "need to know" PHI to do their job
- They are trained to extract information from those who have it
- We have relationships we'd like to maintain
Emergency Disclosures to LEOs
Permissible when:
- An LEO requests PHI to identify/locate a suspect, fugitive, material witness, or missing person
- The patient admits to EMS participation in a violent crime that may have caused serious physical harm to others
- We believe that the patient has escaped from prison or other lawful custody
Emergency Disclosures to LEOs (Cont'd)
Limit disclosure to:
- Name and address
- Date of birth (place if known)
- Social Security Number
- Type of injury
- Date and time treated
- Distinguishing physical characteristics: height, weight, eye color, hair color, scars/tattoos, presence or absence of facial hair
The patient's previous medical history and the specific treatments rendered should not be disclosed!
Emergency Disclosures to LEO: Crime Victims
- Child/elder/caregiver/domestic abuse are covered by other sections
- Disclose PHI of a patient who is a victim only with patient consent
- Exception: the patient is incapacitated or another emergency exists, and the LEO states that the information will not be used against the patient and that delay for a court order would adversely affect the investigation or public safety
- Only if you believe it is in the patient's best interest
LEO Disclosure: Crime Reporting
We may disclose PHI when necessary to alert law enforcement to a crime, and communicate:
- the nature of the crime
- the location of the crime
- the location of crime victims (if known)
- the identity, description, or location of the perpetrator of the crime (if known or reported to us)
Emergency Disclosures
- To prevent possible immediate threats to individuals or the public, including general public health, an EMERGENCY DISCLOSURE can be made to anyone reasonably able to reduce the threat
- This may be an LEO, a 911 operator, the owner of a business against which a patient is making threats, etc.
For LEO/Emergency Disclosures NOT Court Ordered
Complete a Gates County EMS Incident Report. Include:
- Rationale
- Person and agency the PHI was disclosed to
- Nature of the PHI disclosed (but not the patient PHI itself)
Emergency Disclosures NOT Court Ordered
Limit disclosure to:
- Name and address
- Date of birth (place if known)
- Social Security Number
- Type of injury
- Date and time treated
- Distinguishing physical characteristics: height, weight, eye color, hair color, scars/tattoos, presence or absence of facial hair
The patient's previous medical history and the specific treatments rendered should not be disclosed!
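The two rules above (a fixed allow-list of fields for a non-court-ordered LEO disclosure, and an incident report that records what was disclosed without itself holding the patient's PHI) are the kind of "minimum necessary" control that can be written down as code so it is applied the same way every time. The following Python is an added example written for this page, not code from the Gates County EMS deck or from any PCR product; the field names (`name`, `injury_type`, `medical_history`, and so on), the sample record, and the helper names are constructed for illustration and are not the agency's actual PCR schema.

```python
"""Added example (not from the Gates County EMS deck): a minimum-necessary
filter for LEO / emergency disclosures that are not court ordered.

It applies the field allow-list from the slides and builds an incident-report
entry that records the rationale, the recipient, and the *names* of the PHI
fields released, without copying the patient's PHI into the report.
Field names and the sample record below are constructed for this example.
"""

from datetime import datetime, timezone

# Field allow-list taken from the "Limit disclosure to:" slide.
# Anything not listed here (history, treatments, narrative, vitals) is
# withheld by default rather than released by default.
LEO_DISCLOSABLE_FIELDS = (
    "name",
    "address",
    "date_of_birth",
    "place_of_birth",
    "ssn",
    "injury_type",
    "treated_at",
    "height",
    "weight",
    "eye_color",
    "hair_color",
    "scars_tattoos",
    "facial_hair",
)

# Constructed sample PCR record (hypothetical field names and values).
SAMPLE_PCR = {
    "name": "Sample Patient",
    "address": "1 Example Lane",
    "date_of_birth": "1980-01-01",
    "ssn": "000-00-0000",
    "injury_type": "laceration, left forearm",
    "treated_at": "2024-05-01T14:32:00Z",
    "height": "180 cm",
    "eye_color": "brown",
    "scars_tattoos": "tattoo, right shoulder",
    "facial_hair": "clean shaven",
    # Items the slide says must NOT be released to an LEO:
    "medical_history": "hypertension, type 2 diabetes",
    "treatments": ["wound irrigation", "pressure dressing"],
    "chief_complaint": "assault",
}


def minimum_necessary(pcr: dict) -> dict:
    """Return only the allow-listed fields that are actually present in the record."""
    return {k: pcr[k] for k in LEO_DISCLOSABLE_FIELDS if k in pcr}


def withheld_fields(pcr: dict) -> list:
    """Names of fields in the record that the filter did not release (for reviewer audit)."""
    return sorted(k for k in pcr if k not in LEO_DISCLOSABLE_FIELDS)


def incident_report(pcr: dict, rationale: str, recipient: str, agency: str) -> dict:
    """Build the incident-report entry the slides call for.

    The entry carries the rationale, the person and agency, and the names of
    the PHI fields disclosed. It deliberately carries no field values, so the
    report does not become a second copy of the patient's PHI.
    """
    released = minimum_necessary(pcr)
    return {
        "reported_at": datetime.now(timezone.utc).isoformat(),
        "rationale": rationale,
        "disclosed_to": {"person": recipient, "agency": agency},
        "phi_fields_disclosed": sorted(released),
        "phi_fields_withheld": withheld_fields(pcr),
    }


def report_contains_phi(report: dict, pcr: dict) -> bool:
    """Self-check: True if any PCR value was copied into the report text."""
    flat = str(report)
    return any(str(v) in flat for v in pcr.values())


if __name__ == "__main__":
    released = minimum_necessary(SAMPLE_PCR)
    rpt = incident_report(
        SAMPLE_PCR,
        "LEO request to locate a material witness",
        "Ofc. Example",
        "Example County Sheriff",
    )
    print("Released to LEO:", released)
    print("Incident report:", rpt)
    print("PHI leaked into report?", report_contains_phi(rpt, SAMPLE_PCR))
```

The design choice worth noting is that the filter is an allow-list, not a block-list: a new field added to the PCR (a medication list, a narrative) is withheld automatically until someone decides it belongs on the slide's list, which matches the deck's "should not be disclosed" default. The `report_contains_phi` check is a cheap guard against a future edit that starts copying values into the report.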
Child/Elder/Caregiver Abuse or Neglect
- Report to the receiving health care facility
- Disclose to the Gates County Social Services employee charged with protection of children, elders, or the incapacitated
- This applies when the EMS Technician believes that disclosure is necessary to prevent serious harm to the individual or other potential victims, or the victim agrees to the disclosure
- Gates County Social Services can be reached through Gates County Central Communications, who will have the on-call person contact you
Summary
- Your practices should allow care, ensure the patient's privacy and safety, and comply with the law
- Professional discretion is necessary in making the limited disclosures to non-treating 3rd parties that are necessary to effect patient care
- Compliance with Gates County EMS's implementation of HIPAA policies is mandatory
Summary (Cont'd)
- The Privacy Officer is Bubba Pauley
- Please contact him with any HIPAA questions; 24-hour cell is (252) (do not include PHI in questions or disclosure reports)
- All inadvertent disclosures should be reported as per policy, and to Bubba immediately upon recognition
Summary Continued
- Notify the Privacy Officer immediately in the event of a lost electronic device containing PHI
- Employees are responsible for complying with required behaviors to help reduce the risk of loss
- Discretion, technical safeguards, and professional work practices will protect us and the patient
Summary Continued
- Law enforcement requests for PHI are challenging to navigate
- In general, disclosures to prevent immediate harm to others, or to prevent the immediate collapse of investigations, are permitted
- Permission from the patient should always be obtained where possible