HIPAA
• Federal law
• Regulates privacy and security of “Protected Health Information” (PHI)
• Fundamental responsibility of all EMS providers and staff
• Legal and ethical obligation
Protected Health Information (PHI)
• Any information about a person’s past, present or future health care
• Identifies or could reasonably identify the patient
  – Name
  – Address
  – Identifying numbers
  – Birth date
• Examples of PHI:
  – Patient care reports
  – Medical necessity forms
  – Patient bills
  – Claim forms
  – Records from other facilities
  – Photos & video
• Cannot use or disclose PHI for any purpose unless permitted under HIPAA
  – Applies to patients that are alive and deceased
  – Completely confidential
  – PHI is property of the organization
Use of PHI
• Treatment: use for any purpose related to providing EMS or health care to a patient
• Payment: use to file a claim with Medicare or other insurers
• Operations: internal management purposes such as:
  – Quality Assurance (QA) or Quality Improvement (QI)
  – Licensure
  – Other similar activities
Minimum Necessary Rule
• Use only the minimum amount of PHI absolutely necessary to accomplish the purpose of the disclosure
• Example: remove identifying information from a patient care report before using it for QI
Notice of Privacy Practices
• Tells patients about their rights under HIPAA
• Contains info about your agency’s privacy policies & procedures
• Give a copy to all new patients
• Give a new copy to repeat patients if revisions are made
• Not sure if they received one? Give the patient another copy
• Always attempt to obtain a signature from the patient verifying receipt of the notice
• When? At the time of service
• If the patient is under duress, unconscious, incapacitated, or in a serious emergency: focus on patient care first!
• If the patient cannot sign:
  – Document the reason
  – Attempt to get the signature of a legal guardian, power of attorney, family member, or facility representative
Patient Rights
Patients have the right to:
• Access their own PHI
• Ask for amendments if they believe their PHI to be inaccurate
• Make complaints regarding the organization’s use or misuse of their PHI
• Access PHI in electronic format if the PHI is kept electronically
• Request that PHI not be used to submit a claim to an insurer for payment (ONLY if the bill is first paid in full)
• Receive an “accounting” of all disclosures
Personal Representative?
• Determined by state law. Examples: legal guardian, power of attorney, parent of a minor, executor of a decedent’s estate
• Same rights as the patient under HIPAA (access, amendment, etc.)
• Treat the representative just as you would the patient
Other Requirements
• Policies and procedures: make them available to all staff
• HIPAA Compliance Officer or Privacy Officer required
  – Direct questions to this person
  – Has overall responsibility for the agency’s HIPAA compliance
What Else?
• Must notify the patient if:
  – Non-encrypted PHI is improperly disclosed
  – PHI is breached in any other way
• The organization must also report breaches to the US Department of Health and Human Services
• Examples: stolen laptop, lost patient care report, spreadsheet of accounts sent to the wrong person
Breach of Unsecured PHI
• All personnel who know of or even suspect improper disclosure of PHI must promptly report it to the Compliance/Privacy Officer
• IMPORTANT: a “code of silence” is NOT acceptable
• Review the policy to understand your responsibilities
HIPAA Breach Notification
• Because of the new HIPAA breach notification requirement, you must notify the patient of a breach of PHI
• There are specific requirements for following up with the patient (see the HIPAA Compliance Officer)
• Review “breach notification” policies regularly and refer to them when a breach has occurred
HIPAA and Radio Communication
• HIPAA permits any disclosure of PHI when necessary for treatment purposes
• OK to use the patient’s name over the radio to:
  – Find the patient
  – Enable the hospital to retrieve records
• What if someone overhears the patient’s name on a scanner?
  – Considered an “incidental disclosure”
  – Not a HIPAA violation
  – Same as if a bystander overhears patient info
Additional HIPAA Information
• NEVER apply HIPAA in a way that delays, impedes, or prevents patient care
• Radio communications related to patient care are permitted under HIPAA
• OK to have two patients in the ambulance
HIPAA and Law Enforcement
• Patients may disclose their own PHI to law enforcement or anyone else they wish
• HIPAA does not apply to police, only to health care providers
• If a police officer speaks directly to the patient, HIPAA is not an issue, as it is the patient giving their own medical information to the police
6 Exceptions for PHI Disclosures To Law Enforcement
1. OK to share info with police when state law requires it
   – Example: OK to notify police of certain injuries such as gunshot wounds, burns, animal bites, etc. when required by state law
   – *Check with the HIPAA Compliance Officer
2. OK to disclose limited PHI to help police identify or locate:
   – Suspect
   – Fugitive
   – Material witness
   – Missing person
3. OK to disclose about a person believed to be a crime victim
   – Simple verbal agreement from the patient → OK to disclose PHI for the victim of a crime
   – Document the verbal permission
   – If the patient is unconscious → OK if in the best interest of the patient AND if the officer agrees it will not be used against the victim
4. OK to disclose when it appears the victim died as a result of criminal activity
5. OK to disclose when a crime occurs on your premises
6. OK to disclose to report a crime in emergencies
Two More Exceptions
Disclosure to other types of agencies:
A. When it appears an individual has escaped police custody: OK to share PHI with police or prison officials
B. Where state laws require a report of:
   – Abuse
   – Neglect
   – Domestic violence
HIPAA and the Media
• HIPAA strictly prohibits providers from disclosing any patient information to the media
• Don’t even confirm the identity of the patient
• Refer requests to the HIPAA Compliance Officer
• OK only when specifically authorized IN WRITING by the patient
• It’s great to have your 15 minutes of fame on the news, but remember your professionalism and the law
HIPAA and Social Networking, Texting and Photos
• Written policies must be in place – know them!
• Do not disclose PHI via blog, web site, discussion group, social network, or other public place
• Even when you believe information is “de-identified,” do NOT share it
• Posts on social media sites can give enough info for friends & family to recognize the patient
• Names do not have to be included for it to be a violation
• In addition, this is simply unethical as a healthcare provider
• No posting of ANY patient or incident-related information in any manner
• Remember not to post pictures, videos, or accounts of specific calls that may contain anything identifiable on any company web site
Use of Cameras in the Field
• May be appropriate to capture images of an accident scene to help determine mechanism of injury
• Any image, video, or audio recording that could identify the patient is PHI and should be secured in the same manner
• Only use devices owned & issued by the organization – no personal devices
• Store images & clips securely
• Images are property of the agency
HIPAA and Family Members
• It is OK to disclose PHI to a relative, friend, or other person involved in the patient’s care if in the best interest of the patient
• Can also disclose transport destination & general condition (including death) to family members or others involved in the patient’s care
• Use judgment if not in the best interest of the patient (e.g., domestic violence situation)
HIPAA and Other Operational Issues
• Patient refusals:
  – Thoroughly document the incident
  – You are still collecting PHI even though no transport was made
  – Obtain the patient’s signature or one from the legally responsible decision maker
  – Offer the privacy notice & make a good faith effort to get a signature acknowledging receipt of the privacy notice
Working with Others at Scene
• First responders & other EMS agencies providing care on scene:
  – OK to discuss PHI for treatment purposes
  – OK to freely share information with other responding agencies when necessary for patient care
Transfer of Patient Care
• To hospital or other receiving facility:
  – OK to share PHI with:
    • Staff members
    • Patient registration personnel
    • Others who perform treatment or payment-related tasks
  – Can be done in the regular place and at a regular voice level
  – Take reasonable precautions to minimize “incidental disclosures”
• Interfacility transports:
  – OK for EMS personnel to look at patient records for treatment purposes
  – EMS professionals are health care providers who are involved in the treatment of the patient
  – Not just “giving a ride” to the other facility!
HIPAA and Billing/Administrative Issues
• Applies to anyone who deals with PHI
  – Billing staff
  – Managers
  – Compliance/Privacy Officer
  – Other administrative personnel
• Requests for records from attorneys
  – Generally must receive a written authorization from the patient to release medical records
  – Must be signed by the patient or legally responsible decision maker
  – Subpoena or other legal document → refer to the HIPAA Compliance Officer
• OK to share information with patients when they request it
  – But verify identity
  – If the request is in person, ask for ID
  – If the request is by telephone, get more information:
    • Birth date
    • Social Security number
    • Address
    • Phone number
New Restrictions on Payment Disclosures
• Patients can request that their PHI NOT be used to submit a claim to an insurance company for payment
• Only have to honor the request if the patient first pays the bill in full
Electronic PHI Access
• Must take security precautions, especially when electronic devices are left unattended
• Every user should have a unique ID and password
• Devices should have automatic log-off features when unattended for a period of time
Electronic PHI
• The organization must have administrative, physical, & technical safeguards to secure electronic PHI
• Examples:
  – Policies and procedures
  – Computer servers in a secure place
  – Devices configured with password security, auto log-off, & back-up capabilities
• DO NOT SHARE PASSWORDS!
• Do not give lock combinations to an unauthorized person
• Do not download copies of patient data onto a thumb drive or other portable device unless authorized to do so
Summary
• HIPAA laws strictly limit disclosure of PHI
• Uphold your ethical & legal responsibility to protect the confidentiality of PHI
• PHI may be used for:
  – Treatment or patient care
  – Payment & healthcare operations
• HIPAA Compliance Officer → oversees policies and procedures and is the first point of contact
• Can disclose PHI to law enforcement in limited, specific situations
• Take extra care when:
  – Communicating with the media
  – Using social networking sites
  – No texting, posting, or blogging about any patient information
• Billers and other admin personnel:
  – Take extra precaution when releasing, verifying, or confirming patient information
  – Get written authorization from the patient or personal representative when fulfilling requests for PHI from attorneys
HIPAA
Visit www.pwwemslaw.com for more information on HIPAA and other EMS Law topics