Overview of HIPAA regulations
Privacy policies
Presence Regional EMS System
2014
HIPAA: Health Insurance Portability and Accountability Act

Objectives
Discuss the components of the HIPAA legislation as it applies to EMS Providers
Outline examples of patient information that falls under the umbrella of HIPAA protection.
Describe the penalties for breaching confidentiality through HIPAA legislation
Using a variety of scenarios, demonstrate good decision making regarding HIPAA guidelines.

Introduction
HIPAA (Health Insurance Portability and Accountability Act) was passed in 1996.
Department of Health & Human Services (DHHS) issued the final Privacy rule in April 2001.
Regulation required compliance by: April 14, 2003

Purpose of HIPAA
Protect patients’ rights by giving them access to their health information and control over how it will be used
Improve the quality of care by restoring trust in the health care system
Protect the security & privacy of all medical records that are used or shared in any form

HIPAA Privacy vs. Security Standards
Privacy Standards - deal with patients’ expectations of providers in terms of the way health information is used.
  Example - Limiting who has access to their records
Security Standards - deal with measures that covered entities can take to keep their information safe.
  Example - Encrypting information before it is sent over the Internet.

Why do we need a Privacy Rule?
HIPAA came about as the result of concerns from patients regarding:
  Breaches in confidentiality
  Particularly regarding electronic records and transport of information
Three cases in point
  A hospital in Michigan accidentally posted thousands of patient medical records on the Internet.
  Employee from a Florida health department took home a disk containing names of 4,000 patients w/ positive HIV tests.
  Congressional Candidate stated that her campaign was derailed when the media published her psychiatric treatment after a suicide attempt.

Creating a Culture of Confidentiality
Facts:
  One out of every five Americans believes their health information is used inappropriately.
  One in six report that they have provided inaccurate information to their health care provider because they don’t feel it will be kept confidential.

What happens if patients don’t trust us?
Quality care is compromised:
  Conditions may go undetected or untreated
  Health information may not be complete and accurate

Who is Included?
Health Care Providers
  Physicians
  Hospitals
  Social workers
  Pharmacists
  Nursing Homes
  Licensed health care Providers
  Outpatient Physical Therapy
  Certified Nurse-midwife services
  Home Health agencies
Emergency Medical Services Providers

Cont…
Anyone!!!!
In a healthcare facility who uses or may see confidential patient information is included.

Insurance Providers
Employees working for Health Plans
  HMOs
  Insurance companies
  Medicare
  Medicaid
  Employee benefit plans

Cont…
Business Associates
Persons or entities that provide services to or on behalf of a covered entity but are not members of the entity’s workforce, such as members of an EMS System

What is Protected Health Information (PHI)?
Health information created or received by a covered entity, regardless of form, that could be used directly or indirectly to identify an individual.
  Name
  Address
  City
  County
  Zip Code
  Fingerprints
  Name of relative or employer
  DOB
  Telephone #
  SS #
  Fax #
  Photos
  Medical Record or Account #
  License #

HIPAA Penalties
HIPAA is serious about patient privacy
  Failure to comply: Each violation is $100, with the maximum penalty not to exceed $25,000 for each identical violation
  Wrongful disclosure of information: $50,000 and / or one year of prison.
  Obtaining information under false pretense: $100,000 and / or prison for up to 5 years
  Intent to sell: $250,000 and / or up to 10 years in jail

Patient Rights
Keeping the patient informed
  Notice of Privacy Practices
  Authorization
Access/control over patient’s health information
  Access
  Amendment
Culture of confidentiality
  Restrictions
  Minimum necessary

Patient’s Rights: Keeping the patient informed
Notice of Privacy Practices
  Patients must have access to a written explanation of how your facility may use and disclose their health information.
Authorization
  Patient must grant permission for the release of medical information for non-routine disclosures and most non-health care purposes.

Patient’s Rights: Access/control over patient’s health information
Request for Access
  Right of access to inspect and obtain a copy of his/her medical record.
Request for Amendment
  Right to request a change to his/her medical record.
Restrictions
  Provide patients with an opportunity to request a restriction on the use or disclosure of his/her health information.

Patient’s Rights: Accurate Documentation
Medical Records
  Accurate
  Complete
  Legible

Patient’s Rights: Culture of Confidentiality
Minimum Necessary
  Access will be limited to the “minimum necessary” to achieve the intended purpose of the use or disclosure.
  Not all health providers need all the information on the patient. Only the information that is needed to provide care.

Can Any Healthcare Information be used for other purposes?
Information can be used for improving the delivery of care:
  Quality Assurance Review
  Continuing Education / Case Review
  Critical Incident Stress Debriefing

If any information is used
Protected Health Information (PHI) identifiers are removed as much as possible to protect the identity of the patient.
Names are never used.

HIPAA is the law
As a health care provider, it is your responsibility to honor these patient rights and to make sure that personal information is protected.

Review
Consider the following questions as a group.
  IDPH site code: Use site code assigned to your agency for 2014.
If doing this CE individually, please e-mail your answers to: [email protected]
  Use “HIPAA 2014 CE” in subject box.
  IDPH site code: 06-7100-E-1214W
You will receive an e-mail confirmation. Print this confirmation for your records and document in your PREMSS CE record book.

HIPAA Scenario One
You and your partner respond for a neighbor who suffers from depression. You discover during your assessment that the patient has had suicidal thoughts. After the call, you are concerned that other First Responders in your community need to know the extent of the patient’s illness so they can watch for warning signs should the depression deepen. Can you share what you have learned with your fellow First Responders?

HIPAA Scenario Two
There is a call in your town. It involves the treatment of an entrapped farmer who subsequently dies from his injuries. You are concerned that a Critical Incident Stress Debriefing might lead to a violation of HIPAA.
Should you be concerned?

HIPAA Scenario Three
You are in charge of presenting a CE session for the monthly meeting of First Responders. You want to share some of the details of a recent call, but you are concerned you will be in violation of HIPAA because the patient is a resident in your town.
Can you do case review as education? If so, what precautions should you take to protect the patient’

HIPAA Scenario Four
The First Responders in your fire department routinely use a break room in the station to fill out their paperwork. The room is not secure. How can you ensure that confidentiality is not compromised?
Can you work on paperwork while non-FRs are in the room?

HIPAA Scenario 5
You have just assisted with your first field delivery of a newborn. You are so excited you post it on Facebook with pictures from your cell phone. Can you do this and still comply with HIPAA?

Answers
1. No, this is a breach of confidentiality.
2. No, a Critical Incident Stress Debriefing is held with only those providers involved in the call. The rule of CISD is that everything said at the debriefing is confidential.
3. You can use the details of the call as education as long as you do not give out identifying information such as name, address.
4. If you are working on EMS First Responder paperwork, you need to be sure to put everything away when you are done. Do not leave call reports with confidential information on the table where anyone can pick it up. You can work on paperwork with non EMS personnel in the room, but do not share the information with them.
5. No. Putting information about EMS calls on Facebook is a breach of confidentiality. Even if you use no names it would be very easy in a small community for people to figure out who the mother and child are.