Overview of HIPAA regulations: Privacy policies. Presence Regional EMS System, 2014. HIPAA: Health Insurance Portability and Accountability Act

Upload: terry-hendley

Post on 15-Jan-2016


TRANSCRIPT

Page 1: Overview of HIPAA regulations Privacy policies Presence Regional EMS System 2014 HIPAA: Health Insurance Portability and Accountability Act 1

Overview of HIPAA regulations

Privacy policies

Presence Regional EMS System

2014

HIPAA: Health Insurance Portability and Accountability Act


Objectives

Discuss the components of the HIPAA legislation as it applies to EMS Providers

Outline examples of patient information that falls under the umbrella of HIPAA protection.

Describe the penalties for breaching confidentiality through HIPAA legislation

Using a variety of scenarios, demonstrate good decision making regarding HIPAA guidelines.


Introduction

HIPAA (Health Insurance Portability and Accountability Act) was passed in 1996.

Department of Health & Human Services (DHHS) issued the final Privacy rule in April 2001.

Regulation required compliance by: April 14, 2003


Purpose of HIPAA

Protect patients’ rights by giving them access to their health information and control over how it will be used

Improve the quality of care by restoring trust in the health care system

Protect the security & privacy of all medical records that are used or shared in any form


HIPAA Privacy vs. Security Standards

Privacy Standards - deal with patients’ expectations of providers in terms of the way health information is used.

Example - Limiting who has access to their records

Security Standards - deal with measures that covered entities can take to keep their information safe.

Example - Encrypting information before it is sent over the Internet.


Why do we need a Privacy Rule?

HIPAA came about as the result of concerns from patients regarding:

Breaches in confidentiality

Particularly regarding electronic records and transport of information


Three cases in point

A hospital in Michigan accidentally posted thousands of patient medical records on the Internet.

An employee from a Florida health department took home a disk containing names of 4,000 patients with positive HIV tests.

A Congressional candidate stated that her campaign was derailed when the media published her psychiatric treatment after a suicide attempt.


Creating a Culture of Confidentiality

Facts:

One out of every five Americans believes their health information is used inappropriately.

One in six report that they have provided inaccurate information to their health care provider because they don’t feel it will be kept confidential.


What happens if patients don’t trust us?

Quality care is compromised –

Conditions may go undetected or untreated

Health information may not be complete and accurate


Who is Included?

Health Care Providers: Physicians, Hospitals, Social workers, Pharmacists, Nursing Homes, Licensed health care Providers, Outpatient Physical Therapy, Certified Nurse-midwife services, Home Health agencies

Emergency Medical Services Providers


Cont…

Anyone!!!!

In a healthcare facility who uses or may see confidential patient information is included.


Insurance Providers

Employees working for Health Plans: HMOs, Insurance companies, Medicare, Medicaid, Employee benefit plans


Cont…

Business Associates

Persons or entities that provide services to or on behalf of a covered entity but are not members of the entity’s workforce, such as members of an EMS System


What is Protected Health Information (PHI)?

Health information created or received by a covered entity, regardless of form, that could be used directly or indirectly to identify an individual.

Name, Address, City, County, Zip Code, Fingerprints, Name of relative or employer, DOB, Telephone #, SS #, Fax #, Photos, Medical Record or Account #, License #


HIPAA Penalties

HIPAA is serious about patient privacy

Failure to comply: Each violation is $100, with the maximum penalty not to exceed $25,000 for each identical violation

Wrongful disclosure of information: $50,000 and / or one year of prison.

Obtaining information under false pretense: $100,000 and / or prison for up to 5 years

Intent to sell: $250,000 and / or up to 10 years in jail


Patient Rights

Keeping the patient informed: Notice of Privacy Practices, Authorization

Access/control over patient’s health information: Access, Amendment

Culture of confidentiality: Restrictions, Minimum necessary


Patients’ Rights: Keeping the patient informed

Notice of Privacy Practices: Patients must have access to a written explanation of how your facility may use and disclose their health information.

Authorization: Patient must grant permission for the release of medical information for non-routine disclosures and most non-health care purposes.


Patient’s Rights: Access/control over patient’s health information

Request for Access: Right of access to inspect and obtain a copy of his/her medical record.

Request for Amendment: Right to request a change to his/her medical record.

Restrictions: Provide patients with an opportunity to request a restriction on the use or disclosure of his/her health information.


Patients’ Rights: Accurate Documentation

Medical Records: Accurate, Complete, Legible


Patient’s Rights: Culture of Confidentiality

Minimum Necessary: Access will be limited to the “minimum necessary” to achieve the intended purpose of the use or disclosure.

Not all health providers need all the information on the patient. Only the information that is needed to provide care.


Can Any Healthcare Information be used for other purposes?

Information can be used for improving the delivery of care:

Quality Assurance Review

Continuing Education / Case Review

Critical Incident Stress Debriefing


If any information is used

Protected Health Information (PHI) identifiers are removed as much as possible to protect the identity of the patient.

Names are never used.


HIPAA is the law

As a health care provider, it is your responsibility to honor these patient rights and to make sure that personal information is protected.


Review

Consider the following questions as a group.

IDPH site code: Use site code assigned to your agency for 2014.

If doing this CE individually, please e-mail your answers to: [email protected]

Use “HIPAA 2014 CE” in subject box.

IDPH site code: 06-7100-E-1214W

You will receive an e-mail confirmation. Print this confirmation for your records and document in your PREMSS CE record book.


HIPAA Scenario One

You and your partner respond for a neighbor who suffers from depression. You discover during your assessment that the patient has had suicidal thoughts. After the call, you are concerned that other First Responders in your community need to know the extent of the patient’s illness so they can watch for warning signs should the depression deepen. Can you share what you have learned with your fellow First Responders?


HIPAA Scenario Two

There is a call in your town. It involves the treatment of an entrapped farmer who subsequently dies from his injuries. You are concerned that a Critical Incident Stress Debriefing might lead to a violation of HIPAA.

Should you be concerned?


HIPAA Scenario Three

You are in charge of presenting a CE session for the monthly meeting of First Responders. You want to share some of the details of a recent call, but you are concerned you will be in violation of HIPAA because the patient is a resident in your town.

Can you do case review as education? If so, what precautions should you take to protect the patient’


HIPAA Scenario Four

The First Responders in your fire department routinely use a break room in the station to fill out their paperwork. The room is not secure. How can you ensure that confidentiality is not compromised?

Can you work on paperwork while non-FRs are in the room?


HIPAA Scenario 5

You have just assisted with your first field delivery of a newborn. You are so excited you post it on Facebook with pictures from your cell phone. Can you do this and still comply with HIPAA?


Answers

1. No, this is a breach of confidentiality

2. No, a Critical Incident Stress Debriefing is held with only those providers involved in the call. The rules of CISD are that everything said at the debriefing is confidential.

3. You can use the details of the call as education as long as you do not give out identifying information such as name, address.


Answers

4. If you are working on EMS First Responder paperwork, you need to be sure to put everything away when you are done. Do not leave call reports with confidential information on the table where anyone can pick it up. You can work on paperwork with non EMS personnel in the room, but do not share the information with them.


Answers

5. No. Putting information about EMS calls on Facebook is a breach of confidentiality. Even if you use no names it would be very easy in a small community for people to figure out who the mother and child are.
