Privacy and Security Training for EMS Professionals: HIPAA TV


Upload: chana-wicken

Post on 14-Dec-2015


Privacy and Security Training for EMS Professionals

HIPAA TV

What is HIPAA?

HIPAA
• Health Insurance Portability and Accountability Act

HIPAA
• Federal Law
• Regulates privacy and security of “Protected Health Information” – PHI
• Fundamental responsibility of all EMS providers and staff
• Legal and ethical obligation

Protected Health Information (PHI)

• Any information about a person’s past, present or future health care

• Identifies or could reasonably identify patient
– Name
– Address
– Identifying Numbers
– Birth Date

Protected Health Information (PHI)

PHI can take the form of:
• Written
• Verbal
• Digital

Protected Health Information (PHI)

• Examples of PHI:
– Patient care reports
– Medical necessity forms
– Patient bills
– Claim forms
– Records from other facilities
– Photos & video

Protected Health Information (PHI)

• Cannot use or disclose PHI for any purpose unless permitted under HIPAA

– Applies to patients that are alive and deceased

– Completely confidential

– PHI is property of the organization

Permitted Disclosures of PHI

TPO
• Treatment
• Payment
• Operations

Use of PHI

Treatment:
• Use for any purpose related to providing EMS or health care to a patient

Payment:
• Use to file a claim with Medicare or other insurers

Use of PHI

Operations:
• Internal management purposes such as:
– Quality Assurance (QA) or Quality Improvement (QI)
– Licensure
– Other similar activities

Minimum Necessary Rule

• Use only minimum amount of PHI absolutely necessary to accomplish purpose of disclosure

Example: Remove identifying information from patient care report before using for QI

Notice of Privacy Practices

• Tells patients about their rights under HIPAA
• Contains info about your agency’s privacy policies & procedures
• Give a copy to all new patients
• Give a new copy to repeat patients if revisions are made

Notice of Privacy Practices

• Not sure if they received one?
– Give patient another copy

• Always attempt to obtain signature from patient verifying receipt of notice

When? At the time of service

Notice of Privacy Practices

• If patient is under duress, unconscious, incapacitated, or serious emergency:

Focus on patient care first!

Notice of Privacy Practices

• If patient cannot sign?

– Document reason

– Attempt to get signature of a legal guardian, power of attorney, family member, or facility representative

Patient Rights

Patients have the right to:
• Access own PHI

• Ask for amendments if they believe their PHI to be inaccurate

• Make complaints regarding organization’s use or misuse of their PHI

Patient Rights

Patients have the right to:
• Access PHI in electronic format if your PHI is electronic

• Request to not use PHI to submit claim to insurer for payment (ONLY if bill first paid in full)

• Receive “accounting” of all disclosures

Personal Representative?

• Determined by state law
Example: Legal guardian, power of attorney, parent of a minor, executor of decedent’s estate

• Same rights as patient under HIPAA (access, amendment, etc.)

• Treat representative just as you would the patient

Other Requirements

• Policies and procedures: make them available to all staff

• HIPAA Compliance Officer or Privacy Officer required
– Direct questions to this person
– Overall responsibility for agency’s HIPAA compliance

What Else?

• Must notify patient if:
– Non-encrypted PHI improperly disclosed
– PHI breached in any other way

• The organization must also report breaches to US Department of Health and Human Services

Example: Stolen laptop, lost patient care report, spreadsheet of accounts sent to wrong person

Breach of Unsecured PHI

All personnel who know of or even suspect improper disclosure of PHI:
- Must promptly report to Compliance/Privacy Officer

IMPORTANT
• “Code of silence” is NOT acceptable
• Review policy to understand responsibilities

HIPAA Breach Notification

• Because of new HIPAA breach notification requirement – must notify patient of breach of PHI

• There are specific requirements to follow-up with patient (HIPAA Compliance Officer)

• Review “breach notification” policies regularly and refer to the policies when a breach has occurred

HIPAA and Radio Communication

• HIPAA permits any disclosure of PHI when necessary for treatment purposes

• OK to use name over radio to:
– Find patient
– Enable hospital to retrieve records

HIPAA and Radio Communication

What if someone overhears patient’s name on scanner?

• Consider an “incidental disclosure”
• Not a HIPAA violation
• Same as if a bystander overhears patient info

Additional HIPAA Information

• NEVER apply HIPAA in a way that delays, impedes, or prevents patient care

• Radio communications related to patient care – permitted under HIPAA

• OK to have two patients in the ambulance

HIPAA and Law Enforcement

• Patients may disclose their own PHI to law enforcement or anyone else they wish
• HIPAA does not apply to police, only health care providers
• If police officer speaks directly to patient, HIPAA is not an issue as it is the patient giving their medical information to the police

6 Exceptions for PHI Disclosures To Law Enforcement

1. OK to share info with police when state law requires it
Example: OK to notify police of certain injuries such as:

- Gunshot wounds, burns, animal bites, etc. when required by state law

- *Check with HIPAA Compliance Officer

6 Exceptions for PHI Disclosures To Law Enforcement

2. OK to disclose limited PHI to help police identify or locate:

- Suspect
- Fugitive
- Material witness
- Missing person

6 Exceptions for PHI Disclosures To Law Enforcement

3. OK to disclose about person believed to be a crime victim

Simple verbal agreement from patient → OK to disclose PHI for victim of crime

Document verbal permission

If patient unconscious → OK if in best interest of patient AND if officer agrees it will not be used against victim

6 Exceptions for PHI Disclosures To Law Enforcement

• OK to disclose when it appears victim died as a result of criminal activity

• OK to disclose when a crime occurs on your premises

• OK to disclose to report crime in emergencies

Two More Exceptions

Disclosure to other types of agencies:

A. When it appears individual has escaped police custody
- OK to share PHI with police or prison officials

B. Where state laws require report of:
- Abuse
- Neglect
- Domestic violence

HIPAA and the Media

• HIPAA strictly prohibits providers from disclosing any patient information to media

• Don’t even confirm identity of patient

• Refer requests to HIPAA Compliance Officer

HIPAA and the Media

• OK only when specifically authorized IN WRITING by patient

• It’s great to have your 15 minutes of fame on the news – but remember your professionalism – and the law

HIPAA and Social Networking, Texting and Photos

• Written policies must be in place – know them!

• Do not disclose PHI via blog, web site, discussion group, social network, or other public place

• Even when you believe information is “de-identified,” do NOT share it

HIPAA and Social Networking, Texting and Photos

• Posts on social media sites can give enough info for friends & family to recognize patient

• Names do not have to be included to be a violation

• In addition, this is simply unethical as a healthcare provider

HIPAA and Social Networking, Texting and Photos

• No posting of ANY patient or incident-related information in any manner

• Remember not to post pictures, videos, or accounts of specific calls that may contain anything identifiable on any company web site

Use of Cameras in Field

• May be appropriate to capture images of accident scene to help determine mechanism of injury

• Any image, video, or audio recording that could identify the patient is PHI and should be secured in the same manner

• Only use devices owned & issued by the organization – no personal devices

• Store images & clips securely
• Images are property of the agency

HIPAA and Family Members

• It is OK to disclose PHI to relative, friend, or other person involved in patient’s care if in best interest of patient

• Can also disclose transport destination & general condition (including death) to family members or others involved in patient’s care

• Use judgment if not in best interest of patient (e.g., domestic violence situation)

HIPAA and Other Operational Issues

• Patient refusals:
– Thoroughly document incident
– You are still collecting PHI even though no transport was made
– Obtain patient’s signature or one from legally responsible decisionmaker
– Offer privacy notice & make good faith effort to get signature acknowledging receipt of privacy notice

Working with Others at Scene

• First responders & other EMS agencies providing care on scene:

– OK to discuss PHI for treatment purposes

– OK to freely share information with other responding agencies when necessary for patient care

Transfer of Patient Care

• To hospital or other receiving facility:

– OK to share PHI with:
  • Staff members
  • Patient registration personnel
  • Others who perform treatment or payment-related tasks
• Can be done in regular place and at regular voice level
• Take reasonable precautions to minimize “incidental disclosures”

Transfer of Patient Care

• Interfacility Transports:
– OK for EMS personnel to look at patient records for treatment purposes

– EMS professionals are health care providers who are involved in the treatment of the patient

– Not just “giving a ride” to the other facility!

HIPAA and Billing/Administrative Issues

• Applies to anyone who deals with PHI

– Billing Staff
– Managers
– Compliance/Privacy Officer
– Other Administrative Personnel

HIPAA and Billing/Administrative Issues

• Requests for records from attorneys

– Generally must receive a written authorization from patient to release medical records

– Must be signed by patient or legally responsible decisionmaker

– Subpoena or other legal document → refer to HIPAA Compliance Officer

HIPAA and Billing/Administrative Issues

• OK to share information with patients when they request it

• But verify identity

• If request is in person, ask for ID

HIPAA and Billing/Administrative Issues

• If request is by telephone, get more information

– Birth Date
– Social Security Number
– Address
– Phone Number

New Restrictions on Payment Disclosures

• Patients can request that their PHI NOT be used to submit claim to insurance company for payment

• Only have to honor request if patient first pays bill in full

Electronic PHI Access

• Must take security precautions, especially when electronic devices are left unattended

• Every user should have unique ID and password

• Devices should have automatic log-off features when unattended for period of time

Electronic PHI

• Organization must have administrative, physical, & technical safeguards to secure electronic PHI

Examples:
• Policies and procedures
• Computer servers in secure place
• Devices configured with password security, auto log-off, & back-up capabilities

Electronic PHI

• DO NOT SHARE PASSWORDS!

• Do not give lock combinations to an unauthorized person

• Do not download copies of patient data onto thumb drive or other portable device unless authorized to do so

Summary

• HIPAA laws strictly limit disclosure of PHI

• Uphold ethical & legal responsibility to protect confidentiality of PHI

Summary

• PHI may be used for
– Treatment or patient care
– Payment & healthcare operations

• HIPAA Compliance Officer → oversee policies and procedures and be first point of contact

Summary

• Can disclose PHI to law enforcement in limited, specific situations

• Take extra attention when:
– Communicating with media
– Using social networking sites
– No texting, posting, or blogging about any patient information

Summary

• Billers and other admin personnel:
– Take extra precaution when releasing, verifying, or confirming patient information

– Get written authorization from patient or personal representative when fulfilling requests for PHI from attorneys

HIPAA

Any Questions?

Check with your HIPAA Compliance Officer

HIPAA

Visit www.pwwemslaw.com for more information on HIPAA and other EMS Law topics