Privacy and security Training for EMS Professionals

Presentation transcript:

HIPAA TV: Privacy and Security Training for EMS Professionals

What is HIPAA? HIPAA: Health Insurance Portability and Accountability Act

HIPAA Federal Law Regulates privacy and security of “Protected Health Information” – PHI Fundamental responsibility of all EMS providers and staff Legal and ethical obligation

Protected Health Information (PHI) Any information about a person’s past, present or future health care Identifies or could reasonably identify patient Name Address Identifying Numbers Birth Date

Protected Health Information (PHI) PHI can take the form of: Written Verbal Digital

Protected Health Information (PHI) Examples of PHI: Patient care reports Medical necessity forms Patient bills Claim forms Records from other facilities Photos & video

Protected Health Information (PHI) Cannot use or disclose PHI for any purpose unless permitted under HIPAA Applies to patients that are alive and deceased Completely confidential PHI is property of the organization

Permitted Disclosures of PHI TPO Treatment Payment Operations

Use of PHI Treatment: Use for any purpose related to providing EMS or health care to a patient Payment: Use to file a claim with Medicare or other insurers

Use of PHI Operations: Internal management purposes such as: Quality Assurance (QA) or Quality Improvement (QI) Licensure Other similar activities

Minimum Necessary Rule Use only minimum amount of PHI absolutely necessary to accomplish purpose of disclosure Example: Remove identifying Information from patient care report before using for QI

Notice of Privacy Practices Tells patients about their rights under HIPAA Contains info about your agency’s privacy policies & procedures Give a copy to all new patients Give a new copy to repeat patients if revisions are made

Notice of Privacy Practices Not sure if they received one? Give patient another copy Always attempt to obtain signature from patient verifying receipt of notice When? At the time of service

Notice of Privacy Practices If patient is under duress, unconscious, incapacitated, or serious emergency: Focus on patient care first!

Notice of Privacy Practices If patient cannot sign? Document reason Attempt to get signature of a legal guardian, power of attorney, family member, or facility representative

Patient Rights Patients have the right to: Access own PHI Ask for amendments if they believe their PHI to be inaccurate Make complaints regarding organization’s use or misuse of their PHI

Patient Rights Patients have the right to: Access PHI in electronic format if your PHI is electronic Request to not use PHI to submit claim to insurer for payment (ONLY if bill first paid in full) Receive “accounting” of all disclosures

Personal Representative? Determined by state law Example: Legal guardian, power of attorney, parent of a minor, executor of decedent’s estate Same rights as patient under HIPAA (access, amendment, etc.) Treat representative just as you would the patient

Other Requirements Policies and procedures: make them available to all staff HIPAA Compliance Officer or Privacy Officer required Direct questions to this person Overall responsibility for agency’s HIPAA compliance

What Else? Must notify patient if: Non-encrypted PHI improperly disclosed PHI breached in any other way The organization must also report breaches to US Department of Health and Human Services Example: Stolen laptop, lost patient care report, spreadsheet of accounts sent to wrong person

Breach of Unsecured PHI All personnel who know of or even suspect improper disclosure of PHI: - Must promptly report to Compliance/Privacy Officer IMPORTANT “Code of silence” is NOT acceptable Review policy to understand responsibilities

HIPAA Breach Notification Because of new HIPAA breach notification requirement – must notify patient of breach of PHI There are specific requirements to follow-up with patient (HIPAA Compliance Officer) Review “breach notification” policies regularly and refer to the policies when a breach has occurred

HIPAA and Radio Communication HIPAA permits any disclosure of PHI when necessary for treatment purposes OK to use name over radio to: Find patient Enable hospital to retrieve records

HIPAA and Radio Communication What if someone overhears patient’s name on scanner? Considered an “incidental disclosure” Not a HIPAA violation Same as if a bystander overhears patient info

Additional HIPAA Information NEVER apply HIPAA in a way that delays, impedes, or prevents patient care Radio communications related to patient care – permitted under HIPAA OK to have two patients in the ambulance

HIPAA and Law Enforcement Patients may disclose their own PHI to law enforcement or anyone else they wish HIPAA does not apply to police, only health care providers If police officer speaks directly to patient, HIPAA is not an issue as it is the patient giving their medical information to the police

6 Exceptions for PHI Disclosures To Law Enforcement 1. OK to share info with police when state law requires it Example: OK to notify police of certain injuries such as: - Gunshot wounds, burns, animal bites, etc. when required by state law - *Check with HIPAA Compliance Officer

6 Exceptions for PHI Disclosures To Law Enforcement 2. OK to disclose limited PHI to help police identify or locate: - Suspect - Fugitive - Material witness - Missing person

6 Exceptions for PHI Disclosures To Law Enforcement 3. OK to disclose about person believed to be a crime victim Simple verbal agreement from patient → Ok to disclose PHI for victim of crime Document verbal permission If patient unconscious → OK if in best interest of patient AND if officer agrees it will not be used against victim

6 Exceptions for PHI Disclosures To Law Enforcement 4. OK to disclose when it appears victim died as a result of criminal activity 5. OK to disclose when a crime occurs on your premises 6. OK to disclose to report crime in emergencies

Two More Exceptions Disclosure to other types of agencies: A. When it appears individual has escaped police custody - OK to share PHI with police or prison officials B. Where state laws require report of: - Abuse - Neglect - Domestic violence

HIPAA and the Media HIPAA strictly prohibits providers from disclosing any patient information to media Don’t even confirm identity of patient Refer requests to HIPAA Compliance Officer

HIPAA and the Media OK only when specifically authorized IN WRITING by patient It’s great to have your 15 minutes of fame on the news – but remember your professionalism – and the law

HIPAA and Social Networking, Texting and Photos Written policies must be in place – know them! Do not disclose PHI via blog, web site, discussion group, social network, or other public place Even when you believe information is “de-identified,” do NOT share it

HIPAA and Social Networking, Texting and Photos Posts on social media sites can give enough info for friends & family to recognize patient Names do not have to be included to be a violation In addition, this is simply unethical as a healthcare provider

HIPAA and Social Networking, Texting and Photos No posting of ANY patient or incident-related information in any manner Remember not to post pictures, videos, or accounts of specific calls that may contain anything identifiable on any company web site

Use of Cameras in Field May be appropriate to capture images of accident scene to help determine mechanism of injury Any image, video, or audio recording that could identify the patient is PHI and should be secured in the same manner Only use devices owned & issued by the organization – no personal devices Store images & clips securely Images are property of the agency

HIPAA and Family Members It is OK to disclose PHI to relative, friend, or other person involved in patient’s care if in best interest of patient Can also disclose transport destination & general condition (including death) to family members or others involved in patient’s care Use judgment if not in best interest of patient (e.g., domestic violence situation)

HIPAA and Other Operational Issues Patient refusals: Thoroughly document incident You are still collecting PHI even though no transport was made Obtain patient’s signature or one from legally responsible decisionmaker Offer privacy notice & make good faith effort to get signature acknowledging receipt of privacy notice

Working with Others at Scene First responders & other EMS agencies providing care on scene: OK to discuss PHI for treatment purposes OK to freely share information with other responding agencies when necessary for patient care

Transfer of Patient Care To hospital or other receiving facility: OK to share PHI with: Staff members Patient registration personnel Others who perform treatment or payment-related tasks Can be done in regular place and at regular voice level Take reasonable precautions to minimize “incidental disclosures”

Transfer of Patient Care Interfacility Transports: Ok for EMS personnel to look at patient records for treatment purposes EMS professionals are health care providers who are involved in the treatment of the patient Not just “giving a ride” to the other facility!

HIPAA and Billing/Administrative Issues Applies to anyone who deals with PHI Billing Staff Managers Compliance/Privacy Officer Other Administrative Personnel

HIPAA and Billing/Administrative Issues Requests for records from attorneys Generally must receive a written authorization from patient to release medical records Must be signed by patient or legally responsible decisionmaker Subpoena or other legal document → refer to HIPAA Compliance Officer

HIPAA and Billing/Administrative Issues OK to share information with patients when they request it But verify identity If request is in person, ask for ID

HIPAA and Billing/Administrative Issues If request is by telephone, get more information Birth Date Social Security Number Address Phone Number

New Restrictions on Payment Disclosures Patients can request that their PHI NOT be used to submit claim to insurance company for payment Only have to honor request if patient first pays bill in full

Electronic PHI Access Must take security precautions, especially when electronic devices are left unattended Every user should have unique ID and password Devices should have automatic log-off features when unattended for period of time

Electronic PHI Organization must have administrative, physical, & technical safeguards to secure electronic PHI Examples: Policies and procedures Computer servers in secure place Devices configured with password security, auto log-off, & back-up capabilities

Electronic PHI DO NOT SHARE PASSWORDS! Do not give lock combinations to an unauthorized person Do not download copies of patient data onto thumb drive or other portable device unless authorized to do so

Summary HIPAA laws strictly limit disclosure of PHI Uphold ethical & legal responsibility to protect confidentiality of PHI

Summary PHI may be used for: Treatment or patient care Payment & healthcare operations HIPAA Compliance Officer → oversee policies and procedures and be first point of contact

Summary Can disclose PHI to law enforcement in limited, specific situations Pay extra attention when: Communicating with media Using social networking sites No texting, posting, or blogging about any patient information

Summary Billers and other admin personnel: Take extra precaution when releasing, verifying, or confirming patient information Get written authorization from patient or personal representative when fulfilling requests for PHI from attorneys

HIPAA Any Questions? Check with your HIPAA Compliance Officer

HIPAA Visit www.pwwemslaw.com for more information on HIPAA and other EMS Law topics