HIPAA and Confidentiality Presence Regional EMS System October 2015 CE

Objectives Describe the federal Health Insurance Portability and Accountability Act (HIPAA) Outline ways that health information can be shared verbally, written and via the internet Describe the consequences of breaching confidentiality through HIPAA legislation Using a variety of scenarios, demonstrate how confidentiality can be maintained Review the PREMSS Confidentiality policy

HIPAA Health Insurance Portability and Accountability Act Overview of HIPAA regulations Privacy policies

Introduction HIPAA ( Health Insurance Portability and Accountability Act) was passed in Department of Health & Human Services (DHHS) issued the final Privacy rule in April Regulation required compliance by: April 14, 2003

Privacy Objectives Protect patients rights by giving them access to their health information and control over how it will be used Improve the quality of care by restoring trust in the health care system Protect the security & privacy of all medical records that are used or shared in any form

HIPAA Privacy vs. Security Standards Privacy Standards - deal with patients expectations of providers in terms of the way health information is used. Example - Limiting who has access to their records Security Standards - deal with measures that covered entities can take to keep their information safe Example - Encrypting information before it is sent over the Internet.

Why do we need a Privacy Rule? HIPAA came about as the result of concerns from patients regarding: Breaches in Confidentiality Three cases in point: Accidentally, a hospital in Michigan posted thousands of patient medical records on the Internet Employee from a Florida health department took home a disk containing names of 4,000 patients w/ positive HIV tests. Congressional candidate stated that her campaign was derailed when the media published her psychiatric treatment after a suicide attempt.

Creating a Culture of Confidentiality Facts: One out of every five Americans believe their health information is used inappropriately. One in six report that they have provided inaccurate information to their health care provider because they don’t feel it will be kept confidential.

What happens if patients don’t trust us? Quality care is compromised – Conditions may go undetected or untreated Health information may not be complete and accurate

Who is Included? Health Care Providers Physicians Hospitals Social workers Pharmacists Nursing Homes Licensed health care Providers Outpatient Physical Therapy Certified Nurse-midwife services Home Health agencies Home dialysis supplies and equipment

Who is Included? Health Plans HMO’s Insurance companies Medicare Medicaid Employee benefit plans

Who is Included? Business Associates Persons or entities that provide services to or on behalf of a covered entity but are not members of the entity’s workforce

Who is Included? All EMS providers: All levels of licensure Transport Non-transport

Who is Included? Anyone!!!! In a healthcare facility who uses or may see confidential patient information is included.

What is Protected Health Information (PHI)? Health information created or received by a covered entity, regardless of form, that could be used directly or indirectly to identify an individual. Name Address (city, county, zip code) Fingerprints Name of relative or employer DOB Telephone number SS number Photos Medical Record or Account number License number

HIPAA Penalties HIPAA is serious about patient privacy Failure to comply: Each violation is $100, with the maximum penalty not to exceed $25,000 for each identical violation Wrongful disclosure of information: $50,000 and / or one year of prison. Obtaining information under false pretense: $100,000 and / or prison for up to 5 years Intent to sell: $250,000 and / or up to 10 years in jail

Patient Rights Keeping the patient informed Notice of Privacy Practices Authorization Access/control over patient’s health information Access Amendment Culture of confidentiality Restrictions Minimum necessary

Patients Rights Keeping the patient informed Notice of Privacy Practices Patients must have access to a written explanation of how your facility may use and disclose their health information. Authorization Patient must grant permission for the release of medical information for non-routine disclosures and most non- health care purposes.

Patient’s Rights Access/control over patients health information Request for Access Right of access to inspect and obtain a copy o his/her medical record. Request for Amendment Right to request a change to his/her medical record. Restrictions Provide patients with an opportunity to request a restriction on the use or disclosure of his/her health information.

Patients Rights Accurate Documentation Medical Records Accurate Complete Legible

Patient’s Rights Culture of Confidentiality Minimum Necessary Access will be limited to the “minimum necessary ” t o achieve the intended purpose of the use or disclosure.

HIPAA is the law As a health care provider, it is your responsibility to honor these patient rights and to make sure that personal information is protected.

PREMSS Policies Confidentiality Internet Communications and Social Networking Sites

Confidentiality Written Information Confidentiality regarding written patient care documentation is governed by the "Need to Know" concept. Only Presence Regional EMS providers and hospital staff directly involved in a patient's care or the monitoring of the quality of care are allowed access to a patient's medical records and reports. Prehospital Patient Care records are kept in secure areas of Emergency Departments, EMS Agencies and Presence Regional EMS System Offices following written procedures.

Confidentiality Request for release of all patient care related information should be directed to the Medical Records Department of the receiving hospital or the transporting agency. In cases of Triple Zero or refusals, patient care reports may be provided by the EMS agency to the requesting agency. The request for documentation must be in the form of a subpoena or a release of information obtained from the patient or patient’s family.

Confidentiality Verbal Information Confidential information should be discussed with other EMS providers only when it is necessary to do so in the provision of EMS care. EMS providers are not to discuss patients in public areas. Conversations regarding specific patient problems and/or care are inappropriate.

Confidentiality Radio/Telephone Communication No patient name will be mentioned in the process of prehospital radio transmissions using the MERCI frequency or MED channels. When necessary to refer to a patient, references such as, "we have a diabetic patient on North Seventh that we brought in last week" could be used. Patients may be identified by their initials. Inappropriate patient information regarding diagnosis or prognosis should not be discussed during radio/telephone transmissions.

Confidentiality Scene Security Every effort should be made to maintain the patient's auditory and visual privacy during the treatment at the scene and enroute. EMS providers should limit bystanders at the scene of an emergency. Law enforcement may be called upon to assist in maintaining reasonable distance.

Confidentiality Media Communication Any release of information regarding the patient's illness/injury and/or condition must occur through the receiving facility. EMS providers may not release patient information to the news media. Any questions from the media are forwarded by EMS providers to the receiving facility.

Internet Communications and Social Networking Sites Everyone should be aware that others, including peers and other agencies both inside and outside the Presence Regional EMS System may actively be reading what is posted in online forums. In choosing words and content, it is a good practice for everyone to consider that their supervisor, family members of patients and the general public may read their posts.

Everyone needs to exercise good judgment before posting material on internet sites or . Using a blog or social network site to make negative statements about and/or embarrass Presence Regional EMS System, any Presence Health facility, agency or person associated with the Presence Regional EMS System is inconsistent with our Mission, Values, and standards of conduct.

The following activities are Specifically Prohibited under this policy: Sharing Protected Health Information (PHI). PHI includes, but is not limited to patient’s name, address, age, race, extent or nature of illness or injury, hospital destination, crew member names and date, time and location of care. Posting photos, videos, or images of any kind which could potentially identify patients, addresses, or any other PHI. Sharing confidential or proprietary information about Presence Regional EMS System or our agencies.

The following activities are Specifically Prohibited under this policy: Postings or other online activities which are inconsistent with or would negatively impact the reputation of Presence Regional EMS System or its agencies. Engaging in vulgar or abusive language, personal attacks, or offensive terms targeting groups or individuals within the Presence Regional EMS System. Posting statements which may be perceived as derogatory, inflammatory, or disrespectful

Review Review the following scenarios as a group. If doing this CE individually, please your answers to: Use “October 2015 CE” in subject box. You will receive an confirmation. Print this confirmation for your records, and document the CE in your PREMSS CE record book. IDPH site code: E1215

HIPAA Scenario 1 You and your partner respond for a co-worker who suffers from depression. You discover during your assessment that the patient has had suicidal thoughts. After the call, you are concerned that other EMS providers in your company need to know the extent of the patient’s illness so they can watch for warning signs should the depression deepen. Can you share what you have learned with your fellow EMS providers?

HIPAA Scenario 2 You respond to a motor vehicle collision. While on the scene, you use your cell phone to take a picture of the damage to the vehicle. Later the picture is posted on Facebook and the license plate number of the vehicle is visible. The family finds the picture and has contacted an attorney. Is this a HIPAA violation? Why or why not?

HIPAA Scenario 3 You are in charge of presenting a CE session for the monthly meeting of EMS providers. You want to share some of the details of a recent call, but you are concerned you will be in violation of HIPAA. Can you do case review as education? If so, what precautions should you take to protect the patient?

HIPAA Scenario 4 You and your partner responded to a motor vehicle collision earlier in the week where aeromedical support was called to the scene and transported a patient to the trauma center. You have received a call from the local media requesting information on the patient’s injuries and current condition. How will you handle this situation?

Review List 4 things that are specifically prohibited under the PREMSS policy on “Internet Communications and Social Networking Sites”.

Renewing Your EMS License Presence Regional EMS System

EMS providers of all levels are issued a license to practice by the Illinois Department of Public Health. The license is good for 4 years. At the end of that time is has to be renewed. The renewal process is not difficult as long as each provider follows some simple steps.

Mary at the PREMSS office spends a lot of hours dealing with licensing issues so there is some SHOUTING on the next few slides.

It is your responsibility as an EMS professional to know when your license is due to expire and get it renewed in a timely manner.

It is not the responsibility of the EMS office, your agency director or your MOM!!

To make everyone happy, please act on renewing your license as soon as you get the renewal notice. DON’T LET TIME GET AWAY FROM YOU!!!!

Ninety days before your license is due to expire, IDPH will mail to your house a renewal notice. It will be an envelope from the Illinois Department of Public Health. IT IS NOT JUNK MAIL. In addition, 60 days before your license is due to expire, the PREMSS office will notify your agency coordinator to remind you that your license is due to expire

Correct Information If you have changed your address since your license was issued, you will not get a renewal notice because the US Mail will not forward the renewal notice. If you need to have your address changed, contact Mary or Shelley at the EMS office and they can change your address on the IDPH database.

Contact Information cont. If you have changed your name since your license was issued, you will not get a renewal notice because the US Mail will not forward the renewal notice. Name changes must be done by the individual and must be accompanied by legal paperwork reflecting the change in name. (marriage certificate, divorce papers etc.)

Renewal Notice The renewal notice you get from IDPH will have a PIN number in the upper left hand corner. This is the identifier you will use to renew your license.

On-Line Renewal The easiest way to renew your license is to do it on line. Go to the IDPH website On the left hand side of the homepage click on EMS Licensing On the next page on the right hand side click on EMS Licensing On-line Payment

On-Line Renewal cont. On the next screen click on Pay Renewal Fee and Renew My License You will be asked for your IDPH EMS license number, the PIN number from the renewal notice and the last 4 digits of your Social Security Number Once you are in the site you can change your address or any other data that is not correct.

On-Line Renewal cont. You will be asked: If you have been convicted of a felony If you owe child support Please answer these questions You move to a screen where you can pay your fee on line using a credit card.

On-Line Renewal cont. Once you are done on the IDPH site you must contact the EMS office to submit the required continuing education hours. Once the PREMSS office has your required CE hours, you will be checked off as valid on the IDPH site by someone in the office. Your new license will be printed the next working day and mailed to the address listed in the database.

Paper Renewal You have the option of renewing your license via a traditional route. To do this: Make sure all the data on the form is correct (name, address, etc.) Complete the questions on the license renewal form mailed to you. Send that back to IDPH with a certified check or money order for the renewal fee. This can take up to 60 days to be processed. You still need to send your continuing education hours to the EMS office for validation on the IDPH website.

Renewal With Waiver of Renewal Fee If you are a volunteer EMS provider and do not provide EMS services for pay at any agency, you are eligible to apply for a waiver of the renewal fee. To get a waiver of the renewal fee: Contact the EMS office for a waiver form or Print a waiver form from the IDPH website

Renewal With Waiver of Renewal Fee Complete the Waiver form Send it along with your continuing education to the Presence Regional EMS System office. Shelley Peelman, the EMS System Coordinator has to sign this form. Your continuing education will be validated on the IDPH website by the EMS office and your waiver ed to IDPH.

Renewal With Waiver of Renewal Fee Because of the amount of time it takes to process a waiver of the renewal fee, this process must be done no later than 30 days before the license is due to expire!!!

Renewal With Waiver of Renewal Fee No waiver of license fee forms will be processed if the license is due to expire in less than 30 days!!!

It is worth your time and energy to get the waiver of the fee for renewal to the EMS Office ASAP!!!!

How much Continuing Education Do You Need? Region 6 has specific numbers of Required Continuing Education

Required CE is based on the level of the EMS Provider (hours required in 4 years): Emergency Medical Dispatcher = 48 hours First Responder/Defib (Emergency Medical Responder) = 24 hours (.5 hours a month) EMT Basic = 120 hours (3 hours a month) EMT Intermediate = 120 hours (3 hours a month) Must include annual skills ITLS, PEPP (or PALS) and ACLS

EMT Paramedic = 120 hours (3 hours a month) Must include annual skills ITLS, PEPP (or PALS) and ACLS PHRN = 120 hours (3 hours a month) Must include annual skills ITLS, PEPP (or PALS) and ACLS ECRN = 32 hours (8 hours a year) PALS and ACLS EMS Lead Instructor = 10 hours of teaching and a letter from the Medical Director

What Counts As Continuing Education? Hour for hour classroom education Monthly CE at agency Sitting in on Initial Education (First Responder Class, Basic Class) Fire Education related to EMS HAZMAT NIMS and Scene management/disaster management (4 hours each session) Extrication Fire Fighter Rehab Use of air packs Patient case reviews Protocol or policy updates Skills review

On–line EMS Education PREMSS on line CE Other on line CE – with certificate for validation Seminars or Symposia Teaching EMS classes (20 hours per topic) College classes related to EMS Must be approved by PREMSS Education Coordinator 2 hours CE for every 1 credit hour Any other education approved by the PREMSS office

What Do You Do If You Don’t Have Enough Hours Of Continuing Education? If you are short the number of CE hours that you need to renew you can request a 90 day extension of your license. This is done through the PREMSS office and is granted or denied by IDPH. There is only one 90 day extension granted. If you had a 90 day extension the last time you renewed, IDPH will not grant you another one the next time you are due to renew.

IF YOU NEED 60+ HOURS OF CE TO RENEW A 90 DAY EXTENSION IS NOT GOING TO HELP MUCH!! DON’T GET BEHIND IN CE HOURS!!

How Should You Keep Track Of Your CE? The PREMSS office provides “little white books” for documentation of CE The maintenance of the “little white book” is your responsibility. If you leave an agency be sure you have your continuing education record to go with you The PREMSS office will also take CE hours on a computer spread sheet.

Please do not send original certificates for completed programs to the PREMSS office. You may not get them back.

Keeping Track of CE For CE to be counted the following information is needed (if you make your own spreadsheet): Date of the CE Topic of the CE Instructor Name IDPH Site Code (authorized approval of CE if it is an on-line class or from another state) Number of hours of the CE

What Happens If Your License Expires? Technically on the day your license expires it is “lapsed”. You have 60 days to reinstate the license by paying a $50 late fee. If you get the CE done and pay the late fee within the 60 day grace period, you will keep your license and move on. While you are lapsed you are not allowed to provide any EMS care.

What If You Miss The 60-Day Grace Period? If you go beyond the 60-day grace period without renewing your license and/or paying the late fee your license is expired. To get your license back you have to retake initial education classes and take the required exams to be an EMS provider in Illinois. (If you are an EMT Paramedic and your license expires, you have to start all over with an EMT Basic class)

The Moral of the Story Know when your license is due to expire Look for the IDPH renewal notice in the mail. Act on the renewal notice as soon as you get it. Keep up with continuing education hours. If you need an extension, contact the PREMSS office immediately

Moral Cont. Take care of paying for your license using a credit card on-line. IF YOU ARE A VOLUNTEER AND YOU ACT ON THE RENEWAL IN A TIMELY WAY – IT DOESN’T COST YOU ANYTHING!!!

IF YOU ARE A VOLUNTEER AND YOU DON’T ACT ON THE RENEWAL IN A TIMELY WAY – IT CAN COST YOU $70.