1. Copyright 2003 Page, Wolfberg, & Wirth, LLC. All Rights Reserved.

3.  HIPAA stands for the “Health Insurance Portability and Accountability Act”  HIPAA is a Federal law passed in 1996  Applied to EMS in April, 2004

4.  Specifies what is required to protect the security and privacy of personally identifiable health care information  Applies to most health care providers, including ambulance services

6.  Protecting patient privacy  Safeguarding patient information

9.  Protected Health Information (PHI) ◦ Individually identifiable information ◦ Dealing with past, present or future physical or mental health care or payment

10.  Protected Health Information (PHI) ◦ Created by or received by a health care provider ◦ Oral, written, photographic, electronic, digital, etc.

11.  Patient Care Reports

12.  Dispatch/Call Intake Records

13.  Billing Information

14.  Incident Reports with Patient Information

15.  Verbal Communications Between Health Care Providers

16.  Patient Records from Nursing Homes/Hospitals

17.  Physician Certification Statements

18.  The Golden Rule of HIPAA: ◦ Respect the privacy of patient information as you would your own

19.  Do not share PHI with others not involved in the patient’s care, except when permitted or required

20.  Generally speaking, keep disclosures to the “minimum amount necessary” to get the job done

21. 1. Treatment 2. Payment 3. Health Care Operations

22.  You may freely share PHI with other health care providers who also treat the patient

23.  Facilities may give PHI to the ambulance service and vice versa (e.g., transfers)  EMATALA requires the ambulance crew to have access to patient records

24.  The “minimum necessary” rule does not apply to treatment- related disclosures

25.  Your ambulance service may use PHI to file claims with payers and send bills to patients without patient consent or authorization

26.  Includes Quality Assurance or Continuous Quality Improvement, Training and certain management functions

27.  The “minimum necessary rule” applies ◦ Disclose the minimum amount needed to perform the function

29.  Can the dispatch center transmit PHI over the radio? ◦ YES! How else would you know where to respond?!

30.  Can you share PHI over the radio with other responding agencies?

31. ◦ YES! HIPAA does not prevent oral communications for treatment purposes!

32.  However, remember that the dispatch information you receive is still PHI!

33.  Be sure to document the nature of the dispatch! ◦ Example: “dispatched by 911 for a patient with chest pain...”

34.  Can you discuss the patient’s condition with first responders or other on-scene providers?

35.  Can you discuss PHI with family members?

36.  What about talking to the media or to bystanders?

37.  You may engage in discussions necessary to treat the patient

38.  Take care to minimize “incidental disclosures”

39.  Use common sense approaches!

40.  You are permitted to transmit PHI to the receiving facility

41.  May apprise the hospital of patient condition

42.  Take care to minimize incidental disclosures

43.  Use most secure transmission option

44.  You may give your PCR to the hospital ◦ The “minimum necessary” rule doesn’t apply

45.  You may give a verbal report to the hospital staff ◦ Take care to minimize incidental disclosures ◦ Sound-proof room not required!

46.  You may obtain a face sheet or billing information from the facility

47.  Discussions in the station?

48.  Quality improvement activities?

49.  CISD?

50.  HIPAA greatly limits the disclosures that EMS personnel can make!

51.  EMS personnel are patient care advocates, not law enforcement tools

52.  Permissible law enforcement disclosures are limited to specific situations

53.  After an accident call, a police officer stops by the station and asks for a copy of your PCR for the patient you transported to the hospital

54.  A police officer asks you if the patient at an accident scene appears to have been drinking

55.  A police officer who is a medically-trained First Responder is assisting you and asks for the patient’s blood pressure and pulse to record on the first responder scene report

56.  PHI can be verbally disclosed for treatment, but…  Must take reasonable steps to minimize incidental disclosures

57.  Examples ◦ Give report to ER nurse away from the crowd ◦ Use softer volume when speaking ◦ Use most secure type of transmission available

58.  “Notice of Privacy Practices” (NPP) ◦ Written document

59.  Two obligations ◦ Furnish to patient ◦ Obtain signed acknowledgment in non-emergency ◦ NuCare sends the NPP with billing statement

60.  These still involve PHI

61.  Furnish notice and obtain signed acknowledgment when possible

62.  Document reason why if not possible

63.  Can include acknowledgment directly on the refusal form

64.  You are permitted to disclose PHI to a public or private entity involved in disaster relief efforts ◦ Example: American Red Cross

65.  Purposes ◦ Notify a family member or other personal representative ◦ Of location, condition or death of patient

66.  Patients have the right to inspect and copy their medical records

67.  Requests should be directed through management (Privacy Officer) of your ambulance service

68.  Patients have a right to request amendment of their PHI

69.  Requests must go through the ambulance service ◦ 1 st : Director of Operations ◦ 2 nd : Director, Business Dev.

70.  Not required to amend if information is complete and accurate

71.  Changes should be made by the original author

72. Policies for protection

73.  PCRs should not be left unattended in the open  Do not leave PCRs and notes in your clipboard, lock them up

74.  PCRs should be maintained in a locked cabinet with limited, role-based access ◦ Keyed banker’s bag ◦ Padlocked white box

75.  Must also safeguard written notes, call intake records, physician certifications, etc. that contain PHI

76.  Trip sheets and other PHI should not be posted or used as “examples” unless identifying information is removed ◦ Training Officer is the only employee with role based access for this purpose

78.  Implement password protection to computers or networks where PHI is maintained

79.  Include confidentiality statements on e-mails and fax cover sheets

80.  Keep fax machines which receive PHI in a secure location and ensure others to whom you fax PHI do the same

81.  Use encryption technology for the electronic transmission of PHI

82.  Generally no: ◦ The recently enacted (October, 2010) HITECH ACT makes it a HIPAA violation to enter, review or QA patient records from any device that does not contain encryption software. ◦ If your device contains company approved encryption software, you may perform the above duties from personal items. ◦ FTOs, Supervisors, Managers and Directors are not exempt from this ruling.

83.  Use most secure method available to communicate with dispatch, hospital, etc. ◦ Example: cell phone vs. VHF radio

84.  Conduct conversations about PHI with other treatment providers in most secure location available

85.  Use appropriate voice volume

87.  No inappropriate banter about specific patients

90. www.pwwemslaw.com