Published by Chana Wicken. Modified over 9 years ago.
1
HIPAA TV
Privacy and Security Training for EMS Professionals
2
What is HIPAA?
HIPAA: Health Insurance Portability and Accountability Act
3
HIPAA
- Federal Law
- Regulates privacy and security of “Protected Health Information” – PHI
- Fundamental responsibility of all EMS providers and staff
- Legal and ethical obligation
4
Protected Health Information (PHI)
- Any information about a person’s past, present or future health care
- Identifies or could reasonably identify patient: Name, Address, Identifying Numbers, Birth Date
5
Protected Health Information (PHI)
PHI can take the form of:
- Written
- Verbal
- Digital
6
Protected Health Information (PHI)
Examples of PHI:
- Patient care reports
- Medical necessity forms
- Patient bills
- Claim forms
- Records from other facilities
- Photos & video
7
Protected Health Information (PHI)
- Cannot use or disclose PHI for any purpose unless permitted under HIPAA
- Applies to patients that are alive and deceased
- Completely confidential
- PHI is property of the organization
8
Permitted Disclosures of PHI
TPO:
- Treatment
- Payment
- Operations
9
Use of PHI
- Treatment: Use for any purpose related to providing EMS or health care to a patient
- Payment: Use to file a claim with Medicare or other insurers
10
Use of PHI
Operations: Internal management purposes such as:
- Quality Assurance (QA) or Quality Improvement (QI)
- Licensure
- Other similar activities
11
Minimum Necessary Rule
Use only minimum amount of PHI absolutely necessary to accomplish purpose of disclosure
Example: Remove identifying information from patient care report before using for QI
12
Notice of Privacy Practices
- Tells patients about their rights under HIPAA
- Contains info about your agency’s privacy policies & procedures
- Give a copy to all new patients
- Give a new copy to repeat patients if revisions are made
13
Notice of Privacy Practices
- Not sure if they received one? Give patient another copy
- Always attempt to obtain signature from patient verifying receipt of notice
- When? At the time of service
14
Notice of Privacy Practices
If patient is under duress, unconscious, incapacitated, or serious emergency: Focus on patient care first!
15
Notice of Privacy Practices
If patient cannot sign?
- Document reason
- Attempt to get signature of a legal guardian, power of attorney, family member, or facility representative
16
Patient Rights
Patients have the right to:
- Access own PHI
- Ask for amendments if they believe their PHI to be inaccurate
- Make complaints regarding organization’s use or misuse of their PHI
17
Patient Rights
Patients have the right to:
- Access PHI in electronic format if your PHI is electronic
- Request to not use PHI to submit claim to insurer for payment (ONLY if bill first paid in full)
- Receive “accounting” of all disclosures
18
Personal Representative?
- Determined by state law
- Example: Legal guardian, power of attorney, parent of a minor, executor of decedent’s estate
- Same rights as patient under HIPAA (access, amendment, etc.)
- Treat representative just as you would the patient
19
Other Requirements
- Policies and procedures: make them available to all staff
- HIPAA Compliance Officer or Privacy Officer required
- Direct questions to this person
- Overall responsibility for agency’s HIPAA compliance
20
What Else?
Must notify patient if:
- Non-encrypted PHI improperly disclosed
- PHI breached in any other way
The organization must also report breaches to US Department of Health and Human Services
Example: Stolen laptop, lost patient care report, spreadsheet of accounts sent to wrong person
21
Breach of Unsecured PHI
All personnel who know of or even suspect improper disclosure of PHI:
- Must promptly report to Compliance/Privacy Officer
IMPORTANT: “Code of silence” is NOT acceptable
Review policy to understand responsibilities
22
HIPAA Breach Notification
- Because of new HIPAA breach notification requirement – must notify patient of breach of PHI
- There are specific requirements to follow-up with patient (HIPAA Compliance Officer)
- Review “breach notification” policies regularly and refer to the policies when a breach has occurred
23
HIPAA and Radio Communication
HIPAA permits any disclosure of PHI when necessary for treatment purposes
OK to use name over radio to:
- Find patient
- Enable hospital to retrieve records
24
HIPAA and Radio Communication
What if someone overhears patient’s name on scanner?
- Consider an “incidental disclosure”
- Not a HIPAA violation
- Same as if a bystander overhears patient info
25
Additional HIPAA Information
- NEVER apply HIPAA in a way that delays, impedes, or prevents patient care
- Radio communications related to patient care – permitted under HIPAA
- OK to have two patients in the ambulance
26
HIPAA and Law Enforcement
- Patients may disclose their own PHI to law enforcement or anyone else they wish
- HIPAA does not apply to police, only health care providers
- If police officer speaks directly to patient, HIPAA is not an issue as it is the patient giving their medical information to the police
27
6 Exceptions for PHI Disclosures To Law Enforcement
1. OK to share info with police when state law requires it
Example: OK to notify police of certain injuries such as:
- Gunshot wounds, burns, animal bites, etc. when required by state law
- *Check with HIPAA Compliance Officer
28
6 Exceptions for PHI Disclosures To Law Enforcement
2. OK to disclose limited PHI to help police identify or locate:
- Suspect
- Fugitive
- Material witness
- Missing person
29
6 Exceptions for PHI Disclosures To Law Enforcement
3. OK to disclose about person believed to be a crime victim
- Simple verbal agreement from patient → OK to disclose PHI for victim of crime
- Document verbal permission
- If patient unconscious → OK if in best interest of patient AND if officer agrees it will not be used against victim
30
6 Exceptions for PHI Disclosures To Law Enforcement
4. OK to disclose when it appears victim died as a result of criminal activity
5. OK to disclose when a crime occurs on your premises
6. OK to disclose to report crime in emergencies
31
Two More Exceptions
Disclosure to other types of agencies:
A. When it appears individual has escaped police custody
- OK to share PHI with police or prison officials
B. Where state laws require report of:
- Abuse
- Neglect
- Domestic violence
32
HIPAA and the Media
- HIPAA strictly prohibits providers from disclosing any patient information to media
- Don’t even confirm identity of patient
- Refer requests to HIPAA Compliance Officer
33
HIPAA and the Media
- OK only when specifically authorized IN WRITING by patient
- It’s great to have your 15 minutes of fame on the news – but remember your professionalism – and the law
34
HIPAA and Social Networking, Texting and Photos
- Written policies must be in place – know them!
- Do not disclose PHI via blog, web site, discussion group, social network, or other public place
- Even when you believe information is “de-identified,” do NOT share it
35
HIPAA and Social Networking, Texting and Photos
- Posts on social media sites can give enough info for friends & family to recognize patient
- Names do not have to be included to be a violation
- In addition, this is simply unethical as a healthcare provider
36
HIPAA and Social Networking, Texting and Photos
- No posting of ANY patient or incident-related information in any manner
- Remember not to post pictures, videos, or accounts of specific calls that may contain anything identifiable on any company web site
37
Use of Cameras in Field
- May be appropriate to capture images of accident scene to help determine mechanism of injury
- Any image, video, or audio recording that could identify the patient is PHI and should be secured in the same manner
- Only use devices owned & issued by the organization – no personal devices
- Store images & clips securely
- Images are property of the agency
38
HIPAA and Family Members
- It is OK to disclose PHI to relative, friend, or other person involved in patient’s care if in best interest of patient
- Can also disclose transport destination & general condition (including death) to family members or others involved in patient’s care
- Use judgment if not in best interest of patient (e.g., domestic violence situation)
39
HIPAA and Other Operational Issues
Patient refusals:
- Thoroughly document incident
- You are still collecting PHI even though no transport was made
- Obtain patient’s signature or one from legally responsible decision-maker
- Offer privacy notice & make good faith effort to get signature acknowledging receipt of privacy notice
40
Working with Others at Scene
First responders & other EMS agencies providing care on scene:
- OK to discuss PHI for treatment purposes
- OK to freely share information with other responding agencies when necessary for patient care
41
Transfer of Patient Care
To hospital or other receiving facility:
OK to share PHI with:
- Staff members
- Patient registration personnel
- Others who perform treatment or payment-related tasks
Can be done in regular place and at regular voice level
Take reasonable precautions to minimize “incidental disclosures”
42
Transfer of Patient Care
Interfacility Transports:
- OK for EMS personnel to look at patient records for treatment purposes
- EMS professionals are health care providers who are involved in the treatment of the patient
- Not just “giving a ride” to the other facility!
43
HIPAA and Billing/Administrative Issues
Applies to anyone who deals with PHI:
- Billing Staff
- Managers
- Compliance/Privacy Officer
- Other Administrative Personnel
44
HIPAA and Billing/Administrative Issues
Requests for records from attorneys:
- Generally must receive a written authorization from patient to release medical records
- Must be signed by patient or legally responsible decision-maker
- Subpoena or other legal document → refer to HIPAA Compliance Officer
45
HIPAA and Billing/Administrative Issues
- OK to share information with patients when they request it
- But verify identity
- If request is in person, ask for ID
46
HIPAA and Billing/Administrative Issues
If request is by telephone, get more information:
- Birth Date
- Social Security Number
- Address
- Phone Number
47
New Restrictions on Payment Disclosures
- Patients can request that their PHI NOT be used to submit claim to insurance company for payment
- Only have to honor request if patient first pays bill in full
48
Electronic PHI Access
- Must take security precautions, especially when electronic devices are left unattended
- Every user should have unique ID and password
- Devices should have automatic log-off features when unattended for period of time
49
Electronic PHI
Organization must have administrative, physical, & technical safeguards to secure electronic PHI
Examples:
- Policies and procedures
- Computer servers in secure place
- Devices configured with password security, auto log-off, & back-up capabilities
50
Electronic PHI
- DO NOT SHARE PASSWORDS!
- Do not give lock combinations to an unauthorized person
- Do not download copies of patient data onto thumb drive or other portable device unless authorized to do so
51
Summary
- HIPAA laws strictly limit disclosure of PHI
- Uphold ethical & legal responsibility to protect confidentiality of PHI
52
Summary
PHI may be used for:
- Treatment or patient care
- Payment & healthcare operations
HIPAA Compliance Officer → oversee policies and procedures and be first point of contact
53
Summary
- Can disclose PHI to law enforcement in limited, specific situations
- Take extra attention when:
  - Communicating with media
  - Using social networking sites
- No texting, posting, or blogging about any patient information
54
Summary
Billers and other admin personnel:
- Take extra precaution when releasing, verifying, or confirming patient information
- Get written authorization from patient or personal representative when fulfilling requests for PHI from attorneys
55
HIPAA
Any Questions? Check with your HIPAA Compliance Officer
56
HIPAA Visit for more information on HIPAA and other EMS Law topics