The Health Insurance Portability and Accountability Act (HIPAA)
Implications for Operations in the EMS Environment
Content to be Covered
What is HIPAA
Penalties for Non-compliance
The Privacy and Security Rules
Obligations (Organizational and Individual)
Policies and Procedures
Common Questions/Concerns
Summary
What is HIPAA
Federal legislation first passed in 1996
Part of the Social Security Administration Act that
Protects confidentiality and security of health information as it is used, disclosed, and electronically transmitted
Creates a standard framework for transmitting electronic protected health information (ePHI)
Penalties for Non-Compliance
Legislated:
Civil- $1000.00 per violation (up to $25,000 per year) for each requirement of rule violated
Federal Criminal- Up to $50,000 and 1 year in prison for disclosing protected health information (PHI) & up to 5 years and $100,000 for getting PHI under false pretenses
Up to $250,000 and 10 years for obtaining or disclosing PHI for sale, commercial advantage, personal gain, or malice.
Penalties for Non-compliance
Liability may fall to the individual
Sanctions in Gates County include actions up to and including dismissal
May result in Medical Director action against your professional credential
What is PHI?
Individually identifiable data
Verbal, paper, or electronic
Name, DOB, SSN, address, insurance information
Past, present, future medical condition/treatment information
Map X/Y or latitude/longitude information
Phone number(s)
Documents for insurance/treatment/pharmacy records, etc. obtained during your encounter
Other individually identifiable data
The Privacy Rule
Designed to protect information while allowing it to flow, without impeding care or public health
Primarily implemented through policies, procedures, and education
These tools should ensure confidentiality and restrict disclosure
The Security Rule
Protects the same information when it is stored or transmitted electronically
Designed to guard integrity, confidentiality, and availability through:
Administrative procedures
Physical safeguards
Technical security measures
Transmission protection standards
Who (that we work with) is covered by HIPAA?
EMS
Receiving hospitals
Patient’s private physicians
Billing Company
What are the obligations of Gates County EMS under HIPAA?
Name a Privacy Officer
Determine who needs access, and their level of access, to PHI
Implement, train and update staff on HIPAA policies, and keep records of same
Secure required but aged records
What are the obligations of Gates County EMS under HIPAA?
Develop and maintain a policy for misuse of PHI data
Report violations per policy
Identify and seek business associate agreements from those who process PHI for EMS
What are the obligations of EMS Technicians under HIPAA?
Complete required training
Safeguard records, computers, and oral PHI
Give (and ensure patient or guardian understands) our privacy practices. Obtain signatures of receipt and understanding
Know how the regulation impacts you
Sign a confidentiality agreement
Report violations to Privacy Officer
Privacy Actions by EMS Technicians
Destroy, using supplied shredders, any handwritten notes containing PHI once they have been entered into your report
Destroy any extra printed copies of the patient care report (PCR) using a shredder
Be aware of your surroundings during permissible oral disclosures to limit those who may overhear
Privacy Actions by EMS Technicians (Cont’d)
Understand and comply with the requirements of the privacy policy
Report any inadvertent disclosures to the Privacy Officer
Recommend actions to improve privacy practices
Patient Requests for Medical Records
Provide a printed copy of the patient care report to the patient if requested during the encounter
Refer all after-the-fact requests to the Privacy Officer. These include:
Patient/Guardian/Health Care Power of Attorney (HCPOA) requests
Law Enforcement/Courts/Insurance companies/Attorney requests
Patient Requests to Restrict Disclosure of Their PHI
Refer the patient/guardian/HCPOA to the Privacy Officer. For an immediate restriction, the EMS Chief should be consulted
Inform them that they are allowed to make this request
Inform them that these requests will ultimately be reviewed by the Privacy Officer
Requests to Amend Medical Records
Refer these requests to the Privacy Officer, who will review them
Patient’s request/desired amendments will be included with medical record file
The Privacy Officer and EMS Chief will decide if PCR will be directly modified
What Disclosures are Authorized?
Information directly to the patient/guardian/HCPOA
Required disclosures regarding abuse/neglect of elders, children, the disabled
To report a crime, or to avert a serious threat to the health or safety of the public
Pre-approved data for research
These disclosures are still recorded!
Inadvertent Disclosures
Disclosures of PHI or ePHI which should not have occurred
Examples:
Billing information left on a copier and discovered by someone else
Discussion about treatment options for a patient was overheard by someone without a need to know
A patient care report faxed to a hospital after the encounter was faxed to the wrong number
Report these disclosures to the Privacy Officer
Inadvertent Disclosures (Cont’d)
The EMS environment is not controlled as it may be in constructed clinical treatment areas
Verbal reports to receiving healthcare providers, and necessary treatment discussions, may be overheard by others in the treatment area
We must still exercise reasonable efforts to limit the ability of others to overhear PHI without negatively impacting care
Where reasonable effort is used, these disclosures do not have to be logged
Limiting Inadvertent Disclosures
Ask spectators to move away
Position yourself to obscure view and minimize volume of speech necessary to discuss PHI with patients/providers, unless it impacts care or safety
Hold no discussions regarding your patients or your calls with persons who have no legitimate need to know
Have necessary discussions in protected areas when possible
Contact the Privacy Officer if you:
Receive requests from government agencies, subpoenas, or search warrants
Receive a complaint (staff is prohibited from retaliating against anyone who makes a complaint)
Receive a request to amend PHI
Make or know of an inadvertent disclosure of PHI
Have any questions about HIPAA issues
Common Disclosures for EMS Field Personnel
Disclosure to assisting/receiving healthcare providers is unrestricted, to promote complete and safe care
Disclosure to Law Enforcement on scene/at hospital is limited to non-PHI disclosures (such as your unit’s destination), except for “Emergency Disclosures” covered in other slides
Common Disclosures for EMS Field Personnel
Family and friends present during the encounter may receive only necessary information to effect proper patient care or information specifically authorized by the patient
If conscious and alert, patient must authorize any disclosure
If unconscious/altered mental status, or treatment makes the patient inaccessible, disclose only to persons necessary to effect patient’s care. Limit only to necessary PHI elements, and disclose only if you can reasonably infer patient would not object
Common Questions/Concerns Related to HIPAA (Cont’d)
First responding crews to a call I was on asked to know the patient’s working diagnosis/outcome. As this was related to care after they left the patient, is this disclosure permitted?
This information is being relayed to a treating healthcare provider with whom the patient established a relationship. It is also a quality assurance measure to help inform future treatment and care decisions for similar patient encounters. It IS permissible to disclose this to responders who were on the call in secure surroundings.
Common Questions/Concerns Related to HIPAA
I’ve been dispatched to an address that I cannot find, and have the patient’s name in my dispatch information. Because patient name is PHI, am I prohibited from using it?
When necessary to effect patient care, it is permissible to disclose necessary PHI
It IS permissible to ask a neighbor how to find the Jones residence, or Grace Jones’ house, to prevent delays in care
It is not permissible to disclose the complaint, suspected patient status, etc.
Common Questions/Concerns Related to HIPAA (Cont’d)
I reported to a relieving crew that I responded to a drowning patient (so that the crew will give extra attention to the truck check off). They asked about the patient’s clinical course, and the events leading up to the drowning. Can I disclose this to them?
NO. As the crew was not a provider of care to your patient, and because victim identities often become public (this may allow a crew to associate other PHI to a name), this information cannot be disclosed. Such a case may be recommended for review in a formal peer review session, in which de-identified information may be used to illustrate valuable teaching points.
Physical Security Initiatives
Keep station doors locked in accordance with EMS policies
Maintain custody of PCR laptops as directed by policy
Identify and/or report suspected unauthorized persons on EMS property, incident scenes, or hospital private areas
Physical Security Initiatives (Cont’d)
Maintain record storage bins in functional, locked condition per policy
Transfer printed records directly to staff at hospitals, and EMS printed copies directly to secure storage per policy
Do not attempt to save PHI to other devices
Physical Security Initiatives (cont’d)
Medical record storage cabinets will remain locked whenever a record is not actively being removed or replaced
Any office in which paper PHI is handled but that does not use specialized, locking storage bins will remain locked when not occupied
Physical/Technical Security Initiatives
Gates County EMS encrypts all computers on which PHI is managed
These devices should remain locked/logged off when not actively in use
Emergency Disclosures
One of our toughest HIPAA issues to manage is communication with Law Enforcement Officers (LEOs)
Generally not HIPAA covered entities
They often have legal rights to access PHI
They often “need to know” PHI to do their job
Are trained to extract information from those who have it
We have relationships we’d like to maintain
Emergency Disclosures to LEOs
Permissible When:
LEO requests PHI to identify/locate a suspect, fugitive, material witness, or missing person
Patient admits to EMS participation in a violent crime that may have caused serious physical harm to others
We believe that the patient has escaped from prison or other lawful custody
Emergency Disclosures to LEOs (Cont’d)
Limit disclosure to:
Name and address
Date of birth (place if known)
Social Security Number
Type of injury
Date and time treated
Distinguishing Physical Characteristics:
Height
Weight
Eye Color
Hair Color
Scars/tattoos
+/- Facial Hair
Patient’s previous medical history and specific treatments rendered should not be disclosed!
Emergency Disclosures to LEO- Crime Victims
Child/Elder/Caregiver/Domestic abuse are covered by other sections
Disclose PHI of patient who is a victim only with patient consent
Exception: Patient is incapacitated or other emergency exists and
LEO states info will not be used against patient and delay for court order would adversely affect investigation or public safety
Only if you believe it is in patient’s best interest
LEO Disclosure- Crime Reporting
We may disclose PHI when necessary to alert law enforcement to a crime, and communicate:
the nature of the crime
the location of the crime
the location of crime victims (if known)
the identity, description, or location of the perpetrator of the crime (if known or reported to us)
Emergency Disclosures
To prevent possible immediate threats to individuals or the public, including general public health, an EMERGENCY DISCLOSURE can be made to anyone reasonably able to reduce the threat
May be an LEO, 911 operator, the owner of a business against which a patient is making threats, etc.
For LEO/Emergency Disclosures NOT Court Ordered
Complete a Gates County EMS Incident Report
Include rationale
Person and agency PHI disclosed to
Nature of PHI disclosed (but not the patient PHI
Emergency Disclosures NOT Court Ordered
Limit disclosure to:
Name and address
Date of birth (place if known)
Social Security Number
Type of injury
Date and time treated
Distinguishing Physical Characteristics:
Height
Weight
Eye Color
Hair Color
Scars/tattoos
+/- Facial Hair
Patient’s previous medical history and specific treatments rendered should not be disclosed!
Child/Elder/Caregiver Abuse or Neglect
Report to the receiving health care facility
Disclose to Gates County Social Services employee charged with protection of children, elders, or the incapacitated
This applies when the EMS Technician believes that disclosure is necessary to prevent serious harm to the individual or other potential victims or the victim agrees to the disclosure.
Gates County Social Services can be contacted by calling Gates County Central Communications and having the on-call person contact you.
Summary
Your practices should allow care, ensure the patient’s privacy and safety, and comply with law
Professional discretion is necessary in making limited disclosure to non-treating 3rd parties necessary to effect patient care
Compliance with Gates County EMS's implementation of HIPAA policies is mandatory
Summary (Cont’d)
The Privacy Officer is Bubba Pauley
Please contact with any HIPAA questions
24-hour cell is (252)339-7429
E-mail is [email protected] (do not include PHI in email questions or disclosure reports)
All inadvertent disclosures should be reported as per policy and to Bubba immediately upon recognition
Summary Continued
Notify the Privacy Officer immediately in the event of a lost electronic device containing PHI
Employees are responsible for complying with required behaviors to help reduce the risk of loss
Discretion, technical safeguards, and professional work practices will protect us and the patient
Summary Continued
Law enforcement requests for PHI are challenging to navigate
In general, disclosures to prevent immediate harm to others or prevent immediate collapse of investigations are permitted
Permission from the patient should always be obtained where possible