The Health Insurance Portability and Accountability Act (HIPAA) Implications for Operations in the EMS Environment

Content to be Covered

What is HIPAA

Penalties for Non-compliance

The Privacy and Security Rules

Obligations (Organizational and Individual)

Policies and Procedures

Common Questions/Concerns

Summary

What is HIPAA

Federal legislation first passed in 1996

Part of the Social Security Administration Act that

Protects confidentiality and security of health information as it is used, disclosed, and electronically transmitted

Creates a standard framework for transmitting electronic protected health information (ePHI)

Penalties for Non-Compliance

Legislated:

Civil: $1000.00 per violation (up to $25,000 per year) for each requirement of rule violated

Federal Criminal: Up to $50,000 and 1 year in prison for disclosing protected health information (PHI) & up to 5 years and $100,000 for getting PHI under false pretenses

Up to $250,000 and 10 years for obtaining or disclosing PHI for sale, commercial advantage, personal gain, or malice.

Penalties for Non-compliance

Liability may fall to the individual

Sanctions in Gates County include actions up to and including dismissal

May result in Medical Director action against your professional credential

What is PHI?

Individually identifiable data

Verbal, paper, or electronic

Name, DOB, SSN, address, insurance information

Past, present, future medical condition/treatment information

Map X/Y or latitude/longitude information

Phone number(s)

Documents for insurance/treatment/pharmacy records, etc. obtained during your encounter

Other individually identifiable data

The Privacy Rule

Designed to protect information while allowing it to flow, without impeding care or public health

Primarily implemented through policies, procedures, and education

These tools should ensure confidentiality and restrict disclosure

The Security Rule

Protects the same information when it is stored or transmitted electronically

Designed to guard integrity, confidentiality, and availability through:

Administrative procedures

Physical safeguards

Technical security measures

Transmission protection standards

Who (that we work with) is covered by HIPAA?

EMS

Receiving hospitals

Patient’s private physicians

Billing Company

What are the obligations of Gates County EMS under HIPAA?

Name a Privacy Officer

Determine who needs access, and their level of access, to PHI

Implement, train and update staff on HIPAA policies, and keep records of same

Secure required but aged records

What are the obligations of Gates County EMS under HIPAA?

Develop and maintain a policy for misuse of PHI data

Report violations per policy

Identify and seek business associate agreements from those who process PHI for EMS

What are the obligations of EMS Technicians under HIPAA?

Complete required training

Safeguard records, computers, and oral PHI

Give (and ensure patient or guardian understands) our privacy practices. Obtain signatures of receipt and understanding

Know how the regulation impacts you

Sign a confidentiality agreement

Report violations to Privacy Officer

Privacy Actions by EMS Technicians

Destroy, using supplied shredders, any handwritten notes containing PHI once they have been entered into your report

Destroy any extra printed copies of the patient care report (PCR) using a shredder

Be aware of your surroundings during permissible oral disclosures to limit those who may overhear

Privacy Actions by EMS Technicians (Cont’d)

Understand and comply with the requirements of the privacy policy

Report any inadvertent disclosures to the Privacy Officer

Recommend actions to improve privacy practices

Patient Requests for Medical Records

Provide, on request, a printed copy of the patient care report to the patient if requested during the encounter

Refer all after-the-fact requests to the Privacy Officer. These include:

Patient/Guardian/Health Care Power of Attorney (HCPOA) requests

Law Enforcement/Courts/Insurance companies/Attorney requests

Patient Requests to Restrict Disclosure of Their PHI

Refer the patient/guardian/HCPOA to the Privacy Officer. If an immediate restriction, the EMS Chief should be consulted

Inform them that they are allowed to make this request

Inform them that these requests will ultimately be reviewed by the Privacy Officer

Requests to Amend Medical Records

Refer these requests to the Privacy Officer who will review these requests

Patient’s request/desired amendments will be included with medical record file

The Privacy Officer and EMS Chief will decide if PCR will be directly modified

What Disclosures are Authorized?

Information directly to the patient/guardian/HCPOA

Required disclosures regarding abuse/neglect of elders, children, the disabled

To report a crime, or to avert a serious threat to the health or safety of the public

Pre-approved data for research

These disclosures are still recorded!

Inadvertent Disclosures

Disclosures of PHI or ePHI which should not have occurred

Examples:

Billing information left on a copier and discovered by someone else

Discussion about treatment options for a patient was overheard by someone without a need to know

A patient care report faxed to a hospital after the encounter was faxed to the wrong number

Report these disclosures to the Privacy Officer

Inadvertent Disclosures (Cont’d)

The EMS environment is not controlled as it may be in constructed clinical treatment areas

Verbal reports to receiving healthcare providers, and necessary treatment discussions, may be overheard by others in the treatment area

We must still exercise reasonable efforts to limit the ability of others to overhear PHI without negatively impacting care

Where reasonable effort is used, these disclosures do not have to be logged

Limiting Inadvertent Disclosures

Ask spectators to move away

Position yourself to obscure view and minimize volume of speech necessary to discuss PHI with patients/providers, unless it impacts care or safety

Hold no discussions regarding your patients or your calls with persons who have no legitimate need to know

Have necessary discussions in protected areas when possible

Contact the Privacy Officer if you:

Receive requests from government agencies, subpoenas, or search warrants

Receive a complaint (staff is prohibited from retaliating against anyone who makes a complaint)

Receive request to amend PHI

Make or know of an inadvertent disclosure of PHI

Have any questions about HIPAA issues

Common Disclosures for EMS Field Personnel

Disclosure to assisting/receiving healthcare providers is unrestricted, to promote complete and safe care

Disclosure to Law Enforcement on scene/at hospital is limited to non-PHI disclosures (such as your unit’s destination), except for “Emergency Disclosures” covered in other slides

Common Disclosures for EMS Field Personnel

Family and friends present during the encounter may receive only necessary information to effect proper patient care or information specifically authorized by the patient

If conscious and alert, patient must authorize any disclosure

If unconscious/altered mental status, or treatment makes the patient inaccessible, disclose only to persons necessary to effect patient’s care. Limit only to necessary PHI elements, and disclose only if you can reasonably infer patient would not object

Common Questions/Concerns Related to HIPAA (Cont’d)

First responding crews to a call I was on asked to know the patient’s working diagnosis/outcome. As this was related to care after they left the patient, is this disclosure permitted?

This information is being relayed to a treating healthcare provider with whom the patient established a relationship. It is also a quality assurance measure to help inform future treatment and care decisions for similar patient encounters. It IS permissible to disclose this to responders who were on the call in secure surroundings.

Common Questions/Concerns Related to HIPAA

I’ve been dispatched to an address that I cannot find, and have the patient’s name in my dispatch information. Because patient name is PHI, am I prohibited from using it?

When necessary to effect patient care, it is permissible to disclose necessary PHI

It IS permissible to ask a neighbor how to find the Jones residence, or Grace Jones’ house, to prevent delays in care

It is not permissible to disclose the complaint, suspected patient status, etc.

Common Questions/Concerns Related to HIPAA (Cont’d)

I reported to a relieving crew that I responded to a drowning patient (so that the crew will give extra attention to the truck check off). They asked about the patient’s clinical course, and the events leading up to the drowning. Can I disclose this to them?

NO. As the crew was not a provider of care to your patient, and because victim identities often become public (this may allow a crew to associate other PHI to a name), this information cannot be disclosed. Such a case may be recommended for review in a formal peer review session, in which de-identified information may be used to illustrate valuable teaching points.

Physical Security Initiatives

Keep station doors locked in accordance with EMS policies

Maintain custody of PCR laptops as directed by policy

Identify and/or report suspected unauthorized persons on EMS property, incident scenes, or hospital private areas

Physical Security Initiatives (Cont’d)

Maintain record storage bins in functional, locked condition per policy

Transfer printed records directly to staff at hospitals, and EMS printed copies directly to secure storage per policy

Do not attempt to save PHI to other devices

Physical Security Initiatives (cont’d)

Medical record storage cabinets will remain locked whenever a record is not actively being removed or replaced

Any office in which paper PHI is handled but that does not use specialized, locking storage bins will remain locked when not occupied

Physical/Technical Security Initiatives

Gates County EMS encrypts all computers on which PHI is managed

These devices should remain locked/logged off when not actively in use

Emergency Disclosures

One of our toughest HIPAA issues to manage is communication with Law Enforcement Officers (LEOs)

Generally not HIPAA covered entities

They often have legal rights to access PHI

They often “need to know” PHI to do their job

Are trained to extract information from those who have it

We have relationships we’d like to maintain

Emergency Disclosures to LEOs

Permissible When:

LEO requests PHI to identify/locate a suspect, fugitive, material witness, or missing person

Patient admits to EMS participation in a violent crime that may have caused serious physical harm to others

We believe that the patient has escaped from prison or other lawful custody

Emergency Disclosures to LEOs (Cont’d)

Limit disclosure to:

Name and address

Date of birth (place if known)

Social Security Number

Type of injury

Date and time treated

Distinguishing Physical Characteristics:

Height

Weight

Eye Color

Hair Color

Scars/tattoos

+/- Facial Hair

Patient’s previous medical history and specific treatments rendered should not be disclosed!

Emergency Disclosures to LEO- Crime Victims

Child/Elder/Caregiver/Domestic abuse are covered by other sections

Disclose PHI of patient who is a victim only with patient consent

Exception: Patient is incapacitated or other emergency exists and

LEO states info will not be used against patient and delay for court order would adversely affect investigation or public safety

Only if you believe it is in patient’s best interest

LEO Disclosure- Crime Reporting

We may disclose PHI when necessary to alert law enforcement to a crime, and communicate:

the nature of the crime

the location of the crime

the location of crime victims (if known)

the identity, description, or location of the perpetrator of the crime (if known or reported to us)

Emergency Disclosures

To prevent possible immediate threats to individuals or the public, including general public health, an EMERGENCY DISCLOSURE can be made to anyone reasonably able to reduce the threat

May be an LEO, 911 operator, the owner of a business against which a patient is making threats, etc.

For LEO/Emergency Disclosures NOT Court Ordered

Complete a Gates County EMS Incident Report

Include rationale

Person and agency PHI disclosed to

Nature of PHI disclosed (but not the patient PHI)

Emergency Disclosures NOT Court Ordered

Limit disclosure to:

Name and address

Date of birth (place if known)

Social Security Number

Type of injury

Date and time treated

Distinguishing Physical Characteristics:

Height

Weight

Eye Color

Hair Color

Scars/tattoos

+/- Facial Hair

Patient’s previous medical history and specific treatments rendered should not be disclosed!

Child/Elder/Caregiver Abuse or Neglect

Report to the receiving health care facility

Disclose to Gates County Social Services employee charged with protection of children, elders, or the incapacitated

This applies when the EMS Technician believes that disclosure is necessary to prevent serious harm to the individual or other potential victims or the victim agrees to the disclosure.

Gates County Social Services can be reached through Gates County Central Communications by having the on-call person contact you.

Summary

Your practices should allow care, ensure the patient’s privacy and safety, and comply with law

Professional discretion is necessary in making limited disclosure to non-treating 3rd parties necessary to effect patient care

Compliance with Gates County EMS's implementation of HIPAA policies is mandatory

Summary (Cont’d)

The Privacy Officer is Bubba Pauley

Please contact with any HIPAA questions

24-hour cell is (252)339-7429

E-mail is [email protected] (do not include PHI in email questions or disclosure reports)

All inadvertent disclosures should be reported as per policy and to Bubba immediately upon recognition

Summary Continued

Notify the Privacy Officer immediately in the event of a lost electronic device containing PHI

Employees are responsible for complying with required behaviors to help reduce the risk of loss

Discretion, technical safeguards, and professional work practices will protect us and the patient

Summary Continued

Law enforcement requests for PHI are challenging to navigate

In general, disclosures to prevent immediate harm to others or prevent immediate collapse of investigations are permitted

Permission from the patient should always be obtained where possible