
Page 1: 2017 HIPAA Update - Emergency Service Support › ... › 2017 › 11 › 2017-HIPAA-Update.pdf · 2017-11-21 · HIPAA and Law Enforcement Patients may disclose their own PHI to

2017 HIPAA Update

EMERGENCY SERVICE SUPPORT

WWW.ESS911.COM

Page 2

What is HIPAA?

Health Insurance Portability and Accountability Act. It is Federal law and regulates the privacy and security of “Protected Health Information” – PHI. Protecting it is the fundamental responsibility of all EMS providers and staff. As health care providers it is our legal and ethical obligation.

Protected Health Information – PHI

PHI is any information about a person’s past, present or future health care that identifies, or could reasonably identify, the patient by name, address, identifying numbers or birth date. PHI can be written, verbal or digital.

Examples of PHI:

• Patient care reports

• Medical necessity forms

• Patient bills

• Claim forms

• Records from other facilities

• Photos & video

Page 3

Disclosure of PHI

YOU CANNOT USE OR DISCLOSE PHI FOR ANY PURPOSE UNLESS PERMITTED UNDER HIPAA.

This applies to patients both living and deceased. PHI is completely confidential and is the property of the organization.

Permitted disclosures of PHI include:

• Treatment - Use for any purpose related to providing EMS or health care to a patient.

• Payment - Use to file claims with Medicare or other insurers.

• Operations - Internal management purposes such as Quality Assurance (QA) or Quality Improvement (QI), licensure and other similar activities.

Page 4

Patient Rights

• Access their own PHI

• Ask for amendments if they believe their PHI to be inaccurate

• Make complaints regarding the organization’s use or misuse of their PHI

• Access PHI in electronic format if their PHI is held electronically

• Request that PHI not be used to submit a claim to an insurer for payment (ONLY if the bill is first paid in full)

• Receive an “accounting” of all disclosures

The patient’s authorized representative (legal guardian, power of attorney, parent of a minor, executor of a decedent’s estate) has the same rights as the patient under HIPAA (access, amendment, etc.). Treat the representative just as you would the patient.

All patient access requests are to be forwarded to your agency’s Privacy Officer.

Page 5

Notice of Privacy Practices

• Tells patients about their rights under HIPAA.

• Contains information about your agency’s privacy policies & procedures.

• Give a copy to all new patients.

• Give a new copy to repeat patients if revisions have been made.

• Because the provider may not know whether a patient has received a copy or a revised copy, the policy is to give all patients a copy each time they are transported.

• Give a copy to all patient refusals. You are still collecting PHI even though no transport was made. Offer the privacy notice & make a good faith effort to get a signature acknowledging receipt of it.

• Always attempt to obtain a signature from the patient verifying receipt of the notice.

WHEN? At the time of service.

Page 6

Notice of Privacy Practices (con’t)

• If the patient is under duress, unconscious, incapacitated, or in a serious emergency: focus on patient care first!

• If the patient cannot sign: document the reason and attempt to get the signature of a legal guardian, power of attorney, family member, or facility representative.

Page 7

HIPAA and Radio Communications

HIPAA permits any disclosure of PHI when necessary for treatment purposes. It is OK to use a name over the radio to find the patient (with dispatch) and to enable the hospital to retrieve records (patient report to the ED).

What if someone overhears the patient’s name on a scanner? This is considered an “incidental disclosure” and is not a HIPAA violation. It is the same as a bystander overhearing patient information.

• NEVER apply HIPAA in a way that delays, impedes, or prevents patient care

• Radio communications related to patient care are permitted under HIPAA

• It is OK to have two patients in the ambulance

Page 8

HIPAA and Law Enforcement

Patients may disclose their own PHI to law enforcement or to anyone else they wish. HIPAA does not apply to police, only to health care providers. If a police officer speaks directly to the patient, HIPAA is not an issue, as it is the patient giving their medical information to the police.

Six Exceptions for PHI Disclosures to Law Enforcement

1. OK to share information with police when state law requires it.

2. OK to disclose limited PHI to help police identify or locate a suspect, fugitive, material witness, or missing person.

3. OK to disclose about a person believed to be a crime victim. A simple verbal agreement from the patient is enough to disclose PHI for a victim of crime; document the verbal permission. If the patient is unconscious, disclosure is OK if it is in the best interest of the patient AND the officer agrees it will not be used against the victim.

4. OK to disclose when it appears the victim died as a result of criminal activity.

5. OK to disclose when a crime occurs on your premises.

6. OK to disclose to report a crime in emergencies.

Page 9

HIPAA and the Media

• HIPAA strictly prohibits providers from disclosing any patient information to the media

• Don’t even confirm the identity of a patient

• Refer requests to the HIPAA Compliance Officer

• OK only when specifically authorized IN WRITING by the patient

Page 10

HIPAA and Social Networking, Texting and Photos

Do not disclose PHI via blog, web site, discussion group, social network, or other public place. Even when you believe information is “de-identified,” do NOT share it. Posts on social media sites can give enough information for friends & family to recognize the patient. Names do not have to be included for it to be a violation. This is simply unethical as a healthcare professional and is prohibited.

There is to be NO posting of ANY patient or incident-related information in any manner. This includes pictures, videos, or accounts of specific calls that may contain anything identifiable on the company web site.

The use of cameras in the field may be appropriate to capture images of an accident scene to help determine mechanism of injury. Any image, video, or audio recording that could identify the patient is PHI and must be secured in the same manner. Only use devices owned & issued by the organization – no personal devices. All images and clips are stored securely. Images are the property of the organization.

Page 11

Other PHI Disclosures

HIPAA and Family Members

It is OK to disclose PHI to a relative, friend, or other person involved in the patient’s care if it is in the best interest of the patient. You can also disclose transport destination & general condition (including death) to family members or others involved in the patient’s care. Use judgment if it is not in the best interest of the patient (e.g., a domestic violence situation).

First Responders & Other EMS Agencies

It is OK to disclose PHI for treatment purposes. It is OK to freely share information with other responding agencies when necessary for patient care.

Transfer of Patient Care

It is OK to share PHI with staff members, patient registration personnel and others who perform treatment or payment-related tasks. It can be done in the regular place and at a regular voice level. Take reasonable precautions to minimize “incidental disclosures.”

Page 12

Electronic PHI

The organization has administrative, physical, & technical safeguards to secure electronic PHI. These include:

• Every user should have a unique ID and password

• Devices have automatic log-off features when unattended for a period of time

• Security precautions must be taken, especially when electronic devices are left unattended

• Computer servers are secured

• DO NOT SHARE PASSWORDS!

• Do not give lock combinations to an unauthorized person

• Do not download copies of patient data onto a thumb drive or other portable device unless authorized to do so
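The unique-ID and no-shared-passwords safeguards above are only as good as the review that checks them. The script below is an added example, not part of the ESS911 deck or any vendor's product; it reads a small constructed access log (the column layout is an assumption, real ePCR and EHR exports differ) and flags two things a Privacy Officer would want to see: a user ID active on two workstations within minutes of each other, which usually means a shared or stolen password, and a user opening far more patient records than their peers, the pattern behind insider record-snooping breaches.

```python
"""Audit a constructed ePHI access log for two HIPAA-safeguard signals.

Added example; the CSV layout below is an assumption, not any real export.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log covering one shift for four user IDs (not real data).
SAMPLE_LOG = """timestamp,user,workstation,patient_id,action
2017-11-01T08:00:00,jdoe,MEDIC-12,P1001,view
2017-11-01T08:02:00,asmith,MEDIC-12,P1003,view
2017-11-01T08:04:00,asmith,BILLING-03,P1004,view
2017-11-01T08:10:00,jdoe,MEDIC-12,P1002,edit
2017-11-01T08:30:00,mchen,MEDIC-07,P1005,view
2017-11-01T09:00:00,mchen,MEDIC-07,P1006,view
2017-11-01T09:15:00,rlee,STATION-PC,P2001,view
2017-11-01T09:16:00,rlee,STATION-PC,P2002,view
2017-11-01T09:17:00,rlee,STATION-PC,P2003,view
2017-11-01T09:18:00,rlee,STATION-PC,P2004,view
2017-11-01T09:19:00,rlee,STATION-PC,P2005,view
2017-11-01T09:20:00,rlee,STATION-PC,P2006,view
2017-11-01T09:21:00,rlee,STATION-PC,P2007,view
2017-11-01T09:22:00,rlee,STATION-PC,P2008,view
2017-11-01T09:23:00,rlee,STATION-PC,P2009,view
2017-11-01T09:24:00,rlee,STATION-PC,P2010,view
2017-11-01T09:25:00,rlee,STATION-PC,P2011,view
2017-11-01T09:26:00,rlee,STATION-PC,P2012,view
2017-11-01T14:00:00,mchen,BILLING-03,P1006,view
"""


def parse_log(text):
    """Parse the CSV export into event dicts with a real datetime field."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def find_shared_credentials(events, window_minutes=5):
    """Return user IDs seen on two different workstations within the window.

    One person cannot sit at two consoles at once, so under the unique-ID rule
    this pattern points to a shared or compromised password.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    flagged = set()
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["timestamp"])
        # Any two differing-workstation events inside the window imply a
        # consecutive pair that also differs inside the window, so checking
        # neighbours is enough.
        for prev, cur in zip(user_events, user_events[1:]):
            if (prev["workstation"] != cur["workstation"]
                    and cur["timestamp"] - prev["timestamp"] <= window):
                flagged.add(user)
                break
    return flagged


def find_excessive_access(events, factor=3.0):
    """Return {user: distinct patient records} for users whose count exceeds
    `factor` times the median across all users in the log."""
    patients = defaultdict(set)
    for event in events:
        patients[event["user"]].add(event["patient_id"])
    counts = {user: len(ids) for user, ids in patients.items()}
    median = statistics.median(counts.values())
    return {user: n for user, n in counts.items() if n > factor * median}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("possible shared credentials:", sorted(find_shared_credentials(evs)))
    print("excessive record access:", find_excessive_access(evs))
```

On the sample, `asmith` is flagged because the same ID is on a medic unit and a billing workstation two minutes apart, while `mchen` is not, since the switch to a billing workstation happens five hours later; widening the window to a whole shift catches that too. `rlee` is flagged for opening twelve distinct records against a peer median of two. Both thresholds are tuning knobs; the point is that the log the safeguards already produce can answer these questions.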

Page 13

PHI Breach Notification

Because of the new HIPAA breach notification requirement, the patient must be notified of a breach of PHI.

Must notify the patient if:

• Non-encrypted PHI is improperly disclosed

• PHI is breached in any other way

The organization must also report breaches to the US Department of Health and Human Services. (Examples: stolen laptop, lost patient care report, spreadsheet of accounts sent to the wrong person.)

All personnel who know of or even suspect improper disclosure of PHI MUST promptly report it to the Compliance/Privacy Officer. A “code of silence” is NOT acceptable. You must review the policy to understand your responsibilities.

Page 14

HIPAA and Billing/Administrative Issues

Applies to anyone who deals with PHI:

• Billing Staff

• Managers

• Compliance/Privacy Officer

• Other Admin Personnel

It is OK to share information with patients when they request it, but verify their identity first:

• If the request is in person, ask for ID

• If the request is by telephone, get more information: birth date, Social Security Number, address, phone number

The policy for providers is to refer all requests for information to the Privacy Officer.

Page 15

Management Action Items

• Make policies and procedures available to all staff

• Do a Risk Assessment

• Prepare a list of business associates and check off BAAs

• Have a contingency plan for malware attacks

• Audit your patient access process

• Deal with cell phone use

• Consider Cyber insurance

Page 16

Staff Action Items

• Complete annual HIPAA training

• Follow the HIPAA Disclosure Policy

• Do not share PHI with coworkers not involved in patient care

• Do not share PHI via text or social networking

• Always give the patient a copy of the NPP

Page 17

Recent Health Breaches

The following data breaches were reported within the past six weeks on Becker's Hospital Review. Breaches are listed here in reverse chronological order from when they were reported.

1. Mental health officials from Kern County in California notified patients of a potential data breach after a report containing protected health information was left behind during the agency's move to new offices.

2. More than 2,800 patients at University of New Mexico Hospital in Albuquerque received notification of a data breach after a technical issue with hospital billing systems caused medical information to be mailed to incorrect addresses.

3. Seven employees at Toledo, Ohio-based ProMedica accessed 3,472 patients' medical records at two hospitals in Michigan. Three employees were fired for accessing the records, which were unrelated to their job responsibilities.

4. Stamford (Conn.) Podiatry Group notified more than 40,000 patients of an incident of unauthorized access in its computer systems, which may have compromised personal information.

5. The protected health information of more than 1,000 patients who visited Carondelet St. Mary's and Carondelet St. Joseph's emergency rooms, both in Tucson, Ariz., was compromised after a logbook was stolen from a physician's car.

6. A chiropractic clinic in Ann Arbor, Mich., reported a data breach after learning a server containing patient treatment and billing information was infected with malware. Approximately 4,000 patients' information was compromised.

7. After hackers locked files at Kansas Heart Hospital in a ransomware attack, the Wichita-based hospital paid the ransom. But hackers didn't fully unlock the computer files, and they demanded more money to do so.

Page 18

Office for Civil Rights (OCR)

OCR enforces the Privacy and Security Rules in several ways:

• by investigating complaints filed with it,

• by conducting compliance reviews to determine if covered entities are in compliance, and

• by performing education and outreach to foster compliance with the Rules' requirements.

OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

Page 19

Enforcement Results - Compliance

Page 20

HIPAA Settlements

While large-scale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has also resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches.

This year has seen two settlements with organizations for breaches that impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table on the next page.

Page 21

HIPAA Settlements