TRANSCRIPT
2017 HIPAA Update
EMERGENCY SERVICE SUPPORT
WWW.ESS911.COM
What is HIPAA?
Health Insurance Portability and Accountability Act. It is federal law and regulates the
privacy and security of “Protected Health Information” (PHI). Protecting PHI is the fundamental
responsibility of all EMS providers and staff. As health care providers it is our legal
and ethical obligation.
Protected Health Information – PHI
PHI is any information about a person’s past, present or future health care that
identifies, or could reasonably be used to identify, a patient by name, address, identifying
numbers or birth date. PHI can be written, verbal or digital.
Examples of PHI:
Patient care reports
Medical necessity forms
Patient bills
Claim forms
Records from other facilities
Photos & video
Disclosure of PHI
YOU CANNOT USE OR DISCLOSE PHI FOR ANY PURPOSE UNLESS PERMITTED UNDER
HIPAA.
It applies to patients who are living or deceased. PHI is completely confidential
and is the property of the organization.
Permitted disclosures of PHI include:
Treatment - Use for any purpose related to providing EMS or health care to a
patient.
Payment - Use to file claims with Medicare or other insurers.
Operations - Internal management purposes such as Quality Assurance (QA) or
Quality Improvement (QI), licensure and other similar activities.
Patient Rights
• Access their own PHI
• Ask for amendments if they believe their PHI to be inaccurate
• Make complaints regarding the organization’s use or misuse of their PHI
• Access their PHI in electronic format if it is held electronically
• Request that their PHI not be used to submit a claim to an insurer for payment (ONLY if the bill was first paid in full)
• Receive an “accounting” of all disclosures
The patient’s authorized representative (Legal guardian, power of attorney, parent of a
minor, executor of decedent’s estate) has the same rights as patient under HIPAA (access,
amendment, etc.). You would treat the representative just as you would the patient.
All patient access requests are to be forwarded to your agency’s
Privacy Officer.
Notice of Privacy Practices
• Tells patients about their rights under HIPAA
• Contains info about your agency’s privacy policies & procedures.
• Give a copy to all new patients.
• Give a new copy to repeat patients if revisions are made.
• Because the provider may not know whether or not a patient has received a copy or a revised copy, the policy is to give all patients a copy each time they are transported.
• Give a copy to all Patient Refusals. You are still collecting PHI even though no transport
was made. Offer the privacy notice and make a good faith effort to get a signature acknowledging
receipt of the privacy notice.
• Always attempt to obtain a signature from the patient verifying receipt of the notice.
WHEN?
At the time of service
Notice of Privacy Practices (con’t)
• If patient under duress, unconscious, incapacitated, or serious emergency:
Focus on patient care first!
• If patient cannot sign?
Document reason
Attempt to get signature of a legal guardian, power of attorney, family member, or
facility representative
HIPAA and Radio Communications
HIPAA permits any disclosure of PHI when necessary for treatment purposes. It is OK to use
name over radio to find patient (with dispatch) and enable hospital to retrieve records
(patient report to ED).
What if someone overhears patient’s name on scanner? This is considered an “incidental
disclosure” and is not a HIPAA violation. It is the same as if a bystander overhears patient info.
• NEVER apply HIPAA in a way that delays, impedes, or prevents patient care
• Radio communications related to patient care – permitted under HIPAA
• OK to have two patients in the ambulance
HIPAA and Law Enforcement
Patients may disclose their own PHI to law enforcement or to anyone else they wish. HIPAA
regulates health care providers, not police. If a police officer speaks directly to the
patient, HIPAA is not an issue: it is the patient giving their own medical information to the police.
Six Exceptions for PHI Disclosures To Law Enforcement
1. OK to share info with police when state law requires it
2. OK to disclose limited PHI to help police identify or locate a suspect, fugitive, material
witness, or missing person
3. OK to disclose about a person believed to be a crime victim. A simple verbal agreement from the patient is enough to disclose PHI for a victim of crime; document the verbal permission. If the
patient is unconscious, disclosure is OK if it is in the best interest of the patient AND the officer agrees the information will not
be used against the victim.
4. OK to disclose when it appears victim died as a result of criminal activity.
5. OK to disclose when a crime occurs on your premises.
6. OK to disclose to report crime in emergencies.
HIPAA and the Media
• HIPAA strictly prohibits providers from disclosing any patient information to the media
• Don’t even confirm identity of patient
• Refer requests to HIPAA Compliance Officer
• OK only when specifically authorized IN WRITING by patient
HIPAA and Social Networking, Texting and Photos
Do not disclose PHI via blog, web site, discussion group, social network, or other
public place. Even when you believe information is “de-identified,” do NOT share it.
Posts on social media sites can give enough info for friends & family to recognize
patient. Names do not have to be included to be a violation. This is simply unethical
as a healthcare professional and is prohibited.
There is to be NO posting of ANY patient or incident-related information in any
manner. This includes pictures, videos, or accounts of specific calls that may
contain anything identifiable, including on the company web site.
The use of cameras in the field may be appropriate to capture images of an accident
scene to help determine mechanism of injury. Any image, video, or audio
recording that could identify the patient is PHI and must be secured in the same manner.
Only use devices owned and issued by the organization, never personal devices. All images
and clips are stored securely. Images are the property of the organization.
Other PHI Disclosures
HIPAA and Family Members
It is OK to disclose PHI to relative, friend, or other person involved in patient’s care if
in best interest of the patient. You can also disclose transport destination & general
condition (including death) to family members or others involved in patient’s care.
Use judgment if not in best interest of patient (e.g., domestic violence situation).
First responders & other EMS agencies
It is OK to disclose PHI for treatment purposes. It is OK to freely share information with
other responding agencies when necessary for patient care.
Transfer of Patient Care
It is OK to share PHI with staff members, patient registration personnel and others
who perform treatment or payment-related tasks. This can be done in the usual place and at a normal
speaking volume. Take reasonable precautions to minimize “incidental disclosures.”
Electronic PHI
The organization has administrative, physical, & technical safeguards to secure
electronic PHI. These include:
• Every user should have unique ID and password
• Devices have automatic log-off features when unattended for period of time
• Must take security precautions, especially when electronic devices are left unattended
• Computer servers are secured
• DO NOT SHARE PASSWORDS!
• Do not give lock combinations to an unauthorized person.
• Do not download copies of patient data onto thumb drive or other portable
device unless authorized to do so.
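The list above says every user should have a unique ID, but not what that control buys. The main thing it buys is accountability: with one ID per person, every record view can be tied to an individual and compared with the calls that person actually ran, which is how an agency catches staff who browse charts they have no care relationship with (the insider access pattern that appears in the breach list later in this document). The Python script below is an added example, not part of this training material or of any ePCR product. The audit-log format, the crew assignment table and the sample log lines are all constructed for the illustration, and the "billing", "qa" and "privacy_officer" role names are assumptions.

```python
"""Audit ePHI access against crew assignments (added example, constructed data)."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: which unique user IDs were assigned to which incident.
# In a real agency this would be exported from the CAD/dispatch system.
ASSIGNMENTS = {
    "INC-1001": {"medic42", "emt17"},
    "INC-1002": {"medic42", "emt09"},
    "INC-1003": {"emt17", "emt09"},
}

# Assumed role names for staff allowed to open any report for payment or
# operations (QA/QI) purposes, which the training material lists as permitted.
PRIVILEGED_ROLES = {"billing", "qa", "privacy_officer"}

# Constructed sample audit log (not any real ePCR product's format):
# timestamp, unique user ID, role, incident number, action.
SAMPLE_LOG = """\
ts,user,role,incident,action
2017-11-03T08:02:11,medic42,field,INC-1001,view_pcr
2017-11-03T08:05:40,emt17,field,INC-1001,edit_pcr
2017-11-03T09:10:02,billing03,billing,INC-1001,view_pcr
2017-11-03T12:44:19,emt09,field,INC-1001,view_pcr
2017-11-03T12:44:51,emt09,field,INC-1002,view_pcr
2017-11-03T12:45:07,emt09,field,INC-1003,view_pcr
2017-11-03T13:00:00,medic42,field,INC-1003,view_pcr
2017-11-03T22:15:33,emt17,field,INC-1002,view_pcr
"""


def parse_log(text):
    """Parse the CSV audit log into a list of dicts, one per access event."""
    return list(csv.DictReader(StringIO(text)))


def unassigned_access(events, assignments=ASSIGNMENTS):
    """Return events where a field user opened a report for a call they were not on.

    Billing/QA/privacy roles are skipped: their access is for payment or
    operations purposes and needs no care relationship with the patient.
    """
    flagged = []
    for e in events:
        if e["role"] in PRIVILEGED_ROLES:
            continue
        crew = assignments.get(e["incident"], set())
        if e["user"] not in crew:
            flagged.append(e)
    return flagged


def rapid_browsing(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: count} for users who opened >= threshold distinct incidents
    inside any period of length `window`. Many unrelated charts in a few minutes
    is the classic record-snooping pattern and is worth a look even when each
    single access could be explained on its own."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["incident"]))
    suspects = {}
    for user, views in by_user.items():
        views.sort()
        for i, (start, first_inc) in enumerate(views):
            seen = {first_inc}
            for later, inc in views[i + 1:]:
                if later - start > window:
                    break
                seen.add(inc)
            if len(seen) >= threshold:
                suspects[user] = len(seen)
                break
    return suspects


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in unassigned_access(events):
        print(f"UNASSIGNED  {e['ts']} {e['user']:<10} {e['incident']} {e['action']}")
    for user, n in rapid_browsing(events).items():
        print(f"RAPID       {user} opened {n} different charts within 5 minutes")
```

Run as-is it prints the three accesses by field crew to calls they were not assigned to, plus one user who opened three different charts within a minute. A flagged event is a lead for the Privacy Officer, not proof of a violation: a crew member can legitimately open another unit's chart when taking over patient care, so the review step is part of the control.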
PHI Breach Notification
Under the HIPAA breach notification requirement, the patient must be notified
of a breach of their PHI.
Must notify the patient if:
• Non-encrypted PHI is improperly disclosed
• PHI is breached in any other way
The organization must also report breaches to the US Department of Health and Human Services.
(Examples: stolen laptop, lost patient care report, spreadsheet of accounts
sent to the wrong person.)
All personnel who know of or even suspect improper disclosure of PHI MUST promptly
report to Compliance/Privacy Officer. “Code of silence” is NOT acceptable. You must review policy to understand responsibilities.
HIPAA and Billing/Administrative Issues
Applies to anyone who deals with PHI
• Billing Staff
• Managers
• Compliance/Privacy Officer
• Other Admin Personnel
It is OK to share information with patients when they request it, but verify identity first
• If the request is in person, ask for ID
• If the request is by telephone, get more identifying information, such as:
Birth Date
Social Security Number
Address
Phone number
The policy for providers is to refer all requests for information to the Privacy Officer.
Management Action Items
Make policies and procedures available to all staff
Do a Risk Assessment
Prepare a list of business associates and check off BAAs
Have a contingency plan for malware attacks
Audit your patient access process
Deal with cell phone use
Consider Cyber insurance
Staff Action Items
Complete Annual HIPAA training
Follow HIPAA Disclosure Policy
Do not share PHI with coworkers not involved in patient care
Do not share PHI via text, social networking
Always give the patient a copy of the NPP.
Recent Health Breaches
The following data breaches were reported within the past six weeks on Becker's Hospital Review. Breaches are listed here in reverse chronological order from when they were reported.
1. Mental health officials from Kern County in California notified patients of a potential data breach after a report containing protected health information was left behind during the agency's move to new offices.
2. More than 2,800 patients at University of New Mexico Hospital in Albuquerque received notification of a data breach after a technical issue with hospital billing systems caused medical information to be mailed to incorrect addresses.
3. Seven employees at Toledo, Ohio-based ProMedica accessed 3,472 patients' medical records at two hospitals in Michigan. Three employees were fired for accessing the records, which were unrelated to their job responsibilities.
4. Stamford (Conn.) Podiatry Group notified more than 40,000 patients of an incidence of unauthorized access in its computer systems, which may have compromised personal information.
5. The protected health information of more than 1,000 patients who visited Carondelet St. Mary's and Carondelet St. Joseph's emergency rooms, both in Tucson, Ariz., was compromised after a logbook was stolen from a physician's car.
6. A chiropractic clinic in Ann Arbor, Mich., reported a data breach after learning a server containing patient treatment and billing information was infected with malware. Approximately 4,000 patients' information was compromised.
7. After hackers locked files at Kansas Heart Hospital in a ransomware attack, the Wichita-based hospital paid the ransom. But hackers didn't fully unlock the computer files, and they demanded more money to do so.
Office for Civil Rights (OCR)
OCR enforces the Privacy and Security Rules in several ways:
• by investigating complaints filed with it,
• conducting compliance reviews to determine if covered entities are in compliance, and
• performing education and outreach to foster compliance with the Rules' requirements.
• OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.
Enforcement Results - Compliance
HIPAA Settlements
While large-scale breaches of PHI may warrant financial penalties and will have an
impact on the final settlement amount, OCR has also resorted to financial penalties
when relatively few individuals have been impacted by healthcare data
breaches.
This year has seen two settlements with organizations for breaches that have
impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic
Health Care Services of the Archdiocese of Philadelphia – and one civil monetary
penalty – Lincare Inc.
A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in
the table on the next page.
HIPAA Settlements