By Michael Sommerkamp
Legal Counsel for Indiana State Emergency Management Agency
msommerkamp@sema.state.in.us
HIPAA and YOU: Compliance Doesn’t Have to Hurt
About This Presentation
This presentation is not intended as legal advice and all EMS providers are strongly encouraged to consult with their attorneys and medical directors when drafting and implementing policies regarding HIPAA compliance, disclosures of PHI, and disclosure of PHI to law enforcement officers.
This PowerPoint presentation, FAQs, and a hypertext version of its content are available at: http://www.in.gov/sema/ems/hipaa_present.html
So What is HIPAA And What Does it Do? Background and Vocabulary [Slide 1 of 3]
The Office of Health and Human Services (“HHS”) created the Health Insurance Portability and Accountability Act (“HIPAA”), which affects the handling of Private Health Information (“PHI”) by Covered Entities (“CE”)
HIPAA has 4 primary components, but this presentation will only address the Privacy Rule, which became enforceable on April 14, 2003
The Privacy Rule creates a national floor for privacy standards and supersedes less stringent state laws
So What is HIPAA And What Does it Do? Background and Vocabulary [Slide 2 of 3]
HHS’ Office of Civil Rights (“OCR”) is in charge of enforcement actions
The intent of the Privacy Rule is to give individuals basic rights regarding the use of PHI, which should NEVER compromise patient care
So What is HIPAA And What Does it Do? Background and Vocabulary [Slide 3 of 3]
Penalties for violations of HIPAA include:
– Civil Penalty: $100 per violation, maximum per year of $25,000
– Criminal Penalties:
  • Wrongful Disclosure: Fine of not more than $50,000 and not more than 1 year imprisonment
  • Disclosure under False Pretenses: Fine of not more than $100,000 and not more than 5 years imprisonment
  • Commercial Advantage, Personal Gain, or Malicious Harm: fine of not more than $250,000 and 10 years imprisonment
The Privacy Rule’s Golden Rule For EMS Providers
HIPAA should NEVER adversely affect the quality of patient care rendered or impede the ability of a health care provider to care for a patient
But Why Me?!? (Or am I a Covered Entity) 45 CFR § 160.103
A covered entity is a health plan, a health clearinghouse, or a health care provider;
Who electronically transmits health information;
For a transaction covered under HIPAA.
– Common transactions include: eligibility inquiries, health claims and other billing matters done by you or for your benefit (Use of a 3rd party billing company does NOT exempt you from HIPAA)
Sending data to SEMA or NFIRS is NOT a covered transaction
Hybrid Entities 45 CFR 164.504
Hybrid entities are usually governmental entities or large corporations whose primary business is NOT providing health care
These entities segregate their components that perform health care functions from the components not related to performing health care functions.
By doing this, only those components that perform health care functions must comply with HIPAA.
And If I’m Not a Covered Entity? Don’t Start to Celebrate Yet...
Medicare will NOT pay claims that are NOT submitted electronically after October 16, 2003 (unless a 1 year waiver is sought and granted)
OCR is currently offering an educational “grace period”
HIPAA privacy standards have become the popular standard of care--Maybe expected by YOUR potential jury pool in a State Law privacy case...
But We Can Barely Afford Band-Aids (Or Scalability of Requirements)
HHS expects that small providers will develop less expensive and less complex privacy measures than larger providers
Limitations on small providers are to be considered when reviewing safeguards
Small providers “will not be required to change their business practices dramatically” [Is this a sample of HIPAA Humor?!?]
Well, If I Gotta’ Do This
Implementation Strategies
Requirements of Covered Entities (Slide 1 of 3)
The Privacy Rule requires CEs to “Protect PHI, which includes all individually identifiable health information regardless of whether it is in electronic form, paper, or oral communications.”
Designate a Privacy Official
Look for Leaks in your Privacy Policy
Conduct and document privacy training for your ENTIRE workforce
Develop an Authorization Form for the release of PHI
Develop a Notice of Privacy Practices
Understand the interaction of HIPAA and State Laws
Requirements of Covered Entities (Slide 2 of 3)
Understand Patient Rights and associated requirements
– Notice of Privacy Practices (45 CFR 164.520)
– Access to Records (45 CFR 164.524)
– Right to ASK to Amend Records (45 CFR 164.526)
– Restrictions on Use or Disclosure (45 CFR 164.522)
– Alternative Communications (45 CFR 164.522)
– Accounting of Disclosures (45 CFR 164.528)
– How to File a Complaint (45 CFR 164.530)
When disclosure is allowed, ALWAYS disclose the MINIMUM NECESSARY PHI
Requirements of Covered Entities (Slide 3 of 3)
Update employee policies & procedures
Identify Business Associates and adopt a form contract
Put in place reasonable administrative, technical, and physical safeguards
The Standard for Protecting PHI 42 USC § 1320d-2(d) [Slide 1 of 4]
• Covered entities shall maintain reasonable & appropriate administrative, technical, and physical safeguards:
• To ensure the integrity and confidentiality of the information (electronic, written, or spoken)
• To protect against any reasonably anticipated:
  • Threats or hazards to the security or integrity of the information; and
  • Unauthorized uses or disclosures of the information; and
• Otherwise to ensure compliance by officers & employees.
The Standard for Safeguarding PHI 42 USC § 1320d-2(d) [Slide 2 of 4]
• HHS has stated that the use of encoded radio or electronic transmissions is NOT REQUIRED
• Prudence dictates that you:
  • Maintain run sheets in a secured area and limit access
  • Add passwords to computers and networks that contain PHI
  • Add confidentiality statements on e-mails and faxes that contain PHI
  • Maintain fax that receives PHI in secure location and limit access
The Standard for Safeguarding PHI 42 USC § 1320d-2(d) [Slide 3 of 4]
Incidental Disclosures can be made for treatment, but the care provider must use discretion and the most secure manner available
– If a patient name must be used when contacting the hospital, then use a cell phone if possible and available
– If others not involved in treatment are near, then whisper
– Common sense and a team approach towards compliance can go a long way
The Standard for Safeguarding PHI 42 USC § 1320d-2(d) [Slide 4 of 4]
Beware any use or discussion of PHI NOT specifically permitted, such as:
– discussing a run as you walk from ER to ambulance
– discussing a run at the station/ Pizza Hut/ gym/ bar/ or anyplace other than audit & review
– discussing “interesting” runs, famous patients, or even relatives or neighbors.
– Interesting run: if discussing the run could embarrass someone (think foreign object and orifice…)
These standards cover medics and billing agents, and anyone else with access to PHI
When Unsure Whether You Can Discuss A Run...
Ask yourself if Judge Hang’em High would agree that the disclosure was for the benefit of the patient AND that it was done with the utmost discretion...
Designate a Privacy Official
All CEs must appoint a Privacy Officer
The Privacy Officer should develop a Privacy Program and procedures with the assistance of both the medical director and the attorney who would defend the provider in a HIPAA action
The Privacy Officer can have other duties, but should have the time and resources needed to fulfill required HIPAA duties (and just maybe a large stick to assist in enforcing Privacy Standards…)
Duties of a Privacy Officer
Policies must comply with HIPAA and State Law
Privacy Policies must be documented, disseminated to, and followed by all employees through a privacy training program
All employees MUST complete this program and sign a statement that they have completed the program and will comply with the policies
Who Is An Employee
For the purpose of the Privacy Rule, employees are volunteers, students, trainees, independent contractors, and anyone else under your control.
Look for Leaks in Your Privacy Policy
What “Leaks” can PHI seep through? Find and patch them NOW
Guarding PHI HAS to be an ongoing task for everyone: Students, EMTs, Billing Agents, the Privacy Officer, and Management
Only those who need access to PHI should have access; and then only the minimum necessary
Remember, HIPAA covers electronic, written and oral disclosures of PHI
Develop An Authorization Form for the Release of PHI 45 CFR 164.508
Most EMS disclosures fall under the Treatment, Payment, and Health Care Operations (TPO) exemption
Authorization is required for disclosures NOT otherwise authorized under the Privacy Rule
Authorization is required for marketing NOT conducted by the Covered Entity
Notice of Privacy Practices (NPP) 45 CFR 164.520 [Slide 1 of 2]
You must develop a compliant NPP
The NPP must be in plain language, which might require a Spanish NPP if you serve a Spanish-speaking community
You must make a Good Faith attempt to give a NPP to each Pt or Pt’s representative AND to get a signed Acknowledgement of Receipt in non-emergency situations by each Pt or a Pt’s representative
In Emergency Treatment Situations, the NPP must be given as soon as practical--maybe leave a copy at hospital, mail w/ the bill…
Notice of Privacy Practices (NPP) 45 CFR 164.520 [Slide 2 of 2]
If a patient refuses a run she should still be given a NPP, and her Acknowledgement of Receipt could be added to the refusal form
Services who maintain a web site MUST post their NPP on the site (**Look for these FREE examples**)
The NPP has many technical requirements: check the requirements in the Rule as you look at examples
NPPs & Unemancipated Minors [Slide 1 of 2]
The Privacy Rule does NOT address consent to treatment, so Indiana law regarding the ability of minors to consent (or sign) is unchanged
Just as a minor in Indiana is not deemed competent to refuse treatment, a minor is likely not deemed competent to accept a NPP or to sign for its acceptance
NPPs & Unemancipated Minors [Slide 2 of 2]
In descending order the following may give consent for medical treatment for an unemancipated minor (or are able to accept or to sign to accept a NPP):
– A court-appointed guardian; (if unavailable) then
– A parent or person acting in loco parentis [acting as a parent]; (if unavailable) then
– An adult sibling; (if unavailable) then
– A law enforcement officer who believes the minor’s condition is “seriously impaired or endangered”
Patient Rights [Slide 1 of 2]
Patient Rights requirements are detailed and MUST be precisely followed: See slide #18 for citations
Most patient rights MUST be listed on the NPP
If patient is not legally competent, then patient representative can exercise patient’s rights
Patients must be allowed to access & copy their PHI within 30 days of their request to access & copy
Patient Rights [Slide 2 of 2]
Patient must be given a NPP as soon as practical and a good faith effort must be made to get a Signature of Receipt
Patient has the right to REQUEST to amend records
Patients can request an accounting of unauthorized and non-routine disclosures of their PHI for up to 6 yrs, but only for dates after April 14, 2003
Patients must be told how to file a complaint
Business Associates 45 CFR § 160.103
Entities who perform services on your behalf AND have access to your PHI are Business Associates
Your employees & other care providers are NOT BAs
Some potential BAs: 3rd party billing companies, outside claims consultants, outside medical directors, software vendors, computer consultants, computer repair personnel
Sample Business Associate contract available at: http://www.hhs.gov/ocr/hipaa/contractprov.html
HIPAA & State Laws (Slide 1 of 2)
HIPAA preempts less stringent state privacy laws
In addition to HIPAA requirements, all Indiana EMS certificate holders, even the few who work for entities NOT covered by HIPAA, risk being subject to fines and suspension or revocation of their Indiana Certification for the “Unauthorized disclosure of medical records or other confidential patient information.” See 836 IAC 1-1-2(a)(8).
HIPAA & State Laws (Slide 2 of 2)
EMS services provided by or under a contract with a public agency must make the following information available:
– The date and time of the request for ambulance services
– The reason for the request for assistance
– The time and nature of the response
– The time of arrival at the scene
– The time of departure from the scene
– The name of the facility, if any, to which the patient was delivered
See IC 16-31-2-11
Permitted Unauthorized Disclosures (Slide 1 of 2)
Exemptions are found in 45 CFR § 164.512
Privacy Rule ALLOWS the disclosure of PHI for:
– Treatment, Payment, and Operations
– When Required by Law
– Public Health Activities (sending run report data to SEMA or NFIRS)
– Victims of Abuse, Neglect, or Domestic Violence
– Health Oversight Activities (SEMA hearings)
[List continued on next slide]
Permitted Unauthorized Disclosures (Slide 2 of 2)
(Exemptions continued from previous slide)
– Judicial & Administrative Proceedings
– Law Enforcement
– Births and Deaths
– Organ and Tissue Donation
– Research Purposes
– Protect Public Safety
– Specialized Government Functions
Your New Best Friend: Treatment, Payment, and Health Care Operations
Treatment, Payment, and Operations (TPO) disclosures are allowed without authorization
Treatment: giving PHI to other providers involved in treating the patient, such as a hospital
Payment: receiving PHI from other providers (such as a hospital) needed for billing for treatment (filing claims, coordinating benefits, eligibility inquiries, collections,…)
Operations: audit & review, quality assessment, medical or legal auditing…
Remember the EMS GOLDEN RULE: When disclosure is permitted, disclose the MINIMUM NECESSARY PHI
Disclosures Required by Law [Slide 1 of 2]
The Privacy Rule allows most disclosures of PHI statutorily required by Indiana law.
Only the minimum necessary PHI may be disclosed and only to the recipient specified in the Indiana law (See the following example)
Disclosures Required by Law [Slide 2 of 2]
Example: Indiana Law requires a practitioner* who initially treats an injury from fireworks or pyrotechnics to submit a report to the State Dept. of Health. As HIPAA exempts this and Indiana Law requires it, the State Dept. of Health MUST be given this report. Yet, the unauthorized release of the same information to local law enforcement, which is not required by either HIPAA or Indiana Law, would violate HIPAA.
*(A practitioner holds an unlimited, limited, probationary, or temporary license, certificate, or registration.) IC 35-47-7-6
Public Health Activities
Disclosures to public health authorities authorized by State Law to receive that PHI
This SPECIFICALLY ALLOWS sending run report data to SEMA or NFIRS
This also ALLOWS an EMS provider who was exposed to blood or bodily fluids to request notification if the patient has a communicable disease. See IC 16-41-10.
Victims of Abuse, Neglect, & Domestic Violence
HIPAA allows and Indiana Law requires:
– A person who believes an “endangered adult” is a victim of battery, neglect, or exploitation to report this to Adult Protective Services or to law enforcement. IC 12-10-3 & IC 35-46-1-13.
– A person who believes that a child is a victim of abuse or neglect to immediately notify their boss and to immediately notify either local child protective services or local law enforcement. IC 31-33-5.
Health Oversight Activities
This SPECIFICALLY ALLOWS disclosing PHI for SEMA investigations
It also allows disclosures to other supervising health entities:
– Audits & Investigations by supervising hospitals and/or physicians
– Medicare audits and investigations
Judicial & Administrative Proceedings
This also SPECIFICALLY ALLOWS disclosing PHI for SEMA investigations
Disclosure must be made when a Judge, an Administrative Law Judge, or a Grand Jury orders the disclosure through a subpoena or a warrant
– But NOT when an attorney or party to the litigation signs a subpoena
Disclosures To Law Enforcement
When Disclosure to Law Enforcement is Allowed
[Slide 1 of 5]
A CE may disclose PHI to Law Enforcement when:
– Required by State Law (please see the note titled “Mandatory Disclosures of PHI Required by Indiana Law,” near the end of your informational packet)
– Ordered by a court (warrant or subpoena signed by Judge, Administrative Law Judge, or Grand Jury--NOT attorney)
– Ordered by Administrative subpoena from authorized agency
When Disclosure to Law Enforcement is Allowed
[Slide 2 of 5]
Needed to identify or locate a suspect, fugitive, missing person, or witness, a provider may release:
– name & address
– date & place of birth
– social security number
– blood type
– type of injury
– date & time of treatment (or death, if applicable)
– distinguishing characteristics: height, weight, gender, race, hair & eye color, scars, tattoos, & presence of facial hair
When Disclosure to Law Enforcement is Allowed
[Slide 3 of 5]
If care recipient is a victim of crime AND:
– unable to consent; AND
– Officer states PHI needed to determine whether violation of law occurred by someone other than victim; AND
– PHI is NOT intended to be used against the victim; AND
– Immediate Law Enforcement activity will be affected by waiting until victim can give consent; AND
– In your professional judgement you deem the disclosure is in the best interest of the victim.
When Disclosure to Law Enforcement is Allowed
[Slide 4 of 5]
Under IC 9-26-2-2, Indiana law enforcement officers are statutorily required to gather the following information:
– Name and address of the owner and operator of each vehicle involved in the accident
– License number and description of each vehicle
– Time and place the accident occurred
– Name and address of each person injured or killed
– Name and address of each witness to the accident.
(Continued on next slide)
When Disclosure to Law Enforcement is Allowed
[Slide 5 of 5]
As State Law requires a law enforcement officer to collect the preceding information, disclosing the minimum necessary information should not violate the Privacy Rule. However, EMS providers are, by their nature, patient advocates and should always encourage law enforcement officers to gather information directly from the patient when possible, as opposed to from the EMS provider.
Develop a policy with the assistance of your attorney, CEO, provider hospital, and local law enforcement.
Specialized Government Function
If any of these arise, consult with your attorney
– Military & Veteran Affairs
– Department of Defense Activities
– Required for national security
– Required to Protect the President or other national dignitaries
– Security clearances
– Inmates in governmental custody and others
Other Allowed Disclosures
Organ & Tissue Donation
For specific research purposes
To avert threats to safety: requires good faith belief that the disclosure will:
– prevent or lessen a serious & imminent threat to public or a person’s health; or
– to assist law enforcement AFTER an individual admits to involvement in a violent crime; or
– It appears the individual is a fugitive from the law
HIPAA Resources (Slide 1 of 2)
Your starting points should be OCR’s HIPAA web site: http://www.hhs.gov/ocr/hipaa/ AND
OCR’s FAQs (Get this FREE Resource!!): http://www.hhs.gov/ocr/hipaa/guidelines/guidanceallsections.pdf
The full text of the final regulation is available at: http://www.hhs.gov/ocr/hipaa/privrulepd.pdf
Centers for Medicare and Medicaid Services (“CMS”): http://www.cms.hhs.gov/hipaa/
CMS’ Compliance Checklist: http://www.hipaa.org/
SEMA’s HIPAA site: http://www.in.gov/sema/ems/hipaa.html
HIPAA Resources (Slide 2 of 2)
CMS’ Ambulance Services Web Page: http://www.cms.hhs.gov/suppliers/ambulance/default.asp
Phoenix Health Systems HIPAA page: http://www.hipaadvisory.com
NEDARC’s HIPAA Web Site: http://www.nedarc.org/HIPAA/HIPAA_info.htm