HIPAA Annual Training, Anne Arundel County Fire Department
HIPAA
Annual Training
Anne Arundel County Fire Department
What is HIPAA??
HIPAA = Health Insurance Portability and Accountability Act
Created by – United States Department of Health and Human Services (HHS)
Still not clear??
HIPAA is a common set of standards that protects certain health information
There are several components – but, we are most concerned with the “Privacy Rule.”
The Privacy Rule
The intent of the Privacy Rule is to provide basic rights regarding the use of “Protected Health Information” (PHI).
It protects all “individually identifiable health information.”
Electronic, paper, or oral
Applies to “covered entities”
Who is a Covered Entity?
Three Categories:
Health plans
Health care clearinghouses
Health care providers who transmit any health information electronically
AACo Fire Department falls under the Health Care Provider category
What’s Required?
The Privacy Rule requires Covered Entities to:
Protect PHI
Designate a Privacy Officer
Look for “leaks” in the policy
Conduct/document training for the ENTIRE department
Develop an Authorization Form for release of PHI
More Requirements
Develop a Notice of Privacy Practices
When permitted, always disclose only the minimum necessary PHI
Update policies and procedures
Identify Business Associates and create contracts
Apply reasonable administrative, technical, and physical safeguards
Privacy Officer
An individual within the organization that is responsible for developing and implementing policies and procedures required by HIPAA
Anne Arundel County Fire Department’s Privacy Officer is Battalion Chief Matthew Tobia
Protected Health Information
PHI is any information created or received by a health care provider which relates to:
Past, present, or future physical or mental conditions
Provision of health care
Past, present, or future payment for care
Examples of PHI
Name
Address
Date of Birth/Age
Social Security Number
Medical condition/Past medical history
Full face photos
HIPAA should NEVER negatively impact the quality of patient care or impede the ability to provide care!!
The appropriate communication of PHI with other health care providers directly involved in providing patient care does not constitute a violation of HIPAA.
Safeguarding PHI
PCRs should be kept in a secure location
Networks containing PCRs should be password-protected
Include confidentiality statements on e-mails and faxes that contain PHI
Use Caution…
Beware of discussion of PHI, such as:
Talking about current or prior incident while re-stocking ambo or writing report
Discussing a call anywhere other than an official audit or review
Discussing “interesting” calls, famous patients, or neighbors
Sharing co-workers’ or fellow responders’ PHI
Unsure About Discussing an Incident??
Ask yourself…
Would a Judge agree that the disclosure benefited patient care AND was performed with the utmost discretion???
If you were the patient, would you want an “embarrassing” injury or illness to be discussed?
Notice of Privacy Practices (NPP)
The department must make a Good Faith attempt to provide an NPP to each patient
The department must also make an effort to get a signed “Acknowledgement of Receipt”
Anne Arundel County Fire Department’s NPP
The department sends our NPP with the request for insurance information, including a signature form which acknowledges receipt and permission to bill insurance on the patient’s behalf.
The NPP is also available on the internet at www.aacounty.org/fire. Every uniformed and civilian member of the Department must review and be familiar with this material.
A copy can be viewed on the next two slides.
NPP in Emergency Settings
During the emergency treatment of a patient, the NPP must be given as soon as practical.
The Anne Arundel County Fire Department provides the NPP and Acknowledgement through the mail.
This ensures that the provision of this information does not interfere with patient care or become lost during the emergent phase of treatment.
Permitted Disclosures
Disclosure of PHI is acceptable in the following circumstances:
Treatment
Payment
Operations
Public Health Regulations
Victims of Abuse
Judicial proceedings
Law Enforcement
Births and Deaths
Research
Protection of Public Safety
Treatment, Payment, and Operations
Treatment – giving PHI to other providers involved in patient care, such as the hospital
Payment – receiving PHI from other providers, as necessary for billing
Operations – audits, quality assurance assessments
Public Health Activities
Disclosures to public health authorities, as authorized by State Law
Also allows for notification of communicable diseases to EMS providers involved in an exposure
Victims of Abuse, Neglect, and Domestic Violence
The law requires (and HIPAA allows):
Reporting an “endangered adult” believed to be a victim of battery, neglect, or exploitation to Adult Protective Services or law enforcement
Reporting a child that is believed to be a victim of abuse or neglect to the immediate supervisor, Child Protective Services, or law enforcement
Judicial Proceedings
Disclosure must only be made when a Judge or Grand Jury orders disclosure through a subpoena or warrant.
**A private attorney does not have the authority to order a Fire Department provider to discuss a case. If contacted by an attorney, always contact the county’s law office for advice before proceeding.**
Law Enforcement
Disclosure of PHI to Law Enforcement is permitted when:
Required by law
Ordered by a court
Ordered by Administrative subpoena
Law Enforcement
When assisting the police to identify or locate a suspect, missing person, or witness, the provider may release:
Name/address
Date/Place of birth
Social Security #
Blood Type
Date/time of treatment
Distinguishing characteristics – height, weight, tattoos, scars, etc…
Law Enforcement
As patient care advocates, EMS providers should encourage law enforcement to gain information directly from the source, when possible.
Civil Penalties
The U.S. Dept of Health and Human Services may impose civil penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement.
Criminal Penalties
A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year imprisonment.
Criminal sanctions are enforced by the Department of Justice.
Resources
http://www.hhs.gov/ocr/privacy/hipaa/
http://www.dhmh.state.md.us/hipaa
http://www.aacounty.org/fire
NEXT STEP
Complete the Quiz
Submit a Training Report – Use Training Course Code - HIPA11