rems hipaa

HIPAA Training Rotterdam Emergency Medical Services Douglas Hexel, AEMT-P, NYS CLI

Upload: dhexel

Post on 26-Jun-2015


Page 1: Rems hipaa

HIPAA Training

Rotterdam Emergency Medical Services
Douglas Hexel, AEMT-P, NYS CLI

Page 2: Rems hipaa

Reasoning

• NYS and REMS require initial training at time of hire as well as annual refresher training on healthcare privacy.

Page 3: Rems hipaa

Agenda

• What is HIPAA?
• Privacy
• Requirements
• Protected Health Information (PHI)
• Notice of Privacy Practices
• Permitted Disclosures

Page 4: Rems hipaa

What is HIPAA?

HIPAA = Health Insurance Portability and Accessibility Act

Created by the US Department of Health and Human Services and fully implemented in April of 2005.

Page 5: Rems hipaa

What is HIPAA?

• HIPAA is a common set of standards that protects certain health information

• There are several components but, as EMS providers, we are most concerned with the “Privacy Rule.”

Page 6: Rems hipaa

“The Privacy Rule”

• The intent of the Privacy Rule is to provide basic rights regarding the use of “Protected Health Information” (PHI).

• It protects all “individually identifiable health information.”

• Electronic, paper, or oral
• Applies to “covered entities”

Page 7: Rems hipaa

Covered Entities

Three Categories:
• Health plans
• Health care clearinghouses
• Health care providers who transmit any health information electronically

REMS falls under the “health care providers” category.

Page 8: Rems hipaa

Requirements

The Privacy Rule requires Covered Entities to:
• Protect PHI
• Designate a Privacy Officer
• Look for “leaks” in the policy
• Conduct/document initial and annual refresher training for ALL personnel
• Develop an Authorization Form for release of PHI

Page 9: Rems hipaa

Other Requirements

• Develop a Notice of Privacy Practices
• When permitted, disclose only the minimum necessary PHI
• Update policies and procedures
• Identify business associates with access to PHI and create contracts (i.e. EMScharts)
• Apply reasonable administrative, technical, and physical safeguards.

Page 10: Rems hipaa

Protected Health Information

PHI is any information created or received by a health care provider which relates to:
• Past, present, or future physical or mental conditions (medical history)
• Provision of health care (treatment)
• Past, present, or future payment for care

Page 11: Rems hipaa

Protected Health Information

Examples:
• Name
• Address
• Date of Birth/Age
• Social Security Number
• Medical condition/Past medical history
• Full face photos

Page 12: Rems hipaa

Transfer of Patient

• HIPAA should never negatively impact the quality of patient care or impede the ability to provide care.

• The appropriate communication of PHI with other health care providers DIRECTLY involved in providing patient care does NOT constitute a violation of HIPAA.

Page 13: Rems hipaa

Safeguards

• PCRs should be kept in a secure location (PCR boxes located at both stations)

• Networks containing PCRs should be password-protected (EMScharts)

• Include confidentiality statements on e-mails and faxes that contain PHI (administration-level)

Page 14: Rems hipaa

Caution

Beware of discussion of PHI, such as:

• Talking about current or prior incident while re-stocking ambo or writing report

• Discussing a call anywhere other than an official audit or review

• Discussing “interesting” calls, famous patients, or neighbors

• Sharing co-workers’ or fellow responders’ PHI (i.e. “My partner is a bad diabetic” or “Yeah, my partner had a heart attack a few years ago too.”)

Page 15: Rems hipaa

Still unsure?

Ask yourself:
• Would a Judge agree that the disclosure benefited patient care and was performed with the utmost discretion?

• If you were the patient, would you want an “embarrassing” injury or illness to be discussed?

Page 16: Rems hipaa

Notice of Privacy Practices

• REMS must make a Good Faith attempt to provide a Notice of Privacy Practices to each patient

• REMS must also make an effort to get a signed “Acknowledgement of Receipt”

Page 17: Rems hipaa

Notice of Privacy Practices

• At REMS, this is achieved with the AOB forms, which include a privacy notice provision.

• If a patient requests a Notice of Privacy Practices, a separate form is located in the clipboard that can be provided to the patient.

Page 18: Rems hipaa

Permissible Disclosures

• Treatment
• Payment
• Operations
• Public Health Regulations
• Victims of Abuse
• Judicial proceedings
• Births and Deaths
• Research
• Protection of Public Safety
• Law Enforcement

Page 19: Rems hipaa

Permissible Disclosures

Treatment
• As previously noted, full disclosure is permitted (and required) to those DIRECTLY involved in care of the patient.
• This covers destination facility healthcare providers (tech, RN, NP, PA, MD/DO, etc.)

Payment
• REMS is authorized to disclose PHI to insurance companies for billing purposes

Page 20: Rems hipaa

Permissible Disclosures

Victims of abuse
• EMS providers are mandated reporters for child abuse but may report any type of abuse without concern of HIPAA violations.
• Definitive proof is not required, only a reasonable suspicion of abuse.

Judicial Proceedings
• Under subpoena, disclosure is required in a court of law.


Page 22: Rems hipaa

Permissible Disclosures

Births/Deaths
• Disclosure to medical examiner/coroner permitted

Research
• Disclosure to entities such as REMO for research and statistics tracking.

Page 23: Rems hipaa

Law Enforcement Disclosures

Law Enforcement
• It is important to remember that we are healthcare providers and not information sources for law enforcement. Permissible disclosures are found under Section 164.512

Page 24: Rems hipaa

Law Enforcement Disclosures

1. When required by law or pursuant to process (e.g., gunshot wound reporting)

2. Identification and location purposes (victim or material witness, includes type of injury)

3. Response to request for information about a victim of a crime (can’t be used against the victim, needed to determine violation of law, in the best interests of the individual)

Page 25: Rems hipaa

Law Enforcement Disclosures

4. Decedents (if suspected death may be from criminal conduct)

5. Crime on the premises (evidence of criminal conduct)

6. Reporting crime in emergencies (identity, description and location of perpetrator)

Page 26: Rems hipaa

Law Enforcement Disclosures

May disclose to identify or locate a:
– Suspect
– Fugitive
– Material witness
– Missing person

Page 27: Rems hipaa

Victims of crime

• May disclose PHI in response to a law enforcement request, where the individual is a possible crime victim

• If patient agrees

OR

• If patient is unable to agree because of condition, may release PHI if:
– Law enforcement represents that the info is needed immediately; AND
– Won’t be used against the victim

Page 28: Rems hipaa

Victims of crime

• May release PHI to alert law enforcement of a patient’s death, IF the death may have resulted from criminal activity

• You are not required to make a “legal conclusion” that the death resulted from a crime

• Only a “suspicion” is required

Page 29: Rems hipaa

Reporting a crime

• Healthcare providers may release PHI to law enforcement to alert them to:
– Commission and nature of a crime
– Location of the crime or of the victim
– Identity, description, and location of perpetrator

Page 30: Rems hipaa

Remember:

• Permissible disclosures can only be made to appropriate authorities (i.e. you can notify the county health department of a patient with tuberculosis but you MAY NOT alert any media)

Page 31: Rems hipaa

Penalty

• A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year imprisonment.

Page 32: Rems hipaa

Questions/Comments

Questions? Comments? Concerns?

Please direct them to me at [email protected]