HIPAA presentation

Post on 11-Apr-2017


HIPAA Privacy Training
Currituck County Fire-EMS

Copyright 2003 Page, Wolfberg, & Wirth, LLC. All Rights Reserved.

With guidance from EMS System Legal Compliance Program for HIPAA Privacy Training

Overview of Confidentiality

Confidentiality

• Health Care Professionals (HCP’s) also have an ethical obligation to protect a patient’s privacy

• There are laws prohibiting the revealing of patient information without the patient’s consent

• HCP’s must follow state/local laws and agency policies

• HIPAA laws apply

Confidentiality

• Improper release of information or the release of inaccurate information can result in liability
  – Invasion of Privacy…
  – Defamation (libel and/or slander)…

Confidentiality

• Invasion of Privacy
  – The release of information, without legal justification, regarding a patient’s private life that might reasonably expose the person to ridicule, notoriety or embarrassment

Confidentiality

• Defamation
  – Making untrue statements about someone’s character or reputation
  – Libel
    • False statements about a person made in writing or through the mass media with malicious intent or reckless disregard for the falsity of the statement
  – Slander
    • Refers to false verbal statements about a person made with malicious intent or reckless disregard for the falsity of the statement

Overview of HIPAA

What is HIPAA Anyway?

• HIPAA stands for the: “Health Insurance Portability and Accountability Act”

• HIPAA is a Federal law passed by Congress in 1996

What is HIPAA Anyway?

• Focuses on protecting the patient, specifically the protection of health information

• Governs how we access, use and disclose confidential patient information

• Gives the Federal Government Protection and Enforcement authority over patient information which we deal with every day

“Until now, virtually no federal rules existed to protect the privacy of health information and guarantee access to such information. This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care.”

---Preamble to December 2002 Privacy Rule

What is HIPAA Anyway?

• You should treat others’ health information how you would like your health information to be treated

• Applies to most health care providers, ambulance services and us as individuals

• In our agency, HIPAA applies to:
  – Technicians
  – Billing Staff
  – Management
  – Ride-A-Longs
  – Precepting Students
  – Volunteers
  – High School Students
  – Any Fire Fighter that is riding on Ambulance

What is HIPAA Anyway?

• While HIPAA has a simple concept, it has become very complicated.

HIPAA Issues for EMS Providers

• Protecting patient privacy

• Safeguarding patient information

“Hey, did you hear what happened to Teresa in Currituck last night? We took her to the hospital and she was really messed up!”

Protecting Patient Privacy

What is PHI?

• Protected Health Information (PHI)
  – Individually identifiable patient information
    • Patient Name
    • Social Security Number
    • Medicare Claim Form Number
    • & Much, Much, More

What is PHI?

• Protected Health Information (PHI)
  – Information identified with a particular patient dealing with past, present or future physical or mental health care or payment
  – Created by or received by a health care provider
  – Oral, written, photographic, electronic, digital, form - etc.

What is PHI?

• Protected Health Information (PHI)
  – Any information that could identify or be related back to a patient.
  – Consider everything as PHI!

Some Sources of PHI

• Patient Care Reports

• Dispatch/Call Intake Records

• Billing Information
  – Insurance forms
  – Explanation of Benefits (EOB’s)

Some Sources of PHI

• Incident Reports with Patient Information

• Verbal Communications Between Health Care Providers

Some Sources of PHI

• Patient Records from Nursing Homes / Hospitals
  – Medical Records
  – Billing Information
  – Physician Orders
  – Transfer Paperwork
  – Registration Face Sheets

What Are Your Main Obligations?

• Respect the privacy of patient information as you would your own
  – “Guess who I picked up last night”
  – “Did you hear what happened to …”

What Are Your Main Obligations?

• Do not share PHI with others not involved in the patient’s care!
  – (except when permitted or required by HIPAA)

• Keep disclosures to the “minimum amount necessary” to get the job done

Remember the “Golden Rule” of Currituck County Fire-EMS HIPAA:

What You See Here
What You Hear Here
What You Do Here
Stays Here When You Leave Here!

The Three Basic Permitted Uses of PHI under HIPAA

1. Treatment
2. Payment
3. Operations – Health Care

Known as T.P.O. Disclosures

Treatment

• You may freely share any PHI with other health care providers who also treat the patient

• HIPAA was never intended to interfere with or restrict information for patient treatment

• Facilities may give PHI to the ambulance service and vice versa for TPO (e.g., transfers)

• The “minimum necessary” rule does not apply to treatment-related disclosures

Payment

• An ambulance service may use PHI to file claims with payers and send bills to patients without patient consent or authorization to release information

• To a field provider, this is:
  – Face Sheets
  – Medical Necessity Forms
  – Insurance Information
  – Signature Forms

Health Care Operations

• Includes Quality Management, Training and certain administrative functions

• The “minimum necessary rule” applies
  – Disclose the minimum amount needed to perform the function

What Can I Tell?

• Share your educational experiences

• Do not share identifiable information

Incidental Disclosures

• Unavoidable release of PHI

• Although PHI can be in verbal form, the Privacy Rule does recognize that “incidental disclosures” are inevitable

• PHI can be verbally disclosed for treatment, but we must take reasonable steps to minimize incidental disclosures

Incidental Disclosures

• Examples of Reasonable Steps:
  – Give report to ER nurse away from the crowd
  – Use softer volume when speaking
  – Use most secure type of transmission available when necessary

• For all oral communications:
  – Take care to minimize ‘incidental disclosures’
  – Do what you can to reduce who is listening in

Understanding HIPAA Privacy: The Typical Ambulance Call

Dispatch and Response

• Can the dispatch center transmit PHI over the radio?
  – YES! How else would you know where to respond?!
  – Necessary to treat the patient
  – Considered an ‘Incidental Disclosure’

Dispatch and Response

• Can you share PHI over the radio with other responding agencies?
  – Yes! HIPAA does not prevent oral communications for treatment purposes.
  – It is necessary for treatment
  – However, remember that the dispatch information you receive is still PHI!
    • Just because scanner-land heard it doesn’t allow you to freely disclose it to just anyone!

On-Scene

• Can you discuss PHI with family members?
  – Yes! Ask questions and share information towards the patient treatment, if the patient doesn’t object

On-Scene

• What about talking to the media or to bystanders?
  – No. Unless bystanders have important information about events of the incident
  – All Media contact through your Public Information Officer (PIO) according to department policy

Enroute to the Hospital

• Can I transmit a patient condition report to the hospital over the radio?
  – You are permitted to transmit PHI to the receiving facility to apprise the hospital of the patient’s condition
  – Necessary to treat the patient

At the Hospital

• Can I give a verbal report to the hospital staff about the patient?
  – Yes, necessary to treat the patient
  – Take care to minimize ‘incidental disclosures’
  – Sound-proof room not required but know your surroundings!
  – Use reasonable precaution

After the Call

• Can we discuss the call at the station?
  – Only to those who were involved on the call or supervisor.
  – Only those who have a need to know.

After the Call

• Can PHI be released for Quality Management activities?
  – Use only minimum amount of information needed to complete the activity.
  – Remove individually identifiable information.

Law Enforcement Disclosures

• HIPAA greatly limits the disclosures that EMS personnel can make!

• Law enforcement is not a health care provider and typically is not involved in a patient’s treatment

• L.E. must obtain information through the proper channels

Law Enforcement Disclosures

• Under HIPAA, we cannot release PHI for law enforcement purposes

• If we unlawfully release information under HIPAA, law enforcement may find that they cannot use it in court because it was obtained without patient consent

Law Enforcement Disclosures

• Permissible law enforcement disclosures are limited to specific situations
  – In response to a subpoena, warrant or other legal process;
  – For national defense and security;
  – To avert a serious threat to the health & safety of a person or the public at large…

Examples

• A police officer asks you if the patient at an accident scene appears to have been drinking
  – No. This is sharing protected health information (PHI) without the patient’s consent

Examples

• A police officer who is a medically-trained First Responder assisting you asks for the patient’s blood pressure and pulse to record on the first responder scene report
  – Yes. The officer is acting in the capacity as a health care provider and PHI can be shared and exchanged for treatment purposes and documentation

The Patient’s Rights and the Technician’s Obligation

The Patient’s Rights

• A patient has a right to protect his or her PHI

• We must have policies in place to protect the patient’s privacy

• We must communicate these policies and the patient’s right to the patient at or before the time of service

• This is communicated to the patient through our department’s “Notice of Privacy Practices” (NPP)

Patient Signature Requirements

• “Notice of Privacy Practices” (NPP)
  – Written document
  – Conveys our agency’s privacy practices
    • How patients gain access to their health information
    • How we use and disclose a patient’s health information
    • How a patient requests a restriction to their PHI
    • How a patient can amend their PHI
    • How to complain about violations of patient privacy

Technician Requirements

• Provide a patient with our Notice of Privacy Practices (NPP)

• Obtain their signature of acknowledgement of receipt

Notice of Privacy Practices

• For Non-Emergency calls
  – Required to give it to the patient at or before the time of service
  – Must obtain signed acknowledgment of their receipt of the Notice

• For Emergency calls
  – Must provide the Notice to the patient as soon as reasonably practicable after the emergency
  – Not required to obtain signed acknowledgment of the Notice must attempt

Safeguarding Patient Information

Safeguarding Written PHI

• PCRs must not be left unattended in the open

• PCRs must be collected in a locked box with limited, role-based access

• PCRs must be maintained in locked storage area

Safeguarding Electronic PHI

• Everything is moving into the electronic world
  – Electronic Billing
  – Electronic Claim Submissions
  – Electronic Medical Records
  – Electronic Data Collection

Safeguarding Electronic PHI

• Implement password protection to computers or networks where PHI is maintained

• All computers activate screensaver with password protection after 10 minutes

Safeguarding Verbal PHI

• Use most secure communication method available, when necessary
  – Example: cell phone vs. VHF radio

• Conduct conversations about PHI with other treatment providers in most secure location available

• Use appropriate voice volume

• No inappropriate banter about specific patients

Violation Penalties

• Civil Penalties for Violations
  – $100 per violation
  – Up to $25,000 per person per year for each violation

Violation Penalties

• Criminal Penalties for Violations
  – Wrongful Disclosure
    • Inappropriately obtaining or disclosing PHI
    • $50,000 per offense and 1 year in prison
  – False Disclosure
    • Obtaining information under false pretenses
    • $100,000 per offense and 5 years in prison
  – Intent to Sell
    • Obtaining info with intent to sell / gain / harm
    • $250,000 per offense and 10 years in prison

Violation Penalties

• Complaints from patients
  – Enforceable & Punishable by the Office of Civil Rights (OCR)
  – Enforceable & Punishable by Currituck County

Questions
