HIPAA & PHI 2017

Upload: john-reardon

Post on 14-Feb-2017

TRANSCRIPT

Page 1: HIPAA & PHI 2017

HIPAA & PHI

Page 2

HIPAA

• In 1996 the Health Insurance Portability and Accountability Act was passed by the federal government.

• Its aim, among other things, was to force health care providers to protect the privacy of protected health information (PHI).

Page 3

Covered Entity

• An organization or business which is bound by HIPAA regulations is called a "Covered Entity".

• Big Tree VFC is a "Covered Entity".

Page 4

What is PHI?

"Health information means any information, whether oral or recorded in any form or medium, that-

• (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

• (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual."

Page 5

What is PHI? (cont.)

"Individually identifiable health information is information that is a subset of health information collected from an individual, and:

• (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

• (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

• (i) That identifies the individual; or

• (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual."

Page 6

To simplify, PHI is:

Any information that can identify or potentially identify a patient and/or pertains to the patient's past, present or future health status.

For us this is:

Name, DOB, SS#, history, meds, chief complaint, etc.

Page 7

Restricted Use and Disclosure of PHI

• Patients can ask that health information not be shared with certain people, groups, or companies.

• In cases like this the EMT in charge of the patient needs to make 9-3 and/or 9 aware of this request as soon as possible without compromising patient care or safety.

• For example, a patient may ask that their information not be shared or made known to a certain member.

Page 8

When is it okay to release PHI?

• Generally patients must give a "covered entity" WRITTEN consent to release any PHI.

• There are a few ways some PHI may be released without written consent:

– A patient's name may be used in a radio transmission if a crew is having difficulty locating said patient. For example, there are no room numbers on an apartment list, but there are resident names. Dispatch can radio the name of the patient to the crew.

Page 9

When is it okay to release PHI?

– An EMS crew may report the condition of a patient to an immediate family member (spouse, child, grandchild, or health care proxy).

– If the patient is a victim of a crime, EMS may tell law enforcement about the patient's injuries and condition. If the patient is NOT a victim of a crime but agrees to speak to police about their condition, this is not a PHI violation because the patient is speaking to police, not the EMS crew.

Page 10

When is it okay to release PHI?

– An EMS crew may report patient injuries to law enforcement if the patient is possibly wanted in relation to a crime.

– When EMS is delivering a report to a hospital or receiving medical facility. This is to preserve the continuity of care: providers NEED to pass on pertinent medical information, history, and treatments given. EMS can disclose PHI to a triage nurse or doctor at a receiving facility.

– EMS also has the right to open and review patient records when a patient is being transferred from a facility.

Page 11

When is it okay to release PHI?

– When EMS is reporting suspected abuse that is covered under Mandated Reporting:

• Child abuse/neglect

– Health information about an individual who has been deceased for more than 50 years is no longer treated as PHI under the Privacy Rule.

Page 12

When is it NOT permissible to disclose PHI?

Posting it on Social Media

• EMS providers may not post details about runs on any electronic medium. This is true even when a patient name is not used. If there is enough information for someone to identify the patient (for example the nature of the injury, the time and location of an incident, etc.) the provider will be in violation.

Page 13

When is it NOT permissible to disclose PHI?

Discussions with colleagues/friends

• Just as with electronic mediums, discussing patient encounters with colleagues who were not part of the patient care team (face to face, or in writing) is a definite no-no.

• This also applies to conversations outside of work with the provider's friends or family.

KEEP IN MIND: YOU NEVER KNOW WHO KNOWS WHOM!

Page 14

When is it NOT permissible to disclose PHI?

Statements to news media

• EMS providers may not provide any information about the nature or severity of a patient's illness or injuries.

• EMS providers may not verify the identity of a patient being treated EVEN IF the media agency claims to already know the identity of the patient.

• "NO COMMENT" and/or "PLEASE SEE THE PIO/CHIEF" are always good rules of thumb!

Page 15

When is it NOT permissible to disclose PHI?

Sharing patient status or information with neighbors

• EMS providers may not disclose any patient information to a patient's neighbor, friends, or other persons who are not involved in the treatment of said patient.

• If a concerned neighbor or friend wants to know about the patient, let the patient tell them.

Page 16

Allowing other people to access your PCR

• PCRs are confidential.

• PCRs and other hard copy PHI (med lists, etc.) should be secured in a receptacle designed to protect against unauthorized access.

• EMS providers may not allow others to see their PCRs; however, there are some exceptions:

– When the member in question is on the call with you

– When an EMT's number is on that PCR

– For training/learning/QA&QI purposes, with patient info redacted

Page 17

Why is HIPAA Important?

• Individuals and agencies who violate HIPAA privacy can be fined, and individuals can even serve jail time if found guilty of violating these statutes.

• It's just the right thing to do: we are patient advocates and should be protecting the privacy of our patients.

Page 18

HIPAA breach notification

• In the event that PHI is accidentally or deliberately disclosed in violation of HIPAA regulations, the covered entity is required to report the breach immediately.

• It is unlawful to hide or cover up any confirmed or potential breach.

• If you feel that a HIPAA breach has occurred, report the situation to any Chief or EMS officer immediately!

Page 19

Civil HIPAA breach penalties

HIPAA Violation | Minimum Penalty | Maximum Penalty
Unknowing | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Reasonable Cause | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Willful neglect, but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Willful neglect, and violation is not corrected within the required time period | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

Note: the $25,000 annual maximum in the "Unknowing" tier is also the maximum that can be imposed by State Attorneys General, regardless of the type of violation.

Page 20

Criminal HIPAA breach penalties

• Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.

• Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment of up to 1 year.

• Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.

• Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of up to $250,000 and imprisonment of up to 10 years.

Page 21

The END