HIPAA presentation
TRANSCRIPT
HIPAA Privacy Training
Currituck County Fire-EMS
Copyright 2003 Page, Wolfberg, & Wirth, LLC. All Rights Reserved.
With guidance from
EMS System Legal Compliance
Program for
HIPAA Privacy Training
Overview of Confidentiality
Confidentiality
• Health Care Professionals (HCP’s) also have an ethical obligation to protect a patient’s privacy
• There are laws prohibiting the revealing of patient information without the patient’s consent
• HCP’s must follow state/local laws and agency policies
• HIPAA laws apply
Confidentiality
• Improper release of information or the release of inaccurate information can result in liability
– Invasion of Privacy…
– Defamation (libel and/or slander)…
Confidentiality
• Invasion of Privacy
– The release of information, without legal justification, regarding a patient’s private life that might reasonably expose the person to ridicule, notoriety or embarrassment
Confidentiality
• Defamation
– Making untrue statements about someone’s character or reputation
– Libel
• False statements about a person made in writing or through the mass media with malicious intent or reckless disregard for the falsity of the statement
– Slander
• Refers to false verbal statements about a person made with malicious intent or reckless disregard for the falsity of the statement
Overview of HIPAA
What is HIPAA Anyway?
• HIPAA stands for the: “Health Insurance Portability and Accountability Act”
• HIPAA is a Federal law passed by Congress in 1996
What is HIPAA Anyway?
• Focuses on protecting the patient, specifically the protection of health information
• Governs how we access, use and disclose confidential patient information
• Gives the Federal Government Protection and Enforcement authority over patient information which we deal with every day
“Until now, virtually no federal rules existed to protect the privacy of health information and guarantee access to such information. This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care.”
---Preamble to December 2002 Privacy Rule
What is HIPAA Anyway?
• You should treat others’ health information how you would like your health information to be treated
• Applies to most health care providers, ambulance services and us as individuals
• In our agency, HIPAA applies to:
– Technicians
– Billing Staff
– Management
– Ride-A-Longs
– Precepting Students
– Volunteers
– High School Students
– Any Fire Fighter that is riding on Ambulance
What is HIPAA Anyway?
• While HIPAA has a simple concept, it has become very complicated.
HIPAA Issues for EMS Providers
• Protecting patient privacy
• Safeguarding patient information
“Hey, did you hear what happened to Teresa in Currituck last night? We took her to the hospital and she was really messed up!”
Protecting Patient Privacy
What is PHI?
• Protected Health Information (PHI)
– Individually identifiable patient information
• Patient Name
• Social Security Number
• Medicare Claim Form Number
• & Much, Much, More
What is PHI?
• Protected Health Information (PHI)
– Information identified with a particular patient dealing with past, present or future physical or mental health care or payment
– Created by or received by a health care provider
– Oral, written, photographic, electronic, digital, form - etc.
What is PHI?
• Protected Health Information (PHI)
– Any information that could identify or be related back to a patient.
– Consider everything as PHI!
Some Sources of PHI
• Patient Care Reports
• Dispatch/Call Intake Records
• Billing Information
– Insurance forms
– Explanation of Benefits (EOB’s)
Some Sources of PHI
• Incident Reports with Patient Information
• Verbal Communications Between Health Care Providers
Some Sources of PHI
• Patient Records from Nursing Homes / Hospitals
– Medical Records
– Billing Information
– Physician Orders
– Transfer Paperwork
– Registration Face Sheets
What Are Your Main Obligations?
• Respect the privacy of patient information as you would your own
– “Guess who I picked up last night”
– “Did you hear what happened to …”
What Are Your Main Obligations?
• Do not share PHI with others not involved in the patient’s care!
– (except when permitted or required by HIPAA)
• Keep disclosures to the “minimum amount necessary” to get the job done
Remember
The “Golden Rule” of Currituck County Fire-EMS HIPAA:
What You See Here
What You Hear Here
What You Do Here
Stays Here
When You Leave Here!
The Three Basic Permitted Uses of PHI under HIPAA
1. Treatment
2. Payment
3. Operations – Health Care
Known as T.P.O. Disclosures
Treatment
• You may freely share any PHI with other health care providers who also treat the patient
• HIPAA was never intended to interfere with or restrict information for patient treatment
• Facilities may give PHI to the ambulance service and vice versa for TPO (e.g., transfers)
• The “minimum necessary” rule does not apply to treatment-related disclosures
Payment
• An ambulance service may use PHI to file claims with payers and send bills to patients without patient consent or authorization to release information
• To a field provider, this is:
– Face Sheets
– Medical Necessity Forms
– Insurance Information
– Signature Forms
Health Care Operations
• Includes Quality Management, Training and certain administrative functions
• The “minimum necessary rule” applies
– Disclose the minimum amount needed to perform the function
What Can I Tell?
• Share your educational experiences
• Do not share identifiable information
Incidental Disclosures
• Unavoidable release of PHI
• Although PHI can be in verbal form, the Privacy Rule does recognize that “incidental disclosures” are inevitable
• PHI can be verbally disclosed for treatment, but we must take reasonable steps to minimize incidental disclosures
Incidental Disclosures
• Examples of Reasonable Steps:
– Give report to ER nurse away from the crowd
– Use softer volume when speaking
– Use most secure type of transmission available when necessary
• For all oral communications:
– Take care to minimize ‘incidental disclosures’
– Do what you can to reduce who is listening in
Understanding HIPAA Privacy: The Typical Ambulance Call
Dispatch and Response
• Can the dispatch center transmit PHI over the radio?
– YES! How else would you know where to respond?!
– Necessary to treat the patient
– Considered an ‘Incidental Disclosure’
Dispatch and Response
• Can you share PHI over the radio with other responding agencies?
– Yes! HIPAA does not prevent oral communications for treatment purposes.
– It is necessary for treatment
– However, remember that the dispatch information you receive is still PHI!
• Just because scanner-land heard it doesn’t allow you to freely disclose it to just anyone!
On-Scene
• Can you discuss PHI with family members?
– Yes! Ask questions and share information towards the patient treatment, if the patient doesn’t object
On-Scene
• What about talking to the media or to bystanders?
– No. Unless bystanders have important information about events of the incident
– All Media contact through your Public Information Officer (PIO) according to department policy
Enroute to the Hospital
• Can I transmit a patient condition report to the hospital over the radio?
– You are permitted to transmit PHI to the receiving facility to apprise the hospital of the patient’s condition
– Necessary to treat the patient
At the Hospital
• Can I give a verbal report to the hospital staff about the patient?
– Yes, necessary to treat the patient
– Take care to minimize ‘incidental disclosures’
– Sound-proof room not required but know your surroundings!
– Use reasonable precaution
After the Call
• Can we discuss the call at the station?
– Only to those who were involved on the call or supervisor.
– Only those who have a need to know.
After the Call
• Can PHI be released for Quality Management activities?
– Use only minimum amount of information needed to complete the activity.
– Remove individually identifiable information.
Law Enforcement Disclosures
• HIPAA greatly limits the disclosures that EMS personnel can make!
• Law enforcement is not a health care provider and typically is not involved in a patient’s treatment
• L.E. must obtain information through the proper channels
Law Enforcement Disclosures
• Under HIPAA, we cannot release PHI for law enforcement purposes
• If we unlawfully release information under HIPAA, law enforcement may find that they cannot use it in court because it was obtained without patient consent
Law Enforcement Disclosures
• Permissible law enforcement disclosures are limited to specific situations
– In response to a subpoena, warrant or other legal process;
– For national defense and security;
– To avert a serious threat to the health & safety of a person or the public at large…
Examples
• A police officer asks you if the patient at an accident scene appears to have been drinking
– No. This is sharing protected health information (PHI) without the patient’s consent
Examples
• A police officer who is a medically-trained First Responder assisting you asks for the patient’s blood pressure and pulse to record on the first responder scene report
– Yes. The officer is acting in the capacity as a health care provider and PHI can be shared and exchanged for treatment purposes and documentation
The Patient’s Rights and the Technician’s Obligation
The Patient’s Rights
• A patient has a right to protect his or her PHI
• We must have policies in place to protect the patient’s privacy
• We must communicate these policies and the patient’s right to the patient at or before the time of service
• This is communicated to the patient through our department’s “Notice of Privacy Practices” (NPP)
Patient Signature Requirements
• “Notice of Privacy Practices” (NPP)
– Written document
– Conveys our agency’s privacy practices
• How patients gain access to their health information
• How we use and disclose a patient’s health information
• How a patient requests a restriction to their PHI
• How a patient can amend their PHI
• How to complain about violations of patient privacy
Technician Requirements
• Provide a patient with our Notice of Privacy Practices (NPP)
• Obtain their signature of acknowledgement of receipt
Notice of Privacy Practices
• For Non-Emergency calls
– Required to give it to the patient at or before the time of service
– Must obtain signed acknowledgment of their receipt of the Notice
• For Emergency calls
– Must provide the Notice to the patient as soon as reasonably practicable after the emergency
– Not required to obtain signed acknowledgment of the Notice, but must attempt
Safeguarding Patient Information
Safeguarding Written PHI
• PCRs must not be left unattended in the open
• PCRs must be collected in a locked box with limited, role-based access
• PCRs must be maintained in locked storage area
Safeguarding Electronic PHI
• Everything is moving into the electronic world
– Electronic Billing
– Electronic Claim Submissions
– Electronic Medical Records
– Electronic Data Collection
Safeguarding Electronic PHI
• Implement password protection to computers or networks where PHI is maintained
• All computers activate screensaver with password protection after 10 minutes
Safeguarding Verbal PHI
• Use most secure communication method available, when necessary
– Example: cell phone vs. VHF radio
• Conduct conversations about PHI with other treatment providers in most secure location available
• Use appropriate voice volume
• No inappropriate banter about specific patients
Violation Penalties
• Civil Penalties for Violations
– $100 per violation
– Up to $25,000 per person per year for each violation
Violation Penalties
• Criminal Penalties for Violations
– Wrongful Disclosure
• Inappropriately obtaining or disclosing PHI
• $50,000 per offense and 1 year in prison
– False Disclosure
• Obtaining information under false pretenses
• $100,000 per offense and 5 years in prison
– Intent to Sell
• Obtaining info with intent to sell / gain / harm
• $250,000 per offense and 10 years in prison
Violation Penalties
• Complaints from patients
– Enforceable & Punishable by the Office of Civil Rights (OCR)
– Enforceable & Punishable by Currituck County
Questions