North Dakota EMS Association Management Conference June, 2016
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law. The Department of Health & Human Services issued HIPAA privacy standards and security standards to protect patient information from inappropriate use or disclosure.
Our patients trust us to protect their privacy and keep their information confidential. HIPAA is old enough that most patients are aware of it and expect confidential treatment of their information. Services should practice a commitment to preserving that trust and protecting all of our patients' privacy. Taking this approach is reinforced by the HIPAA standards.
1. Inform patients that they have rights, such as the right to obtain copies of most of their health information and the right to request amendments.
2. Inform patients how their health information may be used and disclosed.
3. Verify that those to whom we give patients' health information (e.g. business associates) also maintain its confidentiality.
4. Meet administrative requirements, such as appointing a Privacy Officer at each site and documenting how we interact with patients about their rights.
5. Ensure that only authorized people have access to patients' information.
Identifiers that make information protected:
1. Name
2. Address
3. Dates related to the patient (e.g. birth date, appointment dates)
4. Telephone numbers, fax numbers, and e-mail addresses
5. Identifying numbers that are specific to the patient, such as social security number or medical record number
6. Pictures
All patient information and demographic information is protected, whether it is stored on a computer, kept in a paper record, or spoken.
Figure 1 (image not available)
◦ Posting of Patient Injuries
◦ X-Rays
◦ ECG Strips Linked to Who Posted Them
Instagram for Physicians?
◦ Not just docs posting
Transmission of video
◦ Telemedicine
Voice recordings
◦ Telephone
◦ Radio
What's next?
◦ Text to 911
Expect Change
Fines
◦ Up to $250,000.00
◦ Based on Severity
◦ Based on Intent
Employment
◦ Service's Standard
◦ Risk to Community
◦ Zero Tolerance?
Reportable Events
◦ General requirements
Delivered at Time of Call
Documentation of Patient Acceptance or Decline
Update as Necessary
◦ New verbiage from OIG
◦ Changes in Privacy Officer
◦ Changes in Process to Access Information
Describes When Information is Shared
◦ With Permission from Patient
◦ To Comply with State Law
◦ Without Permission from Patient
  Child Abuse/Vulnerable Adults
  Death Investigations
  Violent Crimes
  Crimes Against Ambulance Crew
  Crimes on Ambulance Property
  Examples: Animal bites, Other?
Gives Process to File Complaint
Patients can receive a copy of their run information if they wish
Service should identify a process and an authorization form, and assure all activity is logged
Requesting changes to address inaccurate information
Requesting changes for perceived incorrect information
Process to address and confirm or deny changes
Where was information shared?
Who received the information?
For what purpose was the information shared?
State Law may require sharing of certain event information
Patients or family members come into your office
◦ Private discussion
◦ Assure family has permission to discuss
Other requests
◦ Language barrier
◦ Large font
Service to pre-determine what it can provide
Requests not to share with family
Opting to pay in lieu of insurance claim
Other?
Direct to Privacy Officer (Hoped for!)
Complaints to State EMS Office
Complaints to Office of the Inspector General
Treatment: This includes providing, coordinating or managing healthcare and related services for a patient, which can also involve communications with other providers about patient treatment or referral of a patient to another provider.
Payment: Activities undertaken to obtain reimbursement for healthcare services.
Healthcare Operations: This includes quality assurance, medical review, legal services, auditing functions, and general administration.
Your role will determine what types of patient information are required to do your job. The "need-to-know" rule is HIPAA's minimum necessary standard. Not every employee needs access to a patient's entire medical record. Records are only available to the attending crew member until the record is complete and closed.
Patients whose prominence or extenuating circumstances necessitate that additional precautions be taken to ensure the safety and the confidentiality of their protected health information.
National or international recognition
Examples: well-known celebrities, athletes, politicians
Patients with local/temporary prominence or extenuating circumstances that may necessitate additional privacy precautions.
Examples: local shooting victim, well-known local community member, deceased coworker
Your crew is called to the scene of a possible shooting. Upon arrival, you find the patient was shot by someone and has sustained a potentially life-threatening gunshot wound. Proper care of the patient is administered and you transport the patient to a local care facility. The story hits the local media immediately and your spouse asks if you know what happened. What do you say?
Your crew is requested for a scene response to a local outdoor concert where the star performer has had a medical emergency. Proper care of the patient is administered and you transport the patient to a local care facility. Some of your friends were at the concert and knew you were working. They ask you via a Facebook post what happened to the performer. How do you respond? What is your procedure in this scenario?
You are approached by a local law enforcement officer who is requesting specific information related to a call you were involved with two hours ago. What information can you provide? Same scenario, but instead you are approached 3 days after the call by local law enforcement. What information can you provide?
Your crew is called to the scene of a medical emergency late one evening. Upon arrival, you find the patient is a coworker with alcohol poisoning. Proper care of the patient is administered and you transport the patient to a local care facility. You are aware that this coworker is scheduled to work or be on call the next morning. What do you do?
Health Information Technology for Economic and Clinical Health Act (HITECH)
In effect since September of 2009
Electronic Security Breach Definition and Reporting Requirements
What is a Breach?
Risk Value of Breach?
◦ Covered entity to covered entity?
◦ Public disclosure?
◦ In-Ambulance Example
  Face Sheet
  Provider Notes
  Documentation
Breaches
60 days to investigate, conduct a risk assessment, and notify patients when their PHI has been compromised
◦ Must also notify the Department of Health and Human Services when a patient's PHI has been compromised
Staff are required to report a discovered or suspected breach to the Privacy Officer
◦ Process to identify how this can happen
What Isn't a Breach?
◦ Inadvertent disclosures
  Crew member who comes across information from another call they were not on
  Authorized access, but not needed for the specific task
  No action on information viewed
  Accidental access
What is a Business Associate?
◦ Billing Agency
◦ Software Company
Medical Director
◦ Employee of service?
◦ Contracted service?
Other Examples?
3% of Identity Theft – Medical Identity Theft
◦ Red Flag used to call attention to a pattern of this
  False Names
  Another Person's Insurance (with or without permission)
  Forged Insurance Documents
Insider Theft
◦ Employee selling patient information
Required to have security measures in place
◦ Locked doors, files, computers
◦ Screen locks
Home Access
◦ Shared computer
◦ Caution!
Secure paper information
◦ Locked files
◦ Screen locks for computers
◦ Face sheets Example!
Secure Computer Files
◦ Role-based access
◦ Minimum necessary sharing – regardless of position on the service!
◦ Shared Passwords?
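As an added illustration (not from the conference materials) of the need-to-know rule stated earlier and the role-based access and logging bullets above: a small Python policy check in which an open run record is visible only to the attending crew, a closed record exposes only the minimum-necessary sections for each role, and every attempt is written to an audit log. The role-to-section matrix, the employee ids and the record contents are constructed for the example; the rule that attending crew keep full access after close is an assumption.

```python
from dataclasses import dataclass

@dataclass
class RunRecord:
    run_id: str
    attending_crew: set      # employee ids of the crew on this call
    closed: bool             # True once the record is complete and closed
    sections: dict           # section name -> content

# Minimum-necessary matrix: sections each role may see once a record is
# closed. Constructed for this example; a service defines its own.
ROLE_SECTIONS = {
    "billing": {"face_sheet", "insurance"},                 # payment
    "medical_director": {"face_sheet", "provider_notes"},   # QA / medical review
    "privacy_officer": {"face_sheet", "provider_notes", "insurance"},
}

AUDIT_LOG = []   # every attempt, granted or denied, is recorded here

def access_record(record, user_id, role, reason):
    """Return only the sections this user may see (empty dict if none).

    While the record is open, only the attending crew may see it; after
    close, other roles get their minimum-necessary sections. Assumption:
    attending crew keep full access after close. Individual user ids are
    required for the audit trail, which is one reason shared passwords
    defeat the control.
    """
    if user_id in record.attending_crew:
        allowed = set(record.sections)
    elif record.closed:
        allowed = ROLE_SECTIONS.get(role, set()) & set(record.sections)
    else:
        allowed = set()
    AUDIT_LOG.append({"run": record.run_id, "user": user_id, "role": role,
                      "reason": reason, "granted": sorted(allowed)})
    return {name: record.sections[name] for name in sorted(allowed)}

def sample_record():
    """Constructed run record with placeholder contents (not real PHI)."""
    return RunRecord("RUN-0001", {"emt-7", "medic-3"}, False,
                     {"face_sheet": "<demographics>", "insurance": "<payer>",
                      "provider_notes": "<assessment and treatment>"})

if __name__ == "__main__":
    rec = sample_record()
    print(access_record(rec, "bill-1", "billing", "claim"))   # {} while open
    rec.closed = True
    print(access_record(rec, "bill-1", "billing", "claim"))   # face_sheet, insurance
    print(access_record(rec, "emt-9", "crew", "curious"))     # {} - not on this call
    for entry in AUDIT_LOG:
        print(entry)
```

The last call shows the "crew member who comes across another call" case: the attempt is denied and still logged, so the Privacy Officer can review it.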
Office of Civil Rights / Office of Information Security
◦ Zero tolerance for unencrypted storage
◦ Thumb drives, Hard drives, etc.
Service Responsibility
◦ Record transportation
◦ Proper Access
◦ No Sharing of Passwords
Federal Offices
◦ Added Dollars for Investigation / Enforcement
◦ Increased Activity – All Levels of Providers
Requests for Information
◦ Office of Civil Rights Questionnaires
◦ Validation of Providers' Practices
◦ Pre-Investigation?
At Office Visits
◦ Credential Check
◦ Required to Meet
  Can Delay
  Assure Proper People are Available
At Home Visits
◦ After hours
  Credential Check
  Do Not Need to Let Them In
  Time and Place to Agree With Your Schedule
Mailings or Email Notifications
◦ Represented as Official Notifications
◦ Care in Responding
  Misspelled?
  ◦ HIPAA vs. HIPPA?
Fraudulent Attempts for Information