rems hipaa
HIPAA Training
Rotterdam Emergency Medical Services
Douglas Hexel, AEMT-P, NYS CLI
Reasoning
• NYS and REMS require initial training at time of hire as well as annual refresher training on healthcare privacy.
Agenda
• What is HIPAA?
• Privacy
• Requirements
• Protected Health Information (PHI)
• Notice of Privacy Practices
• Permitted Disclosures
What is HIPAA?
HIPAA = Health Insurance Portability and Accessibility Act
Created by the US Department of Health and Human Services and fully implemented in April of 2005.
What is HIPAA?
• HIPAA is a common set of standards that protects certain health information
• There are several components but, as EMS providers, we are most concerned with the “Privacy Rule.”
“The Privacy Rule”
• The intent of the Privacy Rule is to provide basic rights regarding the use of “Protected Health Information” (PHI).
• It protects all “individually identifiable health information.”
• Electronic, paper, or oral
• Applies to “covered entities”
Covered Entities
Three Categories:
• Health plans
• Health care clearinghouses
• Health care providers who transmit any health information electronically
REMS falls under the “health care providers” category.
Requirements
The Privacy Rule requires Covered Entities to:
• Protect PHI
• Designate a Privacy Officer
• Look for “leaks” in the policy
• Conduct/document initial and annual refresher training for ALL personnel
• Develop an Authorization Form for release of PHI
Other Requirements
• Develop a Notice of Privacy Practices
• When permitted, disclose only the minimum necessary PHI
• Update policies and procedures
• Identify business associates with access to PHI and create contracts (i.e. EMScharts)
• Apply reasonable administrative, technical, and physical safeguards.
Protected Health Information
PHI is any information created or received by a health care provider which relates to:
• Past, present, or future physical or mental conditions (medical history)
• Provision of health care (treatment)
• Past, present, or future payment for care
Protected Health Information
Examples:
• Name
• Address
• Date of Birth/Age
• Social Security Number
• Medical condition/Past medical history
• Full face photos
Transfer of Patient
• HIPAA should never negatively impact the quality of patient care or impede the ability to provide care.
• The appropriate communication of PHI with other health care providers DIRECTLY involved in providing patient care does NOT constitute a violation of HIPAA.
Safeguards
• PCRs should be kept in a secure location (PCR boxes located at both stations)
• Networks containing PCRs should be password-protected (EMScharts)
• Include confidentiality statements on e-mails and faxes that contain PHI (administration-level)
Caution
Beware of discussion of PHI, such as:
• Talking about current or prior incident while re-stocking ambo or writing report
• Discussing a call anywhere other than an official audit or review
• Discussing “interesting” calls, famous patients, or neighbors
• Sharing co-workers’ or fellow responders’ PHI (i.e. “My partner is a bad diabetic” or “Yeah, my partner had a heart attack a few years ago too.”)
Still unsure?
Ask yourself:
• Would a Judge agree that the disclosure benefited patient care and was performed with the utmost discretion?
• If you were the patient, would you want an “embarrassing” injury or illness to be discussed?
Notice of Privacy Practices
• REMS must make a Good Faith attempt to provide a Notice of Privacy Practices to each patient
• REMS must also make an effort to get a signed “Acknowledgement of Receipt”
Notice of Privacy Practices
• At REMS, this is achieved with the AOB forms, which include a privacy notice provision.
• If a patient requests a Notice of Privacy Practices, a separate form is located in the clipboard that can be provided to the patient.
Permissible Disclosures
• Treatment
• Payment
• Operations
• Public Health Regulations
• Victims of Abuse
• Judicial proceedings
• Births and Deaths
• Research
• Protection of Public Safety
• Law Enforcement
Permissible Disclosures
Treatment
• As previously noted, full disclosure is permitted (and required) to those DIRECTLY involved in care of the patient.
• This covers destination facility healthcare providers (tech, RN, NP, PA, MD/DO, etc.)
Payment
• REMS is authorized to disclose PHI to insurance companies for billing purposes
Permissible Disclosures
Victims of abuse
• EMS providers are mandated reporters for child abuse but may report any type of abuse without concern of HIPAA violations.
• Definitive proof is not required, only a reasonable suspicion of abuse.
Judicial Proceedings
• Under subpoena, disclosure is required in a court of law.
Permissible Disclosures
Births/Deaths
• Disclosure to medical examiner/coroner permitted
Research
• Disclosure to entities such as REMO for research and statistics tracking.
Law Enforcement Disclosures
Law Enforcement
• It is important to remember that we are healthcare providers and not information sources for law enforcement. Permissible disclosures are found under Section 164.512.
Law Enforcement Disclosures
1. When required by law or pursuant to process (e.g., gunshot wound reporting)
2. Identification and location purposes (victim or material witness, includes type of injury)
3. Response to request for information about a victim of a crime (can’t be used against the victim, needed to determine violation of law, in the best interests of the individual)
Law Enforcement Disclosures
4. Decedents (if suspected death may be from criminal conduct)
5. Crime on the premises (evidence of criminal conduct)
6. Reporting crime in emergencies (identity, description and location of perpetrator)
Law Enforcement Disclosures
May disclose to identify or locate a:
– Suspect
– Fugitive
– Material witness
– Missing person
Victims of crime
• May disclose PHI in response to a law enforcement request, where the individual is a possible crime victim
• If patient agrees
OR
• If patient is unable to agree because of condition, may release PHI if:
– Law enforcement represents that the info is needed immediately; AND
– Won’t be used against the victim
Victims of crime
• May release PHI to alert law enforcement of a patient’s death, IF the death may have resulted from criminal activity
• You are not required to make a “legal conclusion” that the death resulted from a crime
• Only a “suspicion” is required
Reporting a crime
• Healthcare providers may release PHI to law enforcement to alert them to:
– Commission and nature of a crime
– Location of the crime or of the victim
– Identity, description, and location of perpetrator
Remember:
• Permissible disclosures can only be made to appropriate authorities (i.e. you can notify the county health department of a patient with tuberculosis but you MAY NOT alert any media)
Penalty
• A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year imprisonment.