North Dakota EMS Association Management Conference June, 2016

SLIDE 1

North Dakota EMS Association Management Conference June, 2016

SLIDE 2

Health Insurance Portability and Accountability Act

HIPAA is a federal law. The Department of Health & Human Services issued HIPAA privacy standards and security standards to protect patient information from inappropriate use or disclosure.

SLIDE 3

• Our patients trust us to protect their privacy and keep their information confidential. HIPAA is old enough that most are aware and expect confidential treatment of information.
• Services should practice a commitment to preserving that trust and protecting all of our patients’ privacy.
• Taking this approach has been reinforced by the HIPAA standards.

SLIDE 4

  • 1. Inform patients that they have rights, such as the right to obtain copies of most of their health information and the right to request amendments.
  • 2. Inform patients how their health information may be used and disclosed.
  • 3. Verify that those to whom we give patients’ health information (e.g. business associates) also maintain its confidentiality.
  • 4. Meet administrative requirements, such as appointing a Privacy Officer at each site and documenting how we interact with patients about their rights.
  • 5. Ensure that only authorized people have access to patients’ information.

SLIDE 5

  • 1. Name
  • 2. Address
  • 3. Dates related to the patient (e.g. birth date, appointment dates)
  • 4. Telephone numbers, fax numbers, and e-mail addresses
  • 5. Identifying numbers that are specific to the patient, such as social security number, medical record number.
  • 6. Pictures

All patient information and demographic information is protected, whether it is on a computer, in a paper record or verbal.

SLIDE 6

• Figure 1
  • Posting of Patient Injuries
  • X-Rays
  • ECG Strips
• Linked to Who Posted Them
• Instagram for Physicians?
  • Not just docs posting

SLIDE 7

• Transmission of video
  • Telemedicine
• Voice recordings
  • Telephone
  • Radio
• What’s next?
  • Text to 911
• Expect Change

SLIDE 8

• Fines
  • Up to $250,000.00
  • Based on Severity
  • Based on Intent
• Employment
  • Service’s Standard
  • Risk to Community
  • Zero Tolerance?
• Reportable Events
  • General requirements

SLIDE 9

SLIDE 10

• Delivered at Time of Call
• Documentation of Patient Acceptance or Decline
• Update as Necessary
  • New verbiage from OIG
  • Changes in Privacy Officer
  • Changes in Process to Access Information

SLIDE 11

• Describes When Information is Shared
  • With Permission from Patient
  • To Comply with State Law
  • Without Permission from Patient
• Child Abuse/Vulnerable Adults
• Death Investigations
• Violent Crimes
• Crimes Against Ambulance Crew
• Crimes on Ambulance Property
• Examples
• Animal bites
• Other?
• Gives Process to File Complaint

SLIDE 12

• Patients can receive a copy of their run information if they wish
• Service should identify a process, authorization form and assure all activity is logged

SLIDE 13

• Requesting changes to address inaccurate information
• Requesting changes for perceived incorrect information
• Process to address and confirm or deny changes

SLIDE 14

• Where was information shared?
• Who received the information?
• For what purpose was the information shared?
• State Law may require sharing of certain event information

SLIDE 15

• Patients or family members come into your office
  • Private discussion
  • Assure family has permission to discuss
• Other requests
  • Language barrier
  • Large font
• Service to pre-determine what it can provide

SLIDE 16

• Requests not to share with family
• Opting to pay in lieu of insurance claim
• Other?

SLIDE 17

• Direct to Privacy Officer (Hoped for!)
• Complaints to State EMS Office
• Complaints to Office of the Inspector General

SLIDE 18

• Treatment: This includes providing, coordinating or managing healthcare and related services for a patient, which can also involve communications with other providers about patient treatment or referral of a patient to another provider.
• Payment: Activities undertaken to obtain reimbursement for healthcare services.
• Healthcare Operations: This includes quality assurance, medical review, legal services, auditing functions, and general administration.

SLIDE 19

Your role will determine what types of patient information are required to do your job. The “need-to-know” rule is HIPAA’s minimum necessary standard.

Not every employee needs access to a patient’s entire medical record.

Records are only available to the attending crew member until the record is complete and closed.

SLIDE 20

• Patients whose prominence or extenuating circumstances necessitate that additional precaution be taken to ensure the safety and the confidentiality of their protected health information.
• National or international recognition
• Examples: well-known celebrities, athletes, politicians

SLIDE 21

• Patients with local/temporary prominence or extenuating circumstances that may necessitate additional privacy precautions.
• Examples: local shooting victim, well-known local community member, deceased coworker

SLIDE 22

• Your crew is called to the scene of a possible shooting. Upon arrival, you find the patient was shot by someone and has sustained a potentially life-threatening gunshot wound.
• Proper care of the patient is administered and you transport the patient to a local care facility.
• The story hits the local media immediately and your spouse asks if you know what happened. What do you say?

SLIDE 23

• Your crew is requested for a scene response to a local outdoor concert where the star performer has had a medical emergency.
• Proper care of the patient is administered and you transport the patient to a local care facility.
• Some of your friends were at the concert and knew you were working. They ask you via a Facebook post what happened to the performer. How do you respond?
• What is your procedure in this scenario?

SLIDE 24

• You are approached by a local law enforcement officer who is requesting specific information related to a call you were involved with two hours ago. What information can you provide?
• Same scenario, but instead you are approached 3 days after the call by local law enforcement. What information can you provide?

SLIDE 25

• Your crew is called to the scene of a medical emergency late one evening. Upon arrival, you find the patient is a coworker with alcohol poisoning.
• Proper care of the patient is administered and you transport the patient to a local care facility.
• You are aware that this coworker is scheduled to work or be on call the next morning. What do you do?

SLIDE 26

• Health Information Technology for Economic and Clinical Health Act (HITECH)
• In effect since September of 2009
• Electronic Security
• Breach Definition and Reporting Requirements

SLIDE 27

• What is a Breach?
• Risk Value of Breach?
  • Covered entity to covered entity?
  • Public disclosure?
  • In-Ambulance Example
• Face Sheet
• Provider Notes
• Documentation

SLIDE 28

• Breaches
• 60 days to investigate, conduct a risk assessment, and notify patients when their PHI has been compromised
  • Must also notify the Department of Health and Human Services when a patient’s PHI has been compromised
• Staff are required to report a discovered or suspected breach to the Privacy Officer
  • Process to identify how this can happen

SLIDE 29

• What Isn’t a Breach?
  • Inadvertent disclosures
• Crew member who comes across information from another call they were not on
• Authorized access, but not needed for specific task
• No action on information viewed
• Accidental access

SLIDE 30

• What is a Business Associate?
  • Billing Agency
  • Software Company
• Medical Director
  • Employee of service?
  • Contracted service?
• Other Examples?

SLIDE 31

• 3% of Identity Theft – Medical Identity Theft
  • Red Flag used to call attention to a pattern of this
• False Names
• Another Person’s Insurance (with or without permission)
• Forged Insurance Documents
• Insider Theft
  • Employee selling patient information

SLIDE 32

• Required to have security measures in place
  • Locked doors, files, computers
  • Screen locks
• Home Access
  • Shared computer
  • Caution!

SLIDE 33

• Secure paper information
  • Locked files
  • Screen locks for computers
  • Face sheets
• Example!
• Secure Computer Files
  • Role-based access
  • Minimum necessary sharing – regardless of position on the service!
  • Shared Passwords?

SLIDE 34

• Office of Civil Rights / Office of Information Security
  • Zero tolerance for unencrypted storage
  • Thumb drives, Hard drives, etc.
• Service Responsibility
  • Record transportation
  • Proper Access
  • No Sharing of Passwords

SLIDE 35

• Federal Offices
  • Added Dollars for Investigation / Enforcement
  • Increased Activity – All Levels of Providers
• Requests for Information
  • Office of Civil Rights Questionnaires
  • Validation of Providers’ Practices
  • Pre-Investigation?

SLIDE 36

• At Office Visits
  • Credential Check
  • Required to Meet
• Can Delay
• Assure Proper People are Available
• At Home Visits
  • After hours
• Credential Check
• Do Not Need to Let Them In
• Time and Place to Agree With Your Schedule

SLIDE 37

• Mailings or Email Notifications
  • Represented as Official Notifications
  • Care in Responding
• Misspelled?
  • HIPAA vs. HIPPA?
• Fraudulent Attempts for Information

SLIDE 38

• Know Your Rights as a Covered Entity
• Know Your Patient’s Rights
• Promote Privacy
  • Crew Members
  • Community Members
  • Government Officials
• Secure Files – Electronic and Paper
• Expect Change

SLIDE 39

Questions?