H I P A ASandy L. Hunter M.A. Ed, NREMT-P

What?HIPAA stands for the Health Insurance Portability and Accountability ActHIPAA is a Federal law passed in 1996

Covered? The EMC Program is NOT a covered entity.. but

Covered? Our students WILL function within covered entities. So

Covered? We need to cover this information.

HIPAASpecifies what is required to protect the security and privacy of personally identifiable health care information (PHI)Applies to most health care providers, including ambulance services

HIPAAs Major ProvisionsElectronic Transactions and Code Sets (TCS)Security Privacy

Transaction RuleRequires providers to submit electronic claims in standard formats approved by HHSExamples: ICD-9 CodesHCPCS CodesOther designated code sets

Centers for Medicare and Medicaid Services Common Procedure Coding System (HCPCS)

Transaction RuleRequires payors to accept transactions in the standard formats

Security RuleWill require covered entities to protect against unauthorized access and interception of PHIExpected to require use of encryption technology and other safeguards

Security RuleThere must be appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

Security RuleExamples:Locking up run formsRole based accessComputer passwords

Security RuleExamples:Adding security statements to e-mails and faxesSecuring computers and fax machines

The Privacy Rule

Why is this an issue?

Privacy?Emergency Transportation

Privacy?ACLS.

Privacy?Intubation

Privacy?

W.M.D.

The Privacy Rule

The Requirements Notifying patients about their privacy rightsAdopting and implementing privacy proceduresTraining employees in privacy practices

The Requirements Designating a Privacy OfficerSecuring patient records and limiting access to them

What to ProtectAny information that can identify a patient that relates to their physical or mental health

What to ProtectProtected Patient Health Information (PHI)

What to ProtectIncludes written, verbal, electronic, photographic, etc.

Sources or PHIRun sheetsDispatch logsBilling formsIncident reports

Sources or PHIPersonal notes VideotapesInternet picturesConversations

Sources or PHIHospital recordsTransfer paperworkAmbulance certification lettersAny others???????

There are the three times you can divulge PHI without the patients authorization.

TreatmentPayment Health Care Operations (like QA)

Scenarios.

OK You are the supervisor today.

You are on a call when a first-responder asks you for information to complete their run sheet. Can you give them PHI?

Yes? orNo?

Yes. You absolutely can give them this information. It is permissible because they aided in the TREATMENT.

Actually you can give it to them because the FR aided in providing TREATMENT.

You are at the scene of a car crash when a police officer stops directing traffic to ask if the patient is drunk. Can you give the information?

Yes? orNo?

Well actually there are two problems here. One is that the patients medical condition is confidential. What is the other?

The other is that you cant call the patient drunk without a legal test.

No. Is Correct! The officer was not in on the TREATMENT so (in general) they cant have the information. Plus.

You cant call the patient drunk without a legal test.

You are on a call where you suspect a child has been abused. Can you report that to anyone?

Yes? orNo?

Yes. KRS 620.030 - 620.050 requires you to report it.

No is actually the wrong answer because KRS 620.030 - 620.050 requires you to report it.

You have completed your patient care report (that has NO patient identifiers on it). Do you have to physically secure that form?

Yes? orNo?

Yes. That is the policy of the program and it just makes good sense!

No? Well, yes you do have to secure it. It is the policy of the program and it just makes good sense!

You are at a hospital to pick up a patient for transfer. The staff says they cannot give you ANY information on the pt. because of HIPAA.

They are:Right?orWrong?

The staff may think this is true but actually they can and SHOULD give any pertinent information to you.

This includes face sheets and medical information that may be pertinent (like allergies and medications).

Wrong is the correct answer. The staff can and SHOULD give you any pertinent information.

This includes face sheets and medical information that may be pertinent (like allergies and medications).

You transported a cardiac patient to the ER. Your partner tells you to get the patient to sign the privacy notice . It is required.

Your partner is:Right? orWrong?

If this had been a non-emergency patient it would have been. It is not required for emergency patients. However

You should leave the information with the patients chart or family.

This is the right answer. This was an emergency patient and therefore it is not required.You will need to document the reason it was not signed.

While transporting a patient to the ER, you decide to call in a report. Your partner says Dont give out any patient information!

Are you allowed to give out PHI over the radio or telephone?

Yes? orNo?

Yes You certainly may BUT you should use the most secure method possible.And only give whats needed.

Your partner needs to learn more about HIPAA. You certainly may give out and receive this information over the airwaves.

You are invited to participate in a CISD session. When you arrive none of the participants are willing to talk about the call.

They are all afraid that HIPAA prevents them from talking. ---- Can they talk about it?

Yes? orNo?

Actually, they can talk but they should follow the minimum necessary rule.

You respond to a disaster scene. The local Red Cross representative wants to access PHI to identify victims. Can you divulge it?

Yes? orNo?

Yes, you are expressly allowed in this event to do so.

Actually. you are expressly allowed in this event to do so.

You are a student who has just finished a call. An ER nurse asks you to give him a verbal report of the call. Can you give the report?

Yes? orNo?

Yes, if the nurse is involved in the patients care BUT you should do it in a way that bystanders do not hear the information needlessly.

You may give the report if the nurse is involved in the patients care. BUT you should do it in a way that bystanders do not hear the information needlessly.

You are a student who has just finished a call. An ER ward clerk asks for patient information so they can complete the billing form. Can you give the information?

Yes? orNo?

Yes, you may give it to help the hospital complete its billing BUT you should do it in a way that bystanders do not hear the information needlessly.

You may give the report to help the hospital complete its billing. BUT you should do it in a way that bystanders do not hear the information needlessly.

You are meeting with your preceptor back at the station. She wants to go over the call with you to see if you have any questions. Is this permitted?

Yes? orNo?

Yes, you may. You two were involved in the call and this is for QA, educational purposes. Remember the minimum necessary rule.

You are allowed to do this but remember to follow the minimum necessary rule.

You are on a personal trip when you come across a medical emergency. After stopping to help, you ask EMS for a copy of the run report for your records. Is this OK?

Yes? orNo?

They can give the information that is necessary. However, this is tricky. EMS should get your information in case there is a blood borne pathogen issue.

They should not just give you a copy of the run report as a private citizen.

They may give you minimally necessary information. This is probably not a copy of the entire report.

You decide to ride with a service as a visiting third-rider. During your shift the crew responds to a great car crash. Can you take pictures of the car (not the patient)?

Yes? orNo?

Not if it could identify the patient.

You are at work when a process server delivers a subpoena for you to testify in civil case. Can you divulge privileged information in the case?

Yes? orNo?

Yes. A court may compel you to testify.

Actually a court may compel you to testify.

What ifs?

What if?If you are asked to allow a patient to see their own PHI. What should you do?

What if?You should direct them to the Privacy Officer of the agency.

What if?Do not give out PHI without authorization!

What if?If you are using a computer that contains PHI, how should you protect that information?

What if?Virus protectionPasswordsHide the screen

What if?Sanctions can includeWarningsSuspensionsTermination of relationshipFailing grades

The Golden Rule of HIPAA:

What You See Here What You Hear Here When You Leave Here Let It Stay Here!

2003, Page, Wolfberg & Wirth, LLC.

Any Questions?

Thank you!Sandy.Hunter@eku.edu