HIPAA. Sandy L. Hunter, M.A. Ed, NREMT-P
What? • HIPAA stands for the “Health Insurance Portability and Accountability Act” • HIPAA is a Federal law passed in 1996
Covered? • The EMC Program is NOT a “covered entity”... but
Covered? • Our students WILL function within “covered entities”. So…
Covered? We need to cover this information.
HIPAA • Specifies what is required to protect the security and privacy of personally identifiable health care information (PHI) • Applies to most health care providers, including ambulance services
HIPAA’s Major Provisions • Electronic Transactions and Code Sets (TCS) • Security • Privacy
Transaction Rule • Requires providers to submit electronic claims in standard formats approved by HHS • Examples: ICD-9 Codes • HCPCS Codes • Other designated code sets
Transaction Rule • Requires payors to accept transactions in the standard formats
Security Rule • Will require covered entities to protect against unauthorized access and interception of PHI • Expected to require use of encryption technology and other safeguards
Security Rule There must be “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information”.
Security Rule Examples: • Locking up run forms • Role based access • Computer passwords
Security Rule Examples: • Adding security statements to e-mails and faxes • Securing computers and fax machines
The Privacy Rule Why is this an issue?
Privacy? Emergency Transportation
The Requirements • Notifying patients about their privacy rights • Adopting and implementing privacy procedures • Training employees in privacy practices
The Requirements • Designating a Privacy Officer • Securing patient records and limiting access to them
What to Protect • Any information that can identify a patient that relates to their physical or mental health
What to Protect • Protected Patient Health Information (PHI)
What to Protect • Includes written, verbal, electronic, photographic, etc.
Sources of PHI • Run sheets • Dispatch logs • Billing forms • Incident reports
Sources of PHI • Personal notes • Videotapes • Internet pictures • Conversations
Sources of PHI • Hospital records • Transfer paperwork • Ambulance certification letters • Any others?
There are three times when you can divulge PHI without the patient’s authorization.
• Treatment • Payment • Health Care Operations (like QA)
You are on a call when a first-responder asks you for information to complete their run sheet. Can you give them PHI?
Yes? or No?
Yes……. You absolutely can give them this information. It is permissible because they aided in the TREATMENT.
You are at the scene of a car crash when a police officer stops directing traffic to ask if the patient is “drunk”. Can you give the information?
Yes? or No?
Well actually there are two problems here. One is that the patient’s medical condition is confidential. What is the other?
The other is that you can’t call the patient “drunk” without a legal test.
You are on a call where you suspect a child has been abused. Can you report that to anyone?
Yes? or No?
Yes……. • KRS 620.030 - 620.050 requires you to report it.
You have completed your patient care report (that has NO patient identifiers on it). Do you have to physically secure that form?
Yes? or No?
Yes……. That is the policy of the program and it just makes good sense!
You are at a hospital to pick up a patient for transfer. The staff says they cannot give you ANY information on the patient because of HIPAA.
They are: Right? or Wrong?
The staff may think this is true but actually they can and SHOULD give any pertinent information to you.
This includes face sheets and medical information that may be pertinent (like allergies and medications).
You transported a cardiac patient to the ER. Your partner tells you to get the patient to “sign” the privacy notice …. It is required.
Your partner is: Right? or Wrong?