HIPAA: Basic to Advanced (What it is and what it isn’t)

HIPAA: Basic to Advanced (What it is and what it isn’t). Jonathan Moore Director, Fire & EMS Operations/ GIS International Association of Fire Fighters. What is HIPAA?. Health Insurance Portability and Accountability Act HIPAA Security Rule Focused on Patient Information Privacy.


Presentation Transcript


  1. HIPAA: Basic to Advanced (What it is and what it isn’t) Jonathan Moore Director, Fire & EMS Operations/ GIS International Association of Fire Fighters

  2. What is HIPAA? • Health Insurance Portability and Accountability Act • HIPAA Security Rule • Focused on Patient Information Privacy

  3. DEPARTMENT OF HEALTH AND HUMAN SERVICES • Office of the Secretary • 45 CFR Parts 160, 162, and 164 • [CMS-0049-F] • RIN 0938-AI57 • Health Insurance Reform: Security Standards • AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS. • ACTION: Final rule. • SUMMARY: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

  4. Are you covered by HIPAA? • Are you an EMS provider? • Do you bill for your EMS services? • Do you bill Medicare? • Do you transmit Medicare billing information electronically?

  5. Covered Entities • Health Plans • Health Care Clearinghouse • Health Care Provider • Who transmits any health information in electronic form in connection with a “covered transaction” • Claim filing is most common covered transaction, but there are others

  6. Common Covered Electronic Transactions • Claims filing • Remittance advice • Coordination of benefits • Claim status • Health plan enrollment/disenrollment • Eligibility • Referral certification

  7. What is the worry about “transactions”? • Protected Health Information “PHI”

  8. Three Basic Permitted Uses of PHI • Treatment, Payment and Operations • Called the “TPO” Uses • Consent, authorization or other permission is NOT REQUIRED for these uses

  9. “OOPS” • Incidental Disclosures Happen and are “Expected” • Examples? • Radio Communications • ER Arrival “Report” • Protections? • “Reasonable Safeguards” • Does not require that you implement new technologies for privacy purposes

  10. Dispatch Communications • Scanner World… • Internet CAD pages Martin County Emergency Services "FIRE/RESCUE SCANNER"

  11. Dispatch Communications • Most public safety and EMS communications are treatment related • You have to find the patient and SHOULD have an idea what the nature of the problem is • Any radio disclosure of patient information for location or treatment purposes is permitted

  12. And What About Law Enforcement? • …be careful here…

  13. Law Enforcement Disclosures • HIPAA limits the disclosures that EMS providers can make • EMS providers are patient care advocates, not law enforcement information sources • Permissible law enforcement disclosures are limited to specific situations, covered under Section 164.512

  14. Permissible Law Enforcement Disclosures…Overview 1. When required by law or pursuant to process (e.g., gunshot wound reporting) 2. Identification and location purposes (victim or material witness, includes type of injury) 3. Response to request for information about a victim of a crime (can’t be used against the victim, needed to determine violation of law, in the best interests of the individual)

  15. Permissible Law Enforcement Disclosures…Overview 4. Decedents (if suspected death may be from criminal conduct) 5. Crime on the premises (evidence of criminal conduct) 6. Reporting crime in emergencies (identity, description and location of perpetrator)

  16. Required By Law/Pursuant to Process • Health care providers permitted to disclose PHI under HIPAA for injury reporting when required by state law • Examples • Gunshot injuries • Burns • Animal bites • Check state law for specifics

  17. Required By Law/Pursuant to Process • Court orders • Warrant • Grand jury subpoena • Civil investigative demand, administrative subpoena or other authorized, official request • The PHI must be relevant and material to legitimate law enforcement inquiry

  18. Identification and Location • To identify or locate a: • Suspect • Fugitive • Material witness • Missing person

  19. Identification and Location • The covered entity may only furnish: • Name • Address • DOB • SSN • Blood type • Type of injury • Date/time of treatment • Date/time of death* • Description of distinguishing physical characteristics

  20. Crime Victims • May disclose PHI in response to a law enforcement request, where the individual is a possible crime victim • IF the patient agrees; OR • If the patient is unable to agree because of condition, may release PHI if: • Law enforcement represents that the info is needed immediately; AND • Won’t be used against the victim*

  21. Decedents • May release PHI to alert law enforcement of a patient’s death, IF the death may have resulted from criminal activity • You are not required to make a “legal conclusion” that the death resulted from a crime • Only a “suspicion” is required • Note: there is a general exception for releasing PHI to coroners and funeral directors for non-crime-related deaths

  22. Crime on Premises • Health care provider can disclose PHI to report a crime at the provider’s premises • Need only have a “good faith belief” that the information may constitute evidence of a crime on the premises • Examples: Child Abuse, Assault

  23. Reporting Crime in Emergencies • Emergency care providers may release PHI to law enforcement to alert them to: • Commission and nature of a crime • Location of the crime or of the victim • Identity, description and location of perpetrator

  24. “Channel 11 News Reports…..” • What can you say to the Media? OR • What can the Media say?

  25. Media Disclosures and HIPAA • There are no express provisions in the Privacy Rule addressing media disclosures • However, EMS organizations are often put in the position of fielding media requests • Is it possible to strike a balance?

  26. Media Disclosures and HIPAA • Disclosures made with patient authorization • Use a HIPAA-compliant authorization form • Must specifically inform the patient of the information to be disclosed and to whom it will be disclosed • Disclosures must be limited to those in the authorization

  27. Media Disclosures and HIPAA • Disclosures of de-identified information • De-identified PHI is information that: • Does not identify an individual; AND • There is no reasonable basis to believe the information could be used to identify an individual

  28. “De-Identification”? • The following information must be removed: • Name • Geographic identifiers smaller than a state • Phone/fax/e-mail address • SSN • Medical records numbers • Photographs • Account numbers • License numbers • Other unique identifiers

  29. Permissible Media Disclosures • General information about the incident, number of victims and hospital destinations • Example: “a total of five patients were transported from the accident scene. Four were taken by ambulance to the City Hospital and one by helicopter to the County Trauma Center.”

  30. Permissible Media Disclosures • General information about the incident location, if it cannot reasonably be used to identify an individual patient • Example: “we responded to an incident at the Downtown Outlet Center and transported one patient to the hospital.” • NOT: “we responded to a residence in the 100 block of Hobart Street and transported a patient from the scene to the local hospital.”

  31. Permissible Media Disclosures • Information about the crew and other responding agencies • Example: “Paramedics Smith and Wesson responded on behalf of Speedy Ambulance Service. The Awesome City Fire Department, County Sheriff’s office, and other agencies also responded.”

  32. Permissible Media Disclosures • General information about patient condition if it cannot reasonably be used to identify a patient • Example: “Last month we transported 300 patients, 80% were transported to emergency room, 20% had alternative destinations.” • Example: “Over ‘Motorcycle Weekend’ we transported 27 victims of motorcycle collisions, only 50% of those patients were wearing helmets.”

  33. How Soon Must You Comply? April 20, 2005!

  34. Comply With What? The Security Rule… • “Security” is a grey area • The regulation incorporates concepts of: • Scalability • Flexibility • Generalization • The Rule itself reads more like a guide – hope your interpretation/implementation meets someone else’s understanding of the “Rule”

  35. Security Rule • Applies only to electronic PHI (“e-PHI”) • e-PHI is any PHI that is in electronic form prior to transmission

  36. What Can We Do About This? • Administrative Safeguards • Physical Safeguards • Technical Safeguards

  37. Administrative Safeguards • Policies and procedures; disciplinary standards, to ensure that your personnel protect your patients’ PHI • Compliance officer • Training

  38. Physical Safeguards • Security of your buildings, offices, cabinets, etc. where e-PHI is stored, as well as your computers, workstations and electronic media

  39. Technical Safeguards • Protections such as passwords, backups and other security features on your computers, networks, PDAs, laptops, etc.

  40. HIPAA “In Your Face” • Not a catch-all for protecting providers or patients • Can make ‘fact finding’ difficult for discipline or grievance processes • Other privacy protections are available

  41. Medical Information Privacy IAFF Dominick F. Barbera EMS in the Fire Service Conference Kurt Rumsfeld, IAFF Legal Counsel June, 2007

  42. Legal Disclaimer Please note that this presentation is offered solely for informational purposes, and is not intended, nor should it be relied upon, as legal advice. An individual or affiliate in need of legal advice or assistance on any topic covered in this presentation should contact and confer with legal counsel to obtain legal advice appropriate to his or her particular situation.

  43. Dealing with HIPAA as a Union Representative Frank, a member of your union, is disciplined for allegedly failing to follow patient care protocol during an EMS response. Frank says he did everything “by the book” and that the “paperwork will prove it.” During the grievance process, you request the company’s records related to the response, but management refuses your request because the records contain protected health information under HIPAA. How do you respond?

  44. Dealing with HIPAA as a Union Representative • Disclosure of PHI is permitted for “resolution of internal grievances.” 45 C.F.R. 164.501 • Incidental disclosures do not violate the Privacy Rule “if the minimum necessary and reasonable safeguards are met.” 45 C.F.R. 164.502(a)(1)(iii) • Consider redacting information or entering into a confidentiality agreement.

  45. Dealing with HIPAA as a Union Representative Alleging that EMS employees have been taking excessive and unnecessary sick leave, your employer institutes a policy requiring anyone taking sick leave for more than one shift to obtain a certificate from a doctor certifying that such leave was necessary and that the employee can return to work. During negotiations, you demand documentation substantiating the employer’s concerns regarding sick leave abuse. Your employer refuses your demand on grounds that, as an EMS provider, it is a “covered entity” under HIPAA, and therefore cannot release any records that contain protected health information of its employees.

  46. Dealing with HIPAA as a Union Representative • “Covered entities must comply with [HIPAA’s Privacy Rule] in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurse’s sick leave is not protected health information under this rule.” 65 Fed. Reg. 82,612 (2000) • “Employment records held by a covered entity in its role as an employer” are excluded from the definition of “protected health information.” 45 C.F.R. 160.613

  47. What laws govern your employer’s decision to require employee medical exams and its handling of employee medical records? Fasten your seat belts.

  48. Limits on Employers’ Use of Employee Medical Information • Americans with Disabilities Act (ADA) • Family and Medical Leave Act (FMLA) • Title VII of the 1964 Civil Rights Act • U.S. and State Constitutions • State Statutory and Common Law Rights • Invasion of privacy • Defamation

  49. Americans with Disabilities Act (ADA) “A covered entity shall not require a medical examination and shall not make inquiries of an employee as to whether such employee is an individual with a disability or as to the nature or severity of the disability, unless such examination or inquiry is shown to be job-related and consistent with business necessity.” 42 U.S.C. 12112(b)(4)(A)

  50. ADA (cont’d) • “A covered entity may make inquiries into the ability of an employee to perform job-related functions.” 42 U.S.C. 12112(b)(4)(B) • Information regarding the medical condition or history of any employee must be collected and maintained on separate forms and in separate medical files and is treated as a confidential medical record. 42 U.S.C. 12112(b)(4)(C) • Supervisors and managers may be informed regarding necessary restrictions on the work or duties of employees, and first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment. 42 U.S.C. 12112(b)(3)
