HIPAA 1
HIPAA On August 21 1996 the federal government passed the Health Information Portability and Accountability Act of 1996 Has been update throughout; with the newest update (Final Rule) going into effect on September 23, 2013 2
What is HIPAA? (1 of 2) Sets privacy standards Limits the use and release of individually identifiable health information Gives patients the right to access their medical records Restricts most disclosure of health information to the minimum needed for the intended purpose 3
What is HIPAA? (2 of 2) Improper uses or disclosures under the rule are subject to criminal and civil sanctions prescribed in HIPAA. 4
Who is covered? It s a federal law and it covers all patients and all health care providers, including administrative and accounting personnel in all 50 states. It pre-empts state law. All employees, associates, volunteers, anyone who comes in contact with patient records must be trained in HIPAA 5
What Does HIPAA Do? It holds violators accountable, with civil and criminal penalties for violations Enables patients to find out how their information may be used Limits release of information to the minimum reasonably needed for the purpose of the disclosure 6
What does it require? The law can be summarized as follows: Sharing of patient health information is on a need to know basis. Reasonable precautions must be taken to prevent the casual disclosure of the patient information in your custody. 7
HIPAA and State Laws If State rules are more stringent, the State rules must be followed HIPAA sets the minimum standards Texas Medical Records Privacy Act is the Texas law TDSHS may enforce this rule against EMS providers and individuals 8
Updates and Revisions Final Omnibus Rule Compliance date of September 23, 2013 Includes the HITECH (Health Information Technology for Economic and Clinical Health) Act Interim rule adopted in 2009 Compliance Date of September 23, 2013 9
Omnibus Rule (1 of 2) Creates 4 categories of violations that reflect culpability with 4 tiers of penalty amounts for each violation Sets a maximum penalty amount of $1.5 million for all violations of an identical provision 10
Omnibus Rule (2 of 2) Increased civil monetary penalties ($100-$50K per violation) based on the category of violation (intent) Allows enforcement by state Attorneys General Requires breach notification by service or business associates to affected patients, HHS, and the media 11
Increased Federal Civil Penalties (Categories of Culpability) Violations after reasonable precautions Minimum of $100, maximum of $25,000 Violations resulted from reasonable cause Minimum of $1,000, maximum of $100,000 Willful Neglect-Corrected within 30 days Minimum of $10,000, maximum of $250,000 Willful Neglect-Uncorrected Minimum of $50,000, maximum of $1.5 million 12
Willful Neglect Means conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision violated Disclosure does not have to be on purpose; just that an entity shows indifference 13
Federal Criminal Penalties For Fraud and Abuse (ex. Disclosure for money) $50,000 and 1 year minimum $250,000 and 10 years maximum Average sentence for 1 st time offender at highest level: $87,000 plus 67 months, according to federal sentencing guide 14
Texas Medical Records Privacy Act Provides for a $3,000 fine (per offense) for civil violation Provides $250,000 fine for criminal violation and up to 10 years in prison Allows Attorney General to seek injunctive relief 15
Breach Notification Under the Final Rule 16
Current Breach Rules Effective as of September 23, 2009 With a breach, the covered entity must provide notice to all affected individuals, HHS, and the media for breaches involving more than 500 individuals Business associates must notify the covered entity 17
Current Breach Rules Under the current breach rules, a breach only occurs if the breach poses a significant risk of financial, reputational, or other harm to the individual This is known as the Harm Standard 18
The New Standard Impermissible use or disclosure of PHI is presumed to be a breach unless the entity or business associate demonstrates that there is a low probability that the PHI has been compromised The burden of proof is now on the entity 19
The New Standard The federal government has taken a stronger enforcement posture and is investigating more complaints All breaches must be reported Big breaches are posted online Violations Posting Page 20
Investigation HHS will (not may ) investigate any complaint filed when a preliminary review of the facts indicates a possible violation due to willful neglect HHS has discretion to proceed to directly to fines in all cases 21
Business Associates-New Definition A business associate is a person/entity who, on behalf of a covered entity: Creates PHI Receives PHI Maintains PHI, or Transmits PHI Excluding mail, some delivery companies, phone, and internet services 22
Business Associate Agreement If an organization transmits data on your behalf and needs access to PHI, there should be a BAA Billing Companies epcr vendors (Zoll and UMC) Consulting firms Clearinghouses 23
Business Associate Agreement Business Associate now include subcontractors Collection agencies Billing company consultants that access PHI Subcontractors must enter into a BAA with the business associate NOT the covered entity 24
Business Associate Agreement BAA may continue to operate under existing BAAs entered into before January 25, 2013 for up to one year beyond compliance date (September 23, 2014) All other BAAs must be updated by September 23, 2013 25
New Restriction Rule Gives patients the right to pay out of pocket for a service and require the entity to NOT submit a claim to their insurance for that service 26
New Access Rule Grants patients the right to get an electronic copy of their PHI in a form and format requested, if it is readily producible in that form and format Word, Excel, Text, HTML, PDF Requires an entity to transmit PHI to a 3 rd party if requested by the patient 27
Notice of Privacy Practices ALL patients MUST be informed of the Privacy practices for your entity New rule will require changing of NPP Must include: a statement that patient authorization is required for: Sale of PHI Disclosures of psychotherapy notes Marketing 28
Notice of Privacy Practices Must also include: The patient s right to pay out of pocket Breach notice: the entity has a duty to inform the patient following a breach of their PHI Fundraising opt out. If an entity intends to contact individuals to conduct fundraising activities that fall under HIPAA 29
Notice of Privacy Practices All NPPs (HIPAA forms) must be updated by September 23, 2013 It is even more important now to obtain a signature on the HIPAA form for ALL patients 30
New Deceased Patient Rule PHI is protected for 50 years after the date of death Entity may disclose decedent s information to family members and other who were involved in patient s care or payment for care prior to death of patient; unless doing so is inconsistent with the patient s preference 31
Review 32
HIPAA Disclosure okay to release examples Anyone in the chain of treatment, who has a medical need for the sharing of the patient information is permitted to receive the information. Ambulance to hospital to nursing home to specialists all involved in the direct care of the patient may share the information 33
HIPAA Disclosure okay to release examples Billing companies, insurance companies, and any one the patient directs may receive the patient information Can get Cover Sheet A parent may have a copy of a minors medical records Refer to Privacy Officer The nursing home asks for a copy of the transport for a returning patient you are dropping off OK to give The destination hospital asks for patient vital signs over the radio OK to give 34
Disclosures Required by Law Infectious diseases Child Abuse Elder Abuse MVC Homicide Assault Other violent acts 35
Other Permitted Disclosures If Patient is Deceased: JPs Coroners Funeral Directors Family (unless against patient s wishes) Serious Threat to Health or Safety National security and intelligence activities (CIA, Homeland Security, FBI) 36
Examples (1 of 5) A member of the city council asks you what was the matter with his neighbor when the city ambulance responded -Decline Comment The EMS billing company contacts you and asks specific questions about care you provided -OK to discuss 37
Examples (2 of 5) A fellow EMT who did not respond to a certain call asks about the patient particulars -Decline Comment The nursing home calls you the day after you transported one of their residents to ask if you gave the patient aspirin -OK to discuss 38
Examples (3 of 5) The local newspaper is doing a story on an accident and they request an interview about the patient treatment -Decline Comment Another EMT, who did not make the run, calls you at home and asks about the run you just made -Decline Comment 39
Examples (4 of 5) Your EMS Director asks you about a call due to concerns with patient treatment -OK to discuss A police officer drops by the station (or scene) and asks for a copy of a transport report -Decline 40
Examples (5 of 5) Your partner calls you 2 hours after an EMS call because she is not feeling good about how the call went -OK to discuss During a CE class, the instructor asks for a copy of a run to use for an example -Decline or remove all patient identifiers 41
Best Policy To be safe, do NOT release any information to anyone, without contacting the Privacy Officer beforehand!!! 42
Corrections on Run Reports It should be the policy of the EMS service that unless there is a mistake on a medical record it will not be changed This includes only mistakes on patient information such as age, DOB, SS#, etc Should not include mistakes or misdiagnosis relating to medical care, regardless of what you find out later 43
Privacy Rule What you say here. What you see here.. What you hear here.. When you leave here Let it STAY here 44
HIPAA How to Comply Appoint a Privacy Officer who oversees the training and compliance of the act Train all employees, volunteers, anyone who comes in contact with patient medical records Enforce your Policies and Procedures Provide Patients with a copy of their privacy rights Establish Policies and Procedures 45
Policies Must Cover: (1 of 2) Notice of Privacy Practices Privacy Policies User of Computer equipment Privacy Training Medical Records of Employees 46
Policies Must Cover: (2 of 2) Patient Care Reports Handling Access, Security and Disclosure Patient Request for Protected Health Information E N F O R C E M E N T 47
Training, Testing, etc Every employee, associate, paid or volunteer must be trained and tested and attendance certified Every new hire/affiliate must be trained and tested within 30 days Yearly, a refresher must be conducted 48
HIPAA Safeguards (1 of 3) Keep voices down when at ER or other places where there could be inadvertent disclosure of PHI Ask patients permission to release information to family members present. If unable to give permission, limit information given Tell them only where you are transporting to But.get what info you can from them 49
HIPAA Safeguards (2 of 3) Do NOT release ANY information to people who do NOT have a need to know Police officers (except only as required) Your Family members Coffee shop talk Business associates Other EMS personnel not on the call 50
HIPAA Safeguards (3 of 3) Protect Documents Place run reports behind locked doors Keep run reports inside clipboard while in the Unit Password or otherwise protect computers Shred unneeded documentation 51
Summary Use common sense Reasonableness is used throughout the Standard People treating the patient are entitled to the information When in doubt in an administrative situation don t release the information When in doubt, keep your mouth shut! 52