
HIPAA Annual Training Anne Arundel County Fire Department


What is HIPAA??

HIPAA = Health Insurance Portability and Accountability Act

Created by – United States Department of Health and Human Services (HHS)

Still not clear??

HIPAA is a common set of standards that protects certain health information

There are several components – but, we are most concerned with the “Privacy Rule.”

The Privacy Rule

The intent of the Privacy Rule is to provide basic rights regarding the use of “Protected Health Information” (PHI).

It protects all “individually identifiable health information.”

Electronic, paper, or oral
Applies to “covered entities”

Who is a Covered Entity?

Three Categories:
Health plans
Health care clearinghouses
Health care providers who transmit any health information electronically

AACo Fire Department falls under the Health Care Provider category

What’s Required?

The Privacy Rule requires Covered Entities to:
Protect PHI
Designate a Privacy Officer
Look for “leaks” in the policy
Conduct/document training for the ENTIRE department
Develop an Authorization Form for release of PHI

More Requirements

Develop a Notice of Privacy Practices
When permitted, always disclose only the minimum necessary PHI
Update policies and procedures
Identify Business Associates and create contracts
Apply reasonable administrative, technical, and physical safeguards

Privacy Officer

An individual within the organization that is responsible for developing and implementing policies and procedures required by HIPAA

Anne Arundel County Fire Department’s Privacy Officer is Battalion Chief Matthew Tobia

Protected Health Information

PHI is any information created or received by a health care provider which relates to:

Past, present, or future physical or mental conditions
Provision of health care
Past, present, or future payment for care

Examples of PHI

Name
Address
Date of Birth/Age
Social Security Number
Medical condition/Past medical history
Full face photos

HIPAA should NEVER negatively impact the quality of patient care or impede the ability to provide care!!

The appropriate communication of PHI with other health care providers directly involved in providing patient care does not constitute a violation of HIPAA.

Safeguarding PHI

PCRs should be kept in a secure location

Networks containing PCRs should be password-protected

Include confidentiality statements on e-mails and faxes that contain PHI

Use Caution…

Beware of discussion of PHI, such as:

Talking about current or prior incident while re-stocking ambo or writing report

Discussing a call anywhere other than an official audit or review

Discussing “interesting” calls, famous patients, or neighbors

Sharing co-workers’ or fellow responders’ PHI

Unsure About Discussing an Incident??

Ask yourself…

Would a Judge agree that the disclosure benefited patient care AND was performed with the utmost discretion???

If you were the patient, would you want an “embarrassing” injury or illness to be discussed?

Notice of Privacy Practices (NPP)

The department must make a Good Faith attempt to provide an NPP to each patient

The department must also make an effort to get a signed “Acknowledgement of Receipt”

Anne Arundel County Fire Department’s NPP

The department sends our NPP with the request for insurance information, including a signature form which acknowledges receipt and permission to bill insurance on the patient’s behalf.

The NPP is also available on the internet at www.aacounty.org/fire. Every uniformed and civilian member of the Department must review and be familiar with this material.

A copy can be viewed on the next two slides.

NPP in Emergency Settings

During the emergency treatment of a patient, the NPP must be given as soon as practical.

The Anne Arundel County Fire Department provides the NPP and Acknowledgement through the mail.

This ensures that the provision of this information does not interfere with patient care or become lost during the emergent phase of treatment.

Permitted Disclosures

Disclosure of PHI is acceptable in the following circumstances:

Treatment
Payment
Operations
Public Health Regulations
Victims of Abuse
Judicial proceedings
Law Enforcement
Births and Deaths
Research
Protection of Public Safety

Treatment, Payment, and Operations

Treatment – giving PHI to other providers involved in patient care, such as the hospital

Payment – receiving PHI from other providers, as necessary for billing

Operations – audits, quality assurance assessments

Public Health Activities

Disclosures to public health authorities, as authorized by State Law

Also allows for notification of communicable diseases to EMS providers involved in an exposure

Victims of Abuse, Neglect, and Domestic Violence

The law requires (and HIPAA allows):

Reporting an “endangered adult” believed to be a victim of battery, neglect, or exploitation to Adult Protective Services or law enforcement

Reporting a child that is believed to be a victim of abuse or neglect to the immediate supervisor, Child Protective Services, or law enforcement

Judicial Proceedings

Disclosure must only be made when a Judge or Grand Jury orders disclosure through a subpoena or warrant.

**A private attorney does not have the authority to order a Fire Department provider to discuss a case. If contacted by an attorney, always contact the county’s law office for advice before proceeding.**

Law Enforcement

Disclosure of PHI to Law Enforcement is permitted when:

Required by law

Ordered by a court

Ordered by Administrative subpoena

Law Enforcement

When assisting the police to identify or locate a suspect, missing person, or witness, the provider may release:

Name/address

Date/Place of birth

Social Security #

Blood Type

Date/time of treatment

Distinguishing characteristics – height, weight, tattoos, scars, etc…

Law Enforcement

As patient care advocates, EMS providers should encourage law enforcement to gain information directly from the source, when possible.

Civil Penalties

The U.S. Dept of Health and Human Services may impose civil penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement.

Criminal Penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year imprisonment.

Criminal sanctions are enforced by the Department of Justice.

Resources

http://www.hhs.gov/ocr/privacy/hipaa/

http://www.dhmh.state.md.us/hipaa

http://www.aacounty.org/fire

NEXT STEP

Complete the Quiz
Submit a Training Report – Use Training Course Code- HIPA11