HIPAA
• In 1996 the Health Insurance Portability and
Accountability Act was passed by the federal
government.
• Its aim, among other things, was to require
health care providers to protect the privacy
of protected health information (PHI).
Covered Entity
• An organization or business which is bound
by HIPAA regulations is called a “Covered
Entity”
• Big Tree VFC is a “Covered Entity”
What is PHI?
“Health information means any information,
whether oral or recorded in any form or medium,
that-
• (A) is created or received by a health care
provider, health plan, public health authority,
employer, life insurer, school or university, or
health care clearinghouse; and
• (B) relates to the past, present, or future
physical or mental health or condition of any
individual, the provision of health care to an
individual, or the past, present, or future
payment for the provision of health care to an
individual.”
What is PHI? (cont.)
“Individually identifiable health information is information
that is a subset of health information collected from an
individual, and:
• (1) Is created or received by a health care provider, health
plan, employer, or health care clearinghouse; and
• (2) Relates to the past, present, or future physical or
mental health or condition of an individual; the provision
of health care to an individual; or the past, present, or
future payment for the provision of health care to an
individual; and
• (i) That identifies the individual; or
• (ii) With respect to which there is a reasonable basis to
believe the information can be used to identify the
individual.”
To simplify, PHI is:
Any information that identifies, or could
reasonably be used to identify, a patient and
that relates to the patient's past, present or
future health status, care, or payment for care.
For us this is:
Name, DOB, SS#, history, meds, chief
complaint, etc.
Restricted Use and Disclosure of PHI
• Patients can ask that their health information not
be shared with certain people, groups, or
companies. The agency is not required to agree to
every such request, but once it agrees, it must
honor the restriction.
• In cases like this the EMT in charge of the
patient needs to make the chiefs aware of this
request as soon as possible without
compromising patient care or safety.
• For example, a patient may ask that their
information not be shared with or made known to a
certain member.
When is it okay to release PHI?
• Outside of treatment, payment and health care
operations, a “covered entity” generally needs
the patient's WRITTEN authorization to release PHI.
• There are a few ways some PHI may be
released without written authorization:
– A patient's name may be used in a radio
transmission if a crew is having difficulty
locating said patient. For example, there are no
room numbers on an apartment list, but there
are resident names. Dispatch can radio the
name of the patient to the crew. Keep the
transmission to the minimum needed to find
the patient.
When is it okay to release PHI?
– An EMS crew may report the condition of a
patient to an immediate family member (spouse,
child, grandchild, or health care proxy) IF
VERBAL PERMISSION IS GIVEN BY THE
PATIENT, but try to let the patient do it.
– If the patient is a victim of a crime, EMS may tell
law enforcement about the patient’s injuries and
condition. If the patient is NOT a victim of a
crime, the patient may agree to speak to police
about their condition if they so choose.
When is it okay to release PHI?
– An EMS crew may report patient injuries to law
enforcement if the patient is possibly wanted in
relation to a crime.
– When EMS is delivering a report to a hospital or
receiving medical facility. This preserves
continuity of care: providers NEED to pass on
pertinent medical information, history and
treatments given. EMS can disclose PHI to a triage
nurse or doctor at a receiving facility.
– For the same continuity-of-care reason, EMS may
open and review a patient's records when
transferring that patient from a facility.
When is it okay to release PHI?
– When EMS is reporting suspected abuse that is
covered under Mandated Reporting;
• Child abuse/neglect
– Health information about a deceased person stops
being PHI 50 years after the date of death.
When is it NOT permissible to
disclose PHI?
Posting it on Social Media
• EMS providers may not post details about runs
on any electronic medium. This is true even
when a patient name is not used. If there is
enough information for someone to identify
the patient (for example the nature of the
injury, the time and location of an incident, etc.)
the provider will be in violation.
• Please also be aware that we do have a social
media policy that all members must adhere to.
When is it NOT permissible to
disclose PHI?
Discussions with colleagues/friends
• Just as with electronic media, discussing
patient encounters with colleagues who
were not part of the patient care team (face
to face, or in writing) is a definite no-no.
• This applies also to conversations outside of
work with the provider’s friends or family.
KEEP IN MIND: YOU NEVER KNOW WHO
KNOWS WHOM!
When is it NOT permissible to
disclose PHI?
Statements to news media
• EMS providers may not provide any information
about the nature or severity of a patient’s
illness or injuries.
• EMS providers may not verify the identity of a
patient being treated EVEN IF the media agency
claims to already know the identity of the
patient.
• “NO COMMENT” and/or “PLEASE SEE THE
PIO/CHIEF” are always rules of thumb!
When is it NOT permissible to
disclose PHI?
Sharing patient status or information with
neighbors
• EMS providers may not disclose any patient
information to a patient’s neighbor, friends,
or other persons who are not involved in the
treatment of said patient.
• If a concerned neighbor or friend wants to
know about the patient, let the patient tell
them.
[Image: joke about PHI disclosure. Caption: “So in other words this is not good.”]
Allowing other people to access your
PCR/ePCR
• PCRs (patient care reports) are confidential.
• PCRs and other hard copy PHI (med lists, etc.)
should be secured in a receptacle designed to
protect against unauthorized access.
• EMS providers may not allow others to see
their PCRs. However, there are some
exceptions:
– When the member in question was on the call with you
– When the EMT's number is on that PCR (they are listed
as part of the crew on that report)
– For training/learning/QA&QI purposes, with patient
info redacted.
Why is HIPAA Important?
• Individuals and agencies who violate HIPAA
privacy can be fined and individuals can even
serve jail time if found guilty of violating
these statutes.
• It’s just the right thing to do – we are patient
advocates and should be protecting the
privacy of our patients.
HIPAA breach notification
• In the event that PHI is accidentally or
deliberately disclosed in violation of HIPAA
regulations, the covered entity is required to
report the breach. Federal rules require
notification without unreasonable delay and no
later than 60 days after discovery; reporting
internally right away is what lets the agency
meet that deadline.
• It is unlawful to hide or cover up any
confirmed or potential breach.
• If you feel that a HIPAA breach has occurred,
report the situation to any Chief or EMS
officer immediately!
Civil HIPAA breach penalties
(per violation, with an annual maximum for repeat
violations of the same provision)

Unknowing
  Minimum: $100 per violation, annual maximum $25,000*
  Maximum: $50,000 per violation, annual maximum $1.5 million
Reasonable Cause
  Minimum: $1,000 per violation, annual maximum $100,000
  Maximum: $50,000 per violation, annual maximum $1.5 million
Willful neglect, but violation is corrected within the
required time period
  Minimum: $10,000 per violation, annual maximum $250,000
  Maximum: $50,000 per violation, annual maximum $1.5 million
Willful neglect, and violation is NOT corrected within the
required time period
  Minimum: $50,000 per violation, annual maximum $1.5 million
  Maximum: $50,000 per violation, annual maximum $1.5 million

* $25,000 per year is also the maximum that can be imposed
by State Attorneys General, regardless of the type of
violation. These are the base amounts; HHS adjusts them
for inflation.
Criminal HIPAA breach penalties
• Criminal violations of HIPAA are handled by the DOJ. As
with the HIPAA civil penalties, there are different levels
of severity for criminal violations. Civil and criminal
penalties can both apply to the same conduct.
• Covered entities, and the individuals who work for or
belong to them, who "knowingly" obtain or disclose
individually identifiable health information in violation
of the Administrative Simplification Regulations face a
fine of up to $50,000, as well as imprisonment of up to
1 year.
• Offenses committed under false pretenses allow
penalties to be increased to a $100,000 fine, with up to 5
years in prison.
• Finally, offenses committed with the intent to sell,
transfer or use individually identifiable health information
for commercial advantage, personal gain or malicious
harm permit fines of up to $250,000 and imprisonment of
up to 10 years.
Scenario 1
After a call you're writing your PCR at length. It
was a bad call, and you know that it is going to
go to court. After you're done writing it you
take a picture with your cellphone, which is
passcode protected, so you won't forget the
details of it.
NO, it's not okay. A photo of a PCR is PHI, and
storing it on a phone has to meet the HIPAA
Security Rule requirements for electronic PHI.
A passcode alone is not enough: the device would
also need encryption, access controls and a way
for the agency to manage and wipe it. Generally
most personally owned devices don't meet those
requirements. The PCR stays in the ePCR system,
where you can review it later if needed.
Scenario 2
You wrote some confidential and specific
patient information on some scratch paper
that you later entered into the E-PCR software.
You decide to rip it up into tiny pieces and
throw it in the garbage can as you no longer
need it.
This is not considered a secure way to
dispose of PHI; someone may be able to
easily put it back together. Paper PHI must be
shredded (cross-cut) or placed in a locked
shred container so that it cannot be taped
back together.
Scenario 3
You are in a hospital common area with 2
other members who are discussing an EMS
call you were not on from the other night.
There are no patients or other personnel
around.
Because you were not on the EMS call, you do
not know the patient involved. During the
conversation, they mention the patient's name
and that he was diagnosed as being
schizophrenic.
What should you do?
A. Advise the members to please stop discussing the
call and patient while you are with them. Remind
them that they should not be discussing PHI or
other confidential information with you or with
others who are not authorized to have it.
B. Since you are from the same agency, tell the other
members that they can continue their discussion,
but should be quieter since other people might
overhear what they are saying.
C. Continue what you're doing and don’t say anything.
D. Since the same thing can happen on other calls, ask
for more information as it can be a great learning
experience.
Reasoning
The correct option is A. When discussing PHI
or other confidential information with others
(in person or on the phone), this information
should be shared with only those people who
are authorized to receive the information and
have a “need to know” status. Being a member
of the same agency does not by itself give you
a need to know.
Scenario 4
You find a portion of a patient's record left on the
glass of a copy machine in a public area of the
hall. No one else is around.
What should you do?
A. Call the patient and notify them that their PHI
was left out in the open.
B. Shred the document.
C. Leave it by the copier. The person who left it
will most likely come back.
D. Secure the document by putting it in a folder
or envelope and report it to a chief.
Reasoning
The correct option is D. Securing the
document prevents further unintentional
disclosure, and a chief can make sure the
incident is properly documented. Whether and
how the patient is notified is decided through
the agency's breach procedure, not by you on
the spot. Be sure to cover the information
appropriately at all times while delivering it.
Scenario 5
While you are leaving a patient at the hospital, a doctor is
talking quietly to another patient in another hospital bed in
the same room. You, your patient, and your patient's family
overhear parts of the conversation.
What should you do?
A. Nothing.
B. Speak to the doctor after you both leave the room,
reminding him of his patient's right to privacy.
C. Speak loudly while you are in the room so that your
patient and their visitors cannot overhear the
conversation.
D. Interrupt the doctor to remind him of his patient's
protection under privacy laws.
Reasoning
The correct option is A. “Incidental”
disclosures are allowed, as long as the
Covered Entity takes reasonable measures to
keep the disclosure to the minimum necessary.
The doctor was already speaking quietly, which
is such a measure; overhearing fragments in a
shared room is incidental, not a violation.
HIPAA 2021

