2. Reasoning
• NYS and REMS require initial training at time
of hire as well as annual refresher training on
healthcare privacy.
3. Agenda
• What is HIPAA?
• Privacy
• Requirements
• Protected Health Information (PHI)
• Notice of Privacy Practices
• Permitted Disclosures
4. What is HIPAA?
HIPAA = Health Insurance Portability and
Accessibility Act
Created by the US Department of Health and
Human Services and fully implemented in April of
2005.
5. What is HIPAA?
• HIPAA is a common set of standards that
protects certain health information
• There are several components but, as EMS
providers, we are most concerned with the
“Privacy Rule.”
6. “The Privacy Rule”
• The intent of the Privacy Rule is to provide
basic rights regarding the use of “Protected
Health Information” (PHI).
• It protects all “individually identifiable health
information.”
• Electronic, paper, or oral
• Applies to “covered entities”
7. Covered Entities
Three Categories:
• Health plans
• Health care clearinghouses
• Health care providers who transmit any health
information electronically
REMS falls under the “health care providers”
category.
8. Requirements
The Privacy Rule requires Covered Entities to:
• Protect PHI
• Designate a Privacy Officer
• Look for “leaks” in the policy
• Conduct/document initial and annual
refresher training for ALL personnel
• Develop an Authorization Form for release of
PHI
9. Other Requirements
• Develop a Notice of Privacy Practices
• When permitted, disclose only the minimum
necessary PHI
• Update policies and procedures
• Identify business associates with access to PHI
and create contracts (i.e. EMScharts)
• Apply reasonable administrative, technical,
and physical safeguards.
10. Protected Health Information
PHI is any information created or received by a
health care provider which relates to:
• Past, present, or future physical or mental
conditions (medical history)
• Provision of health care (treatment)
• Past, present, or future payment for care
11. Protected Health Information
Examples:
• Name
• Address
• Date of Birth/Age
• Social Security Number
• Medical condition/Past medical history
• Full face photos
12. Transfer of Patient
• HIPAA should never negatively impact the
quality of patient care or impede the ability to
provide care.
• The appropriate communication of PHI with
other health care providers DIRECTLY involved
in providing patient care does NOT constitute
a violation of HIPAA.
13. Safeguards
• PCRs should be kept in a secure location (PCR
boxes located at both stations)
• Networks containing PCRs should be
password-protected (EMScharts)
• Include confidentiality statements on e-mails
and faxes that contain PHI (administration-level)
14. Caution
Beware of discussion of PHI, such as:
• Talking about current or prior incident while re-stocking
ambo or writing report
• Discussing a call anywhere other than an official audit
or review
• Discussing “interesting” calls, famous patients, or
neighbors
• Sharing co-workers’ or fellow responders’ PHI (e.g. “My
partner is a bad diabetic” or “Yeah, my partner had a
heart attack a few years ago too.”)
15. Still unsure?
Ask yourself:
• Would a Judge agree that the disclosure
benefited patient care and was performed
with the utmost discretion?
• If you were the patient, would you want an
“embarrassing” injury or illness to be
discussed?
16. Notice of Privacy Practices
• REMS must make a Good Faith attempt to
provide a Notice of Privacy Practices to each
patient
• REMS must also make an effort to get a signed
“Acknowledgement of Receipt”
17. Notice of Privacy Practices
• At REMS, this is achieved with the AOB forms,
which include a privacy notice provision.
• If a patient requests a Notice of Privacy
Practices, a separate form is located in the
clipboard that can be provided to the patient.
18. Permissible Disclosures
• Treatment
• Payment
• Operations
• Public Health Regulations
• Victims of Abuse
• Judicial proceedings
• Births and Deaths
• Research
• Protection of Public Safety
• Law Enforcement
19. Permissible Disclosures
Treatment
• As previously noted, full disclosure is
permitted (and required) to those DIRECTLY
involved in care of the patient.
• This covers destination facility healthcare
providers (tech, RN, NP, PA, MD/DO, etc.)
Payment
• REMS is authorized to disclose PHI to
insurance companies for billing purposes
20. Permissible Disclosures
Victims of abuse
• EMS providers are mandated reporters for
child abuse but may report any type of abuse
without concern of HIPAA violations.
• Definitive proof is not required, only a
reasonable suspicion of abuse.
Judicial Proceedings
• Under subpoena, disclosure is required in a
court of law.
22. Permissible Disclosures
Births/Deaths
• Disclosure to medical examiner/coroner
permitted
Research
• Disclosure to entities such as REMO for
research and statistics tracking.
23. Law Enforcement Disclosures
Law Enforcement
• It is important to remember that we are
healthcare providers and not information
sources for law enforcement. Permissible
disclosures are found under Section 164.512
24. Law Enforcement Disclosures
1. When required by law or pursuant to process
(e.g., gunshot wound reporting)
2. Identification and location purposes (victim or
material witness, includes type of injury)
3. Response to request for information about a
victim of a crime (can’t be used against the
victim, needed to determine violation of law,
in the best interests of the individual)
25. Law Enforcement Disclosures
4. Decedents (if suspected death may be from
criminal conduct)
5. Crime on the premises (evidence of criminal
conduct)
6. Reporting crime in emergencies (identity,
description and location of perpetrator)
26. Law Enforcement Disclosures
May disclose to identify or locate a:
– Suspect
– Fugitive
– Material witness
– Missing person
27. Victims of crime
• May disclose PHI in response to a law
enforcement request, where the individual is a
possible crime victim
• If patient agrees
OR
• If patient is unable to agree because of
condition, may release PHI if:
– Law enforcement represents that the info is
needed immediately; AND
– Won’t be used against the victim
28. Victims of crime
• May release PHI to alert law enforcement of a
patient’s death, IF the death may have
resulted from criminal activity
• You are not required to make a “legal
conclusion” that the death resulted from a
crime
• Only a “suspicion” is required
29. Reporting a crime
• Healthcare providers may release PHI to law
enforcement to alert them to:
– Commission and nature of a crime
– Location of the crime or of the victim
– Identity, description, and location of perpetrator
30. Remember:
• Permissible disclosures can only be made to
appropriate authorities (e.g. you can notify the
county health department of a patient with
tuberculosis but you MAY NOT alert any
media)
31. Penalty
• A person who knowingly obtains or discloses
individually identifiable health information in
violation of HIPAA faces a fine of $50,000 and
up to one year imprisonment.