Hipaa sept 2014
- 1. HIPAA
Initial & Annual Training
© North East Mobile Health Services 2014
- 2. What is HIPAA?
HIPAA = Health Insurance Portability and
Accountability Act
Developed by United States Department
of Health and Human Services (HHS)
- 3. A Common Set of Standards
To ensure health insurance portability
To reduce health care fraud and abuse
To guarantee the integrity and
confidentiality of health information
(“Privacy Rule”)
To improve the operations of health care
systems
- 4. We are most concerned with
the “Privacy Rule”
- 5. The Privacy Rule
The intent of the Privacy Rule is to provide
basic rights regarding the use of
“Protected Health Information” (PHI).
It protects “individually identifiable health
information” – whether electronic, on
paper, or oral.
Applies to “covered entities”
- 6. Who is a Covered Entity?
Three Categories:
Health plans
Health care clearinghouses
Health care providers who transmit any
health information electronically
North East Mobile Health Services falls
under the Health Care Provider category
- 7. What’s Required?
The Privacy Rule requires Covered Entities to:
Protect PHI
Designate a Privacy Officer
Look for “leaks” in the policy
Conduct & document training for the ENTIRE
organization
Develop an Authorization Form for release of
Protected Health Information
- 8. More Requirements
Develop a Notice of Privacy Practices
When permitted, disclose only the
minimum necessary PHI
Update policies and procedures
Identify business associates and create
contracts
Develop & apply reasonable
administrative, technical, and physical
safeguards
- 9. Privacy Officer
An individual within the organization that is
responsible for developing and implementing
policies and procedures required by HIPAA.
The Privacy Officer for North East Mobile Health
Services is Robert Russell and can be reached
at 207-510-0073
- 10. Protected Health Information
Any information created or received by a
health care provider which relates to:
Past, present, or future physical or mental
conditions
Provision of health care
Past, present, or future payment for care
- 11. Examples of PHI
Name
Address
Date of Birth/Age
Social Security Number
Medical condition(s)
Past medical history
Full face photos
- 12. HIPAA should NEVER negatively impact the quality of
patient care or impede the ability to provide care!!
The appropriate communication of PHI with other
health care providers directly involved in providing
patient care does not constitute a violation of HIPAA.
- 13. Safeguarding PHI
PCRs should be kept in a secure location
Keep all documentation provided by
patient, medical providers, and any others
secure throughout your shift, and give to
receiving facility or place into the run sheet
drop box at each base, at the earliest
opportunity.
- 14. Safeguarding PHI
In our buildings, offices and crew areas,
you don’t need to “hide” paperwork as you
are working with it, but you DO need to
secure/cover when not at your desk. In
other words, do not leave info lying
around!
- 15. Safeguarding PHI
In vehicles, ensure any paperwork is not
readable from outside the vehicle.
- 16. Use Caution…
Beware of discussion of PHI, such as:
Talking about current or prior incident while re-stocking
or cleaning ambulance or writing report where others
may overhear
Discussing “interesting” calls, famous patients, or
neighbors
Sharing co-workers' or fellow responders' PHI
If you are not sure you can say it, DON’T
- 17. Unsure About Discussing an
Incident??
Ask yourself…
Would a Judge agree that the disclosure
benefited patient care AND was performed with
the utmost discretion???
If you were the patient, would you want an
“embarrassing” injury or illness to be discussed?
- 18. Notice of Privacy Practices
(NPP)
Providers must make a Good Faith
attempt to provide a NPP to each patient
They must also make an effort to get a
signed “Acknowledgement of Receipt”
- 19. North East Mobile Health Services
Notice of Privacy Policy
The NPP is provided to EVERY patient by YOU!
We also send the notice when we need to request
insurance information, including a signature form which
acknowledges receipt and permission to bill insurance on
the patient’s behalf.
You must review and be familiar with this material.
A copy can be viewed on the next two slides.
- 20. NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY
Your health information is personal, and North East Mobile Health Services (NEMHS) is committed to protecting it. We are required by law to
maintain the privacy of health information that could be used to identify you (PHI). The law requires us to provide you with a copy of this Notice of
Privacy Practices (Notice), which describes our privacy practices and our legal duties with respect to PHI. Under certain circumstances, we may also
be required to notify you following a breach of unsecured PHI.
HOW WE MAY USE OR DISCLOSE YOUR PHI
Treatment. We may use or disclose your PHI in connection with our treatment or transportation of you. For example, we may disclose your PHI to
doctors, nurses, technicians, medical students or any other health care professional involved in taking care of you. We may also provide information
about you to a hospital or dispatch center via radio, telephone or other electronic means. We may provide a hospital or other health care facility with
a copy of the medical records created by us in the course of treating or transporting you.
Payment. We may use and disclose your medical information to obtain payment from you, an insurance company or other third parties. For
example, we may provide PHI to your health insurance plan in order to receive payment for our services.
Health care operations. We may use and disclose your PHI for quality assurance activities, licensing and training programs to ensure that our
personnel meet our standards for care, and to ensure that our personnel follow our established policies and procedures. We may also use your
information for obtaining legal, financial or accounting services, conducting business planning, processing complaints, and for the creation of reports
that do not individually identify you.
Other uses or disclosures that do not require authorization. The law permits us to use or disclose your PHI without your authorization in the
following circumstances:
· When required by law, but only to the extent required by law.
· For public health activities, including disclosures to public health authorities authorized by law to collect information for the purpose of
preventing or controlling disease, injury or disability, for reporting births and deaths, and for the conduct of public health investigations.
We may also be required by law to disclose information related to possible child abuse or neglect.
· To a social service or other protective services agency authorized by law to receive reports about victims of abuse, neglect or domestic
violence. We will make every effort to obtain your permission before releasing this information; however, in some cases, we may be
required or authorized by law to act without your permission.
· For health oversight activities.
· For judicial and administrative proceedings, in response to a court order, subpoena, discovery request or other lawful process.
· For law enforcement purposes, including disclosures: (i) to comply with laws requiring the reporting of certain types of injuries, (ii) made
pursuant to a court order, warrant, subpoena, grand jury subpoena or other lawful process, (iii) to assist law enforcement in identifying or
locating a suspect, fugitive, material witness or missing person, (iv) about the victim of a crime, if, under the circumstances, we are unable
to obtain your permission, (v) about a death we reasonably believe may be the result of a crime, (vi) about a crime committed on our
premises, or (vii) to notify law enforcement of the commission of a crime, the location of a victim or to identify the perpetrator of a crime,
but only in emergency situations.
· To coroners, medical examiners and funeral directors.
· To organ procurement organizations.
· For approved medical research projects.
· To avert a serious threat to health or safety.
· For military and veterans activities, national security and other specialized government functions.
· To comply with laws relating to workers’ compensation or similar programs.
USES OR DISCLOSURES WHERE YOU HAVE THE RIGHT TO OBJECT
Unless you object, we may provide relevant portions of your PHI to a family member, friend or other person that you indicate is involved in making
decisions about your health care, or in paying for your health care. We may use or disclose PHI to notify your family member, friends or personal
representative about your condition. In an emergency or when you are not capable of agreeing or objecting to these disclosures, we will disclose
your PHI only to the extent we reasonably believe such disclosure to be in your best interest, and we will tell you about such disclosure after the
emergency has passed, and give you the opportunity to object to future disclosures to family, friends or personal representatives. Unless you object,
we may also disclose your PHI to persons involved in providing disaster relief, for example, the American Red Cross.
USES OR DISCLOSURES THAT REQUIRE YOUR WRITTEN CONSENT
Any other use or disclosure of PHI, other than those listed above will only be made with your written authorization. The law also requires your
written authorization before we may use or disclose: (i) psychotherapy notes, other than for the purpose of carrying out our treatment, payment or
health care operations purposes, (ii) any PHI for our marketing purposes or (iii) any PHI as part of a sale of PHI. You may revoke a previous written
authorization in writing at any time. If you elect to revoke a previous authorization, we will immediately stop any further uses or disclosures of
your PHI for the purposes set out in the written authorizations to the extent we have not already acted in reliance on your authorization; however, we
will be unable to retract any disclosures previously made with your permission.
- 21. YOUR RIGHTS WITH RESPECT TO YOUR PHI
You have the following rights with respect to your PHI:
· The right to request restrictions on the use and disclosure of your PHI. To exercise this right, you must submit a written request to our
Privacy Officer. We are not required to agree to your request; however, if we do agree, we will put our agreement in writing, and will
abide by that agreement except to the extent the use or disclosure of such PHI is necessary to provide you treatment in an emergency.
Notwithstanding the foregoing, we must agree to a restriction on the use or disclosure of your PHI if: (i) the disclosure is for our payment
or health care operations purposes and is not otherwise required by law and (ii) you or another person acting on your behalf has paid for our
services in full.
· The right to request to receive your PHI in a specific location (for example, at your work address rather than your home) or in a specific
manner (for example, by email rather than regular mail). We will comply with all reasonable requests. Any such request should be made in
writing to our Privacy Officer.
· The right to inspect and copy your PHI, except in limited circumstances. Any such request should be made in writing to our Privacy
Officer. We will respond to your request within 30 days. The law gives us the right to deny your request in certain instances; in which
case, we will notify you in writing of the reasons for the denial and explain your rights with regard to having the denial reviewed. A
reasonable fee may be charged for making copies.
· The right to request that we amend your PHI to the extent you believe it is inaccurate or incomplete. Any such request should be made in
writing to our Privacy Officer, and should include the reasons you believe that your information is inaccurate or incomplete. We will
respond to your request within 60 days. We are not required to change your information, but if we do not agree to change your
information, we will notify you of the reasons for our decision, and will explain your rights to submit a written statement of disagreement,
to file a complaint, or to request that your requested change be included in any future disclosures of your PHI. If we agree to a change, we
will ask you whom else you would like us to notify of the change.
· The right to receive an accounting of any disclosures of your PHI made within the 6 years immediately preceding your request. We are not
required to provide you an accounting of disclosures: (i) made for our treatment, payment or health care operations purposes, (ii) made
directly to you, your family or friends, (iii) made for national security purposes, to law enforcement or certain other governmental
purposes. We are also not required to provide an accounting of disclosures made prior to April 14, 2003. If you request more than one
accounting within a 12 month period, we may charge you a reasonable fee for each additional accounting.
· The right to receive a paper copy of this Notice.
NOTIFICATION IN THE EVENT OF AN UNAUTHORIZED USE OR DISCLOSURE
The law may require us to notify you in the event of an unauthorized use or disclosure of your unsecured PHI. To the extent we are required to notify
you, we must do so no later than 60 days following our discovery of such unauthorized use or disclosure. This notification will be made by first class
mail or email (if you have indicated a preference to be notified by email), and must contain the following information:
· A description of the unauthorized use or disclosure, including the date of the unauthorized use or disclosure and the date of its discovery, if
known.
· A description of the type of unsecured PHI that was used or disclosed.
· A description of the steps you should take to protect yourself from potential harm resulting from the unauthorized use or disclosure.
· A brief description of what we are doing to investigate the breach, to protect against future breaches, and to mitigate the harm to you.
· A way to contact us to ask questions or obtain additional information.
CHANGES TO THIS NOTICE
NEMHS is required to comply with the terms of this Notice as currently in effect. We reserve the right to change or amend our privacy practices at
any time in the future, and to make any changes applicable to PHI already in our possession. This Notice will be revised to reflect any changes in our
privacy practices. You may obtain a copy of our revised Notice by contacting our Privacy Officer.
CONTACT
If you have questions or comments about our privacy practices, or if you would like to obtain additional information regarding your privacy
rights, please contact our Privacy Officer.
COMPLAINTS
If you believe that your privacy rights have been violated, you may file a complaint with NEMHS or with the Secretary of the Department of Health
and Human Services (DHHS). To file a complaint with us, please put your complaint in writing and mail it to our Privacy Office. To file a complaint
with the DHHS, you must put your complaint in writing and mail it to: Office for Civil Rights, U.S. Department of Health and Human Services, 200
Independence Avenue, S.W., Washington, D.C. 20201. You will not be retaliated against or denied any health services if you elect to file a
complaint.
Effective Date: April 14, 2003
Revision Date: March 26, 2013
Privacy Officer
Robert Russell, CCEMT-P
Clinical Compliance Officer
NEMHS, 24 Washington Ave, Scarborough Maine 04074
Office: 207-510-0073
Email: rrussell@mobilehealthmedics.pro
- 22. NPP in Emergency Settings
During the emergency treatment of a patient, the NPP must
be given as soon as practical.
DO NOT DELAY emergency care to obtain a signature or
give a NPP!
- 23. Permitted Disclosures
Disclosure of PHI is
acceptable for
Treatment, Payment &
Operations
Public Health Regulations
Victims of Abuse
Judicial proceedings
Law Enforcement
Births and Deaths
Research
Protection of Public
Safety
- 24. Treatment, Payment, and
Operations
Treatment – giving PHI to other providers
involved in patient care, such as hospital
staff
Payment – receiving PHI from other
providers, as necessary for billing
Operations – audits, quality assurance
assessments
- 25. Public Health Regulations
Information for the purpose of preventing or
controlling disease, injury or disability
Reporting births and deaths
The conduct of public health investigations
Notification of communicable diseases to EMS
providers involved in an exposure
- 26. Victims of Abuse, Neglect, and
Domestic Violence
The law requires (and HIPAA allows):
reporting an “endangered adult” believed to be a
victim of battery, neglect, or exploitation to Adult
Protective Services or law enforcement
reporting an “endangered child” believed to be a
victim of battery, neglect, or exploitation to Child
Protective Services or law enforcement
- 27. Judicial Proceedings
Disclosure must only be made when a Judge or
Grand Jury orders disclosure through a court
order, subpoena or other lawful request.
**A private attorney does not have the authority to
order an EMS provider to discuss a case. If
contacted by an attorney, always contact a
manager at North East Mobile Health Services
for advice before proceeding.**
- 28. Law Enforcement
Disclosure to comply with laws requiring the
reporting of certain types of injuries
Pursuant to a court order, warrant, subpoena,
grand jury subpoena or other lawful process
To assist law enforcement in identifying or
locating a suspect, fugitive, material witness or
missing person
About the victim of a crime
- 29. Other Allowable Disclosures
To coroners, medical examiners and funeral
directors.
To organ procurement organizations.
For approved medical research projects.
To avert a serious threat to health or safety.
For military and veterans activities, national
security and other specialized government
functions.
To comply with laws relating to workers’
compensation or similar programs.
- 30. The Media and You....
Disclosing health information to the media is not
permitted - Management should be the contact for
the media.
Politely inform them “Please see a member of our
management team”
- 31. Civil Penalties
The U.S. Dept of Health and Human
Services may impose civil penalties on a
covered entity of $100 per failure to
comply with a Privacy Rule requirement.
- 32. Criminal Penalties
A person who knowingly obtains or
discloses individually identifiable health
information in violation of HIPAA faces a
fine of $50,000 and up to one year
imprisonment.
Criminal sanctions are enforced by
the US Department of Justice.
- 33. “I want a copy”
If a patient, law enforcement officer,
lawyer, or any other person needs a copy
of the patient care report, they need to call
North East Mobile Health Services at 207-
510-0073 to obtain the form needed.
They may also fax a request to 207-883-
5566.
- 34. To quote the law firm of Page,
Wolfberg, and White
What you see here,
What you hear here,
When you leave here,
Let it stay here.