WCEMS HIPAA Compliance

This course is designed to educate you on our legal
 requirements to protect our patients' rights and
 confidentiality.
WCEMS HIPAA Compliance
After completing this educational program…
• You will be required to complete, sign and date
  the short quiz.
• You will be required to read, sign and date the
  Employee Non-disclosure form, and have a witness
  attest to your signature.
• And…
• Submit the accompanying documentation to
  Theresia Carter upon completion.
At completion of this education program, you will:
• Understand the HIPAA Privacy Rule.
• Understand how it affects WCEMS.
• Be informed of the new laws and procedures.
• Be informed of the consequences of failure to
  follow these procedures.
Q. What is HIPAA and what does it have to do
   with me?
A. HIPAA is the Health Insurance Portability and
   Accountability Act.

This act became federal law in 1996. The Privacy Rule
    became effective in 2001 and the compliance deadline was
    April 14, 2003.
This act will forever change the manner in which we
    perform our duties and care for our patient’s medical
• HIPAA - Health Insurance Portability and
  Accountability Act
• The Privacy Rule - Refers to the HIPAA Privacy Rule
• PHI - Protected Health Information
• NPP - Notice of Privacy Practices
HIPAA provides the following:
• Gives patients more control over their Protected
  Health Information
• Protects the patient's PHI from intentional and
  unintentional misuse and exposure
• Provides for civil and criminal penalties for
  violators of the Privacy Rule
• Establishes a national standard for handling
  and disclosure of PHI
             Patients' Rights:
• The patient has the right to be informed of the
  provider's privacy practices.
• The patient has the right to examine, copy and
  request amendments to their PHI.
• The patient has the right to control certain uses
  and disclosures of their PHI.
     Patients' Right to Examine
The patient has the right to examine, copy and
request amendments to their PHI. These requests
will be handled through the Administration
Office only. Any request should be directed to:

        Theresia Carter @ 512-943-1264

A patient may request an amendment to their PHI.
This request may only be done through Theresia
Carter at the administration office.
    Notice of Privacy Practices
• The Privacy Rule requires that providers adopt a
  NPP and train employees on the use of the NPP
  and NPP-AF forms.
• All patients that WCEMS encounters, whether
  transport or refusal, must be given access to
  where and how to obtain a NPP.
• The Privacy Rule defers this requirement in an
  emergency treatment situation (the NPP must then be
  provided as soon as reasonably practicable after
  the emergency). Therefore, the NPP is posted on the
  Williamson County website, and contact information
  on how to obtain a NPP will be posted in each unit.
Notice of Privacy Practices (Cont.)
WCEMS practice…
• We will make every effort to notify the patient
  with contact information on how to obtain a
  NPP at time of service.
         WCEMS Practices
• The WCEMS Practices are required…
  – To comply with HIPAA
  – To comply with our legal counsel's advice
  – To deter potential civil/criminal actions against:
     • Williamson County
     • Williamson County EMS
     • You
      What is Considered PHI?
List not all inclusive…
• PCRs (run forms)
• Name, DOB, SSN
• FRO reports
• Oral conversation
• Age
• Employer
• Phone number
• Insurance information
• Billing information
• Address, photos, signatures
• Dispatch records
• EKG, labs, X-rays
• Notes
• Email address
Any information that may make a person identifiable.
              PHI applies to:
• Information pertaining to a person's past, present or
  future health, health care, or payment for care.
• Any person, living or deceased.
• Any form: electronic, paper or conversation.
        "minimum necessary"
• "Minimum necessary" means that PHI is used, disclosed
  and accessed only to the extent needed for the task at
  hand, so only the personnel who need PHI for their
  job have access to it.
• In other words…
• If the information does not apply to your job, you
  should not have access to the information (this does
  not mean you cannot see others' run forms for
  QA/QI, training, etc.).
• Off duty, you should not be reviewing PCRs
  (technically, this can be construed as a violation).
               Security Rules
• Information stored on computers (e.g., the database)
  is PHI.
• Secure buildings when away on calls.
• Screen savers should be password protected and
  should activate within 5 minutes of inactivity.
   – We will provide a system-wide standard password.
• Do not allow anyone access to your computers or
  reports who does not require that specific access to
  perform their duties.
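The "minimum necessary" and Security Rules slides above describe an access policy: PHI is opened only by people whose job requires it, off-duty review of PCRs is not permitted, QA/QI and training review is, and every violation is logged for the Privacy Officer. The following is an added example, not code from WCEMS or Williamson County, of what that policy looks like when a records system enforces it: each request is checked against role, crew membership and duty status, only the fields the stated purpose needs are returned, and every decision, allowed or denied, is written to an access log the Privacy Officer can review. All employee IDs, roles, PCR numbers, purposes and patient data are constructed for illustration.

```python
"""Added example, not part of the WCEMS deck: a 'minimum necessary' access
check for PCR (run form) records with an audit log of every decision.
Employee IDs, roles, PCR numbers and patient data below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Fields released for each purpose. Anything not listed is withheld, because
# "minimum necessary" limits the content of a use, not only who may ask.
FIELDS_BY_PURPOSE: Dict[str, FrozenSet[str]] = {
    "treatment":     frozenset({"patient_name", "dob", "narrative", "insurance"}),
    "qa_qi":         frozenset({"narrative"}),
    "training":      frozenset({"narrative"}),
    "billing":       frozenset({"patient_name", "dob", "insurance"}),
    "investigation": frozenset({"patient_name", "dob", "narrative", "insurance"}),
}

# Purposes each role may use a record for. Medics are not listed: they may
# open only the calls they ran, which is decided from the PCR's crew list.
ROLE_PURPOSES: Dict[str, FrozenSet[str]] = {
    "qa_qi": frozenset({"qa_qi", "training"}),
    "billing": frozenset({"billing"}),
    "privacy_officer": frozenset({"investigation"}),
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    on_duty: bool


@dataclass
class PCR:
    pcr_id: str
    crew: FrozenSet[str]        # employee IDs who ran the call
    data: Dict[str, str]        # the PHI on the run form


@dataclass
class AccessLog:
    """Every access decision, allowed or denied, is kept for the Privacy Officer."""
    entries: List[dict] = field(default_factory=list)

    def record(self, emp: Employee, pcr: PCR, purpose: str,
               allowed: bool, reason: str) -> None:
        self.entries.append({"emp_id": emp.emp_id, "pcr_id": pcr.pcr_id,
                             "purpose": purpose, "allowed": allowed,
                             "reason": reason})

    def denied(self) -> List[dict]:
        return [e for e in self.entries if not e["allowed"]]


def decide(emp: Employee, pcr: PCR, purpose: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for emp opening pcr for the stated purpose."""
    if purpose not in FIELDS_BY_PURPOSE:
        return False, "unrecognized purpose"
    if not emp.on_duty:
        return False, "off-duty review of PCRs"
    if purpose == "treatment" and emp.emp_id in pcr.crew:
        return True, "crew member on this call"
    if purpose in ROLE_PURPOSES.get(emp.role, frozenset()):
        return True, f"{emp.role} role permits {purpose}"
    return False, "no job-related need for this record"


def view_pcr(emp: Employee, pcr: PCR, purpose: str,
             log: AccessLog) -> Optional[Dict[str, str]]:
    """Log the decision, then return only the fields the purpose needs."""
    allowed, reason = decide(emp, pcr, purpose)
    log.record(emp, pcr, purpose, allowed, reason)
    if not allowed:
        return None
    return {k: v for k, v in pcr.data.items() if k in FIELDS_BY_PURPOSE[purpose]}


# Constructed sample run form (not a real patient).
RUN_1234 = PCR("1234", frozenset({"m01", "m02"}), {
    "patient_name": "J. Doe", "dob": "1970-01-01",
    "narrative": "Chest pain, 12-lead obtained.", "insurance": "Plan X",
})


def demo() -> dict:
    """Exercise the scenarios the deck describes and return the outcomes."""
    log = AccessLog()
    crew = Employee("m01", "medic", on_duty=True)
    curious = Employee("m07", "medic", on_duty=True)     # was not on the call
    off_duty = Employee("m02", "medic", on_duty=False)   # was on the call
    reviewer = Employee("q01", "qa_qi", on_duty=True)
    biller = Employee("b01", "billing", on_duty=True)
    return {
        "crew_treatment": view_pcr(crew, RUN_1234, "treatment", log),
        "curious_medic": view_pcr(curious, RUN_1234, "treatment", log),
        "off_duty_crew": view_pcr(off_duty, RUN_1234, "treatment", log),
        "qa_review": view_pcr(reviewer, RUN_1234, "qa_qi", log),
        "billing": view_pcr(biller, RUN_1234, "billing", log),
        "denied_for_privacy_officer": log.denied(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The two denied entries in the log (the medic who was not on the call, and the crew member who is off duty) are exactly the cases the Compliance Rules slides call violations; a records system that logs denials as well as grants gives the Privacy Officer something to review rather than relying on self-reporting alone.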
           Compliance Rules
• Talking to a family member on the phone about a
  call and mentioning a name, address or other
  identifiable fact
• Using your job with EMS to check on, or find out
  what happened on, a call for someone who was not
  involved in the call
• Keeping any copy of a report, EKG, notes,
  photos, etc., that may identify the patient
   These are all examples of VIOLATIONS of the
   Privacy Rule.
    Privacy applies to everyone
• What if you come into a room and find medical
  records lying on a table?
   – Have employee that left them out place them in the
     designated secure location for the station, or…
   – You place them in the secure location designated for
     the station
    Privacy applies to everyone
• What if you find information on a computer
  screen and left unattended?
   – Activate the secure screensaver and report your
     actions to the station crew and station officer
    Privacy applies to everyone
• What if you overhear your coworker at the
  hospital talking about a patient in a manner that
  the patient may be identified?
   – Remember if you can hear it, someone else can.
   – Remind your coworker of the privacy rules
 Protecting Spoken Information
• What if you arrive at the hospital and see a
  patient you know?
   – You may certainly approach them and offer your
     concern if appropriate at that time
   – You cannot ask them what their problem or injury is.
     They may offer it – but you cannot ask.
   – Being a healthcare professional does not entitle you
     to PHI unless you are required to have it to perform
     your job.
   What about hospital reports?
• You must give a hospital report to the nurse or
  doctor that is assuming patient care
• This report is not subject to "minimum necessary";
  you may relay any information concerning HX,
  DX, TX or billing in order to further the
  continuum of care.
• Use good judgment to assure that you do not
  unnecessarily reveal PHI to persons that are not
  entitled to it.
        Computers and viruses
• Every reasonable precaution should be taken to limit
  exposure to viruses.
• Some viruses and spyware programs can open
  our computer systems to outside access.
• Computer security practices should be followed
  to prevent any "hacking".
• Any violations are to be reported immediately to
  the Privacy Officer.
    Compliance Responsibility
• Federal Level
   – Dept. of Health and Human Services
      • Office for Civil Rights
• State Level
   – Texas Attorney General
   – Texas Department of Health
• Local
   – Williamson County Human Resources/Benefits
      • County Privacy Officer – Suzanne Hays
      • EMS Privacy Officer – Theresia Carter
          Reporting Violations
• Any violation (known or inadvertent) must be
  reported to the Privacy Officer
   – Privacy Officer has to log the violation and the
     corrective action taken
• Failure to report a violation has implications on
  the County, Department and you.
     Violations of Privacy Rule
 On first offense:
• Carelessness – Documented discussion
• Intentional Violation – Notice of Unsatisfactory
• For personal gain in any form- Termination.

• Repeat of an offense may result in escalation to
  next level of action.
          Criminal Liabilities
Federal Criminal Penalties:
• Up to $50,000 and 1 year in prison for obtaining or
  disclosing protected information.
• Up to $100,000 and up to 5 years in prison for
  obtaining or disclosing protected information
  under false pretenses.
• Up to $250,000 and up to 10 years in prison for
  obtaining or disclosing protected information
  with the intent to sell, transfer, or use it for
  commercial advantage, personal gain, or
  malicious harm.
           Civil Liabilities

– Tier A - Offender did not know, and by exercising
  reasonable diligence would not have known,
  that he or she violated the law.
   • $100 per violation
   • $25,000 annual maximum total per violator
– Tier B - Violation due to reasonable cause and
  not willful neglect.
   • $1,000 per violation
   • $100,000 annual maximum total per violator
– Tier C - Violation due to willful neglect but
  was corrected.
   • $10,000 per violation
   • $250,000 annual maximum total per violator
– Tier D - Violation due to willful neglect and
  was not corrected.
   • $50,000 per violation
   • $1,500,000 annual maximum total per violator
       Some new Procedures
• Ensure the password-protected screensaver is
  activated when the computer is not in use.
• Protect and prevent any access to your paperwork
  before, during and after preparing your PCRs.
• Place all completed PCRs into the station-designated
  secure location when finished preparing reports.
    Some new Procedures (Cont.)
• Use caution where oral PHI is required.
• Destroy all notes and paperwork containing PHI that
  will not be attached to PCRs.
• If it needs to be shredded…
   – Place it in an envelope, write DESTROY on the
     envelope, and send it up with your paperwork.
• Provide every patient information on how to
  obtain a copy of the NPP.
            Related Documents
Policies
• NPP
• Definitions
• General Privacy Policy
• Individuals' Rights
• Minimum Necessary
• Safeguards of PHI
• Uses & Disclosure of PHI
• Enforcement
Forms
• NPP-AF
• Disclosure Log
• Employee Non-disclosure
• Employee Training
• Restrictions of Use &
   Copies of all Williamson County HIPAA Policies will soon be
             accessible at:
• All PHI is to be protected as if it was your own
  medical information.
• Internal access to PHI should be limited to the
  "minimum necessary" to complete the job.
• Report all violations promptly and prevent further
  risk of exposure until the privacy officer can make
  the corrections.
• Click HERE for Quiz
• Click HERE for Employee Non-Disclosure Form