Learning Center
Plans & pricing Sign in
Sign Out

Meck Hipaa



      November 2010
First Responder In-service
•Health Insurance Portability and Accountability Act
•Federal law passed by Congress in 1996
•Regulations promulgated by the Dept of Health and
 Human Services
•Guidelines implemented in April, 2003

                         Why HIPPA?
 A Michigan-based health system accidentally posted the medical records of
  thousands of patients on the Internet. (The Ann Arbor News, February 10,

 A banker who also served on his county's health board cross-referenced
  customer accounts with patient information. He called due the mortgages
  of anyone suffering from cancer. (M. Lavelle, "Health Plan Debate Turning
  to Privacy: Some Call For Safeguards on Medical Disclosure. Is a Federal
  Law Necessary?" The National Law Journal, May 30, 1994)

                                                                              1, 2
                          Why HIPPA?
 Country singer Tammy Wynette's medical records were sold to the National
  Enquirer and Star tabloids by a hospital employee for $2,610. William Cox's
  position at the hospital entitled him to authorized access to several medical
  record databases. He retrieved medical information about Wynette and faxed it
  to the tabloids without her consent. Cox pleaded guilty to one count of wire
  fraud and was sentenced to six months in prison. ("Selling Singer's Files Gets
  Man Six Months,“ Houston Chronicle, December 2, 2000)

 The late tennis star Arthur Ashe's positive HIV status was first disclosed
  publicly not by himself but by a newspaper without his permission after
  receiving the information from a health care worker.

                                                                               1, 2
         What does HIPAA do?
1.Creates standards for protecting the
  privacy of health information

2. Creates standards for the security
  and electronic exchange of health

            Privacy Standard
Protects and enhances rights of
 patients by providing them access and
 control of their information
Specifies who can and can not access
 PHI without the patient knowledge
Allows the patient to review and ensure
 accuracy of their medical records

     Security & Electronic Exchange
Ensure the confidentiality, integrity, and
 availability of all e-PHI they create, receive,
 maintain or transmit
Identify and protect against reasonably
 anticipated threats to the security or integrity
 of the information
Protect against reasonably anticipated,
 impermissible uses or disclosures
Ensure compliance by their workforce
Who must follow the guidelines?
Health Plans
Healthcare Clearing Houses
Healthcare Providers

Who must follow the guidelines?
In Mecklenburg County each first responder
agency has a signed agreement with MEDIC
and the county, that they abide by HIPAA
regulations and standards.
  Protected Health Information (PHI)
 Identifies or can be used to identify an
 Written, Spoken, or Electronic
 Created or received by a health care provider,
 public health authority, employer, school or

                      PHI Examples
 Patient name                          Vehicle identification and
 All geographic subdivisions            serial numbers
  smaller than state
                                        Device identifiers and serial
 All elements of dates related to
  patient(Date of Birth,                 numbers
  Admission, Discharge or Death)        Web Universal Resources
 Telephone numbers                      Locators (URL)
 Fax numbers                           Internet Protocol (IP) address
 Electronic Email Addresses             numbers
 Social Security numbers
                                        Biometric Identifiers
 Medical record numbers
 Health plan numbers                   Full face photographs
 Account numbers                       Any unique identifying
 Certificate/license numbers            characteristic, number, or

First Responders Expectations with PHI
Respect the patient’s privacy
Do not share PHI unless absolutely necessary
 when providing pt care.
Abide by the “minimum amount necessary”
Follow the “Golden Rule” and common sense
 when handling PHI
   “Minimum Amount Necessary”
“A covered entity must make reasonable efforts to use,
  disclose, and request only the minimum amount of
  protected health information needed to accomplish
  the intended purpose of the use, disclosure, or
  request” 3

Do I need this to do my job?
              “Golden Rule”
“Do unto others as you would have them do
  unto you.”

Treat everyone's PHI as you would like your
  health records to be treated.
               How to Protect PHI
Spoken or verbal                  Written and Electronic
 Lower your volume when           Ensure access controls for
  discussing PHI during             reports
  transfer of care                 Ensure HIPAA compliant fax
                                    numbers and email
 Provide patient reports in        addresses
  non-public areas                 Protect your computer
 Do not discuss call after the     screen when entering
  incident to anyone not            reports
  involved in patient care         Avoid photocopying
 Limit the information you        Use HIPAA shredders and
  broadcast over the radio          waste bins
                                   Do not take pictures/video
                                                                 2, 5
  When can PHI be released? (1 of 2)
    Written patient authorization must be
 obtained before releasing Protected Health
 Information for purposes other than:

 Treatment
 Payment
 Operations

   When can PHI be released? (2 of 2)
YES:                              NO:
 Other responders on scene        Press Releases / statements
  providing direct patient care    Social Networking Websites
 MEDIC providing care             Department Websites
 MedCenter Air                    Fire dept. members not
 Medical Control (in               providing patient care
  person/radio)                    Patient’s neighbors/friends
 Hospital registration staff
 Public Health Department        Maybe:
 Reporting suspected abuse        Law Enforcement
                                   Family / Care provider
                 Law Enforcement
Covered entities may disclose protected health information to
law enforcement officials for law enforcement purposes under
the following six circumstances, and subject to specified

1. as required by law (including court orders, court-ordered
   warrants, subpoenas) and administrative requests
2. to identify or locate a suspect, fugitive, material witness, or
   missing person
3. in response to a law enforcement official’s request for
   information about a victim or suspected victim of a crime

                Law Enforcement
Covered entities may disclose protected health information to law
enforcement officials for law enforcement purposes under the
following six circumstances, and subject to specified conditions:

4. to alert law enforcement of a person’s death, if the covered
   entity suspects that criminal activity caused the death
5. when a covered entity believes that protected health
   information is evidence of a crime that occurred on its premises
6. by a covered health care provider in a medical emergency not
   occurring on its premises, when necessary to inform law
   enforcement about the commission and nature of a crime, the
   location of the crime or crime victims, and the perpetrator of
   the crime

            Family / Care Providers
YES:                                 NO:
 Patient gives verbal or            Patient does not consent
  written consent                    Neighbor arrives asking,
 Power of Attorney papers            “What happened?”
  are present                        Friends when patient is
 If pt is incapacitated; closest     incapacitated
  relative or care provider          HIV status
                                     Psychiatric Issues
  What happens if I violate HIPAA?
Civil Penalties         Criminal Penalties

 $100 per person per    Up to $50,000 and/or 1 year
  violation               in jail for intentional
 up to $25,000/year      violations
                         Up to $100,000 and 5 years in
                          jail for obtaining PHI under
                          false pretenses
                         Up to $250,000 and 10 years
                          in jail for obtaining PHI with
                          intent to sell, transfer, use for
                          personal gain or cause
                          material harm

              HIPAA Scenario 1
56yo male c/o CP,           Tell the neighbor that you
  dyspnea, n/v. Medic         and Medic are taking
  arrives and takes over      care of a patient and
  patient care. They          that the information
  determine the pt is a       she is requesting is
  STEMI.                      private, she’ll have to
Neighbor arrives and asks     speak with the patient
  if the patient is ok.       or family.
What can you tell the
               HIPAA Scenario 2
Same patient as before.        You may provide the pt’s
  You arrive at the              name and state they are
  hospital and the               here for chest pain.
  registration staff ask for   You can’t tell them they
  the pt’s name and              are having an MI
  reason they are here.          because this would
                                 violate “minimum
What can you tell them?          amount necessary”
               HIPAA Scenario 3
Your best friend’s sister was   Yes – you could tell her that
  involved in a wreck and is       her daughter was injured
  being taken to the trauma        and taken to CMC.
  center priority 1.            You may not give specific
                                   information on injuries or
Can you call your best             details of the accident.
  friend’s mother and tell      “ Health care providers can share
  her what happened?              patient information as necessary to
                                  identify, locate, and notify family
                                  members, guardians, or anyone
                                  else responsible for the individual's
                                  care of the individual's location,
                                  general condition, or death”3

              HIPAA Scenario 4
You just provided care to a   NO – Obtaining an
  Carolina Panther’s           autograph or photo is
  player.                      unprofessional and
                               violates the pt’s privacy
Can you ask for an
  autograph or picture?       Putting information about
                                a patient on Face book®
Can you Face book ® his         violates the pt’s privacy.
               HIPAA Scenario 5
The patient tells you he has   If asked you can tell them
  consumed 12 beers in the         what the patient has just
  past 3 hours. He was             told you. You are allowed
  involved in a MVC. The           to inform law enforcement
  police come up and ask           about the commission and
  you if the pt is                 nature of a crime.
  intoxicated.                  You may not give the police a
                                   copy of your report, but
What can you say to them?          you should document
                                   EXACTLY what the patient
                                   told you.
              HIPAA Scenario 6
You responded to a house     You may discuss the fire
  fire and only                suppression aspects of
  participated in the fire     the incident.
  suppression . You saw      Tell the news, “patient
  three people treated by      care is something you
  Medic while you were         will need to speak to
  on scene.                    one of Medic’s PIOs
When the news asks you         about.”
  about pt. injuries what
  can you say?
              HIPAA Scenario 7
Should you take a picture     Not advisable – PHI is so
  of a car wreck and put it     prevalent that it would
  on your department or         be very difficult to
  personal website?             remove all of it from a
                                photo. All victims,
                                license plates, and
                                anything else that can
                                be used to identify the
                                victims would have to
                                be removed.
              HIPAA Scenario 8
You plan on faxing a copy   You should call the
  of your CPR                 intended recipient and
  documentation to            verify the fax number,
  medical services.           then include a cover
                              sheet. Once finished
How should you proceed?       you should contact the
                              individual again and
                              ensure they received it.
              HIPAA Scenario 9
You get back to the station   No. This would violate the
  after responding to a         patient’s right to
  medical call at an            privacy. They were not
  apartment complex.            involved in the patient
Can you tell the other          care and have no right
  members of your               to know.
  station what happened
  even though they were
  not there?
               HIPAA Scenario 10
You are on scene of a call.      Yes – “Covered entities may
  The patient tells you he         disclose protected health
  and a friend plan to kill 12     information that they
  of his classmates and            believe is necessary to
  gives you a “hit list.”          prevent or lessen a
                                   serious and imminent
Can you call the police and        threat to a person or the
  tell them what was said?         public, when such
                                   disclosure is made to
                                   someone they believe can
                                   prevent or lessen the
                                   threat (including the
                                   target of the threat)”3
            HIPAA Scenario 11
You run a cardiac arrest   Yes – Dissemination of PHI
  and need the patient’s     is not just to a higher
  name and DOB for your      trained individual. It
  report.                    works both ways. You
Can you contact the          have the right to get
  Medic crew for this        basic demographic
  information?               information form the
                             Medic crew.
            HIPAA Scenario 12
An insurance investigator   Follow your department
  arrives at your station     guidelines as to giving
  and wants a copy of the     out fire reports.
  house fire report you     You must refer the
  responded to last week.     investigator to Medic
  They also want the          for names of the injured
  names of all the people     and patient care report
  injured.                    information.

What can you give them?
              HIPAA Scenario 13
The news camera crew is on   No - News outlet and the
  scene and they are           public are subject to
  filming you treating a       common domain laws
  patient.                     and HIPAA does not apply
                               to them. You can’t stop
Can you make them stop?        them from filming.

Are you required to shield   You could as a courtesy
  the patient?                 shield the pt as best as
                               possible, but you are not
                               required to shield them.
             HIPAA Scenario 14
You are on scene of a        Yes - radio transmissions,
  priority patient.            while not private, are
                               permitted because it
Can you call Medic and         involves treatment and
  give them a patient care     care of the patient. The
  report over the radio?       information you give
                               should be “minimally
              HIPAA Scenario 15
After the call, Medic or the   Yes - PHI is able to be
  hospital wants to know         disclosed for education
  about a call you ran. They     and research purposes.
  state they are doing           As part of Medic’s
  research on first              disclosure with all
  responders and on scene        patients they are notified
  trauma times.                  that their information
                                 could be used for that
Can you give them the            purpose.
  information they request
  without a subpoena?
            Summary (1 of2)
HIPAA provides for privacy and security
 protections of healthcare information.
The penalties are severe for violating HIPAA.
You are required as a first responder agency to
 protect PHI.
Your department should have written
 guidelines for complying with HIPAA and you
 should follow them.
            Summary (2 of2)
Never provide any PHI without the patient’s
 authorization unless you are dealing with
 someone directly treating the patient.
When in doubt don’t provide information until
 you are sure who it is going to and that they
 have a right to the information.
                    Works Cited
5. CHS HIPAA ACE Module 2009

To top