HIPAA and the EMS Instructor
Mike Carroll, EMT-P; EMS Coordinator, So. Portland Fire Department
Published in the Winter 2005 edition of the Maine EMS I/C News
What should an EMS Instructor teach students regarding HIPAA? While the students’
services are responsible for making sure that all their providers are trained in
the HIPAA regulation, I believe an EMS instructor should touch on the topic
during the students’ initial course. In this article, I have attempted to cover
a few of the highlights that I feel should be covered.
HIPAA stands for Health Insurance Portability and Accountability Act. As the name
implies, it began as a bill to allow the portability of insurance. But, as with
many things in politics, it developed a life of its own and began to grow. Part
of that growth encompassed health care providers and the protection of patient.
HIPAA limits how you may disclose Protected Health Information (PHI). When you
do disclose or request any information you should only give or receive the
minimum amount necessary to accomplish the purpose of the request or disclosure.
You must provide written notice of your service’s privacy practices to all your
patients. This notice states for what purposes you will be using any PHI. Such
uses may be QI, billing, data collection and the like. Patients should sign an
acknowledgement of receiving the Notice of Privacy Practice. This may be
incorporated into your service’s insurance authorization form. If the patient
is unable to sign, a relative may sign, and you should document that the
patient could not sign and the reason why. The Notice of Privacy Practice can
be printed on a flyer, booklet, or any form your service deems appropriate.
You must allow patients to inspect and copy any PHI upon request. Patients have the
right to request any PHI be amended. The service does not have to amend the
PHI, but should add an addendum to the PHI indicating the change requested. You
must allow the patient to restrict the things you do with their PHI.
Who can you share PHI with? Yes, you can talk to your fellow providers on the call
about what is going on with the patient and signs and symptoms as well as
treatment options. You still need to provide quality patient care. You should
not be telling anyone not directly involved in the care of this patient
any PHI, however. You can also share information with the person(s) to whom you
are turning your patient over for direct patient care. For instance, you can
give your report to the emergency room staff when you deliver the patient to
the hospital. You can also give a good radio report to the hospital, advising
them of the status of the patient whom you are transporting. It is understood that
there are people in “scanner land” that will hear your report and may be able
to put enough information together and figure out who it is you may be
transporting. This cannot be avoided. It is also understood that when you give
your verbal report some bystanders may overhear it. You should take every
precaution reasonable to assure this is avoided.
Run reports need to be secured. While they are in the emergency department,
ambulance or wherever, before getting back to the ambulance base, you must make
every effort to assure the information on the report is not accessible to
others. Once back at the station the report should be kept in a locked box or
office, or secured somehow with limited accessibility.
There are a number of things the service needs to do for HIPAA compliance. One is to
appoint a Privacy Officer. The service must develop numerous forms: Notice of
Privacy, Acknowledgment of Receipt form, Accountability Log (which tracks where
all requests for run reports go and by whom and why they were requested), and
others. The service must also have agreements with business associates such as
billing companies, hardware and software vendors, claims consultants, and medical
directors (if contracted), to name a few. If the service is doing its own
billing, it must institute other security safeguards. The service
administrators should become familiar with these and institute them. Most
safeguards deal with electronic filing of claims and password protection.
In closing, I found the material offered by Page Wolfberg and Wirth to be extremely
helpful in developing my HIPAA compliance material as well as training and
educational material. I am far from an expert in the regulation and I might
suggest anyone interested look at their material for further information.
© 2005 by Jacqueline B. Vaniotis