HIPAA: Self-Vigilance + Better Understanding
- joshishmael85
- Jul 17, 2023
- 3 min read
HIPAA (not HIPPA) applies to all of us, and we all have a responsibility to safeguard all forms (written, electronic/digital, verbal) of protected health information (PHI). If you provide healthcare and your agency bills for healthcare services, you are indeed a covered entity, and this message pertains to you. The game changed for everyone when this formal act of Congress was passed in the summer of 1996. Many updates and revisions have come across since that time, buts lots of misunderstandings and misconceptions still exist today, not only in the pre-hospital arena, but across all of healthcare.
Why should we care about data protection? First of all, it's the right thing to do. Put yourself in the patient's shoes; would you want your most personal information shared freely to the world? Secondly, HIPAA violations/non-compliance comes with stiff civil and criminal penalties. Large data breaches occasionally make national headlines and while they should get attention, I believe it has led to conservatism amongst providers and health networks. Knowing your responsibilities and better understanding the laws can prevent an overly guarded approach to disclosing information. I get it... HIPAA is complex, and I believe that helps drive most of the uncertainty - but at the end of the day, it is not intended to be a barrier or roadblock.
Source: TotalHIPAA
There are many cases in EMS where HIPAA actually promotes and endorses the sharing of data in a bidirectional manner. These cases are centered around treatment, payment and/or overall healthcare operations. To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information, with certain limits and protections, for treatment, payment, and health care operations activities.
Using or disclosing PHI for the activities below can happen WITHOUT the individual's authorization. You can voluntarily get their consent, but it is not an absolute requirement.
Limit the disclosures to the minimum necessary (redaction or removal of some information may be justified) and consider role-based access to only those that need to know.
The items below are just an example and not intended to be an exhaustive list. Visit hhs.gov for a more comprehensive review.
Treatment - simply the provision of services to a patient, this includes consultations and referrals. (Minimum necessary standard may not always apply here)
Payment - activities to determine medical necessity or to obtain payment or be reimbursed, (think of your billing related folks - they are business associates).
Operations - this is broad and can be tied to QA/QI sessions, audits or legal review, business planning/financial analysis.
Some other pertinent facts about HIPAA
HIPAA still applies to a deceased patient and their health information is considered protected until 50 years after their death. After that time, the privacy rules no longer apply as the data is no longer considered "protected".
The average fine for a violation is around $1.5M.
You don't own your healthcare information, but accommodations have to be made so you can get access to your health-related records.
The HIPAA privacy rules don't apply to schools, health information only on students is considered "education records" and they have to comply with separate FERPA requirements.
Patients cannot automatically sue you, even if they fall victim to an egregious violation. HHS will investigate and likely determine what happens next.
July 17, 2023
Author: Joshua Ishmael, MBA, MLS(ASCP)CM, NRP
Pass with PASS, LLC.
Comments