Dec. 28, 2016 marks the 16th anniversary of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the federal regulations designed to protect patient information and to ensure patients have easy access to their own health information. The Security Rule followed roughly two years later. A lot has happened over that time to help ensure that HIPAA-covered entities, which include most ambulance services and EMS agencies, comply with these sweeping patient privacy rules.
The bottom line is that EMS agencies and individual EMS professionals have a legal and ethical obligation to safeguard protected health information (PHI) and prevent a breach. HIPAA has certainly been the “gold standard” for that protection, and in recent years, numerous state laws have also been enacted that are intended to safeguard patient information.
Now that 2017 is upon us, the HIPAA enforcement climate has changed drastically. The federal government took a more educational approach to HIPAA in the early years of the regulations. But now, with the advent of stiff fines and penalties, HIPAA enforcement from the criminal and civil side is in full swing. There continue to be major breaches of patient information – affecting thousands of patients – that are getting both large and small healthcare organizations into big trouble.
One of the largest HIPAA settlements to date involved an assessment of $5.55 million in penalties against Advocate Health Care Network. That settlement came about after several breach incidents, including the theft of an unencrypted laptop, containing records on thousands of patients, from an unlocked vehicle where it had been left overnight. The combined breaches affected the electronic PHI of approximately four million individuals.
But it was much more than the unsecured laptop that got Advocate in trouble. The government found that Advocate:
Words to the wise EMS agency: make sure you have in place comprehensive HIPAA privacy and security policies; initial and ongoing privacy and security training for your staff; business associate agreements where required; a current Security Rule risk analysis documenting where electronic PHI is stored, transmitted and handled and how it is protected; and a procedure for performing the breach risk assessment whenever a potential breach of protected health information is discovered. EMS is particularly vulnerable to breaches because of its reliance on portable electronic devices to complete electronic patient care reports. These devices must be physically secured and should be encrypted so that if they are lost or stolen, no one can improperly access the data. Encryption only helps if the decryption key or passphrase is not stored on or with the device. Under HHS guidance, PHI encrypted in a manner consistent with that guidance is not "unsecured" PHI, so the loss of a properly encrypted device is generally not a reportable breach, while the loss of an unencrypted device is presumed to be one.
There are five critical risks that an EMS agency will encounter in the event of a HIPAA breach:
At the end of the day, HIPAA compliance is mostly about your people: their attitude toward patient privacy, how they act and how they treat patient information. This brings into play critical concepts of ethics, integrity and human decency. Common sense must apply as well. There have been numerous news stories and legal actions involving healthcare providers who have literally taken advantage of patients who are in compromised conditions, even misusing their images or health care information for personal gain or amusement. This is happening in all sectors of healthcare, including EMS.
Recently, two Florida paramedics were arrested after they engaged in a “selfie war” posing and taking selfies in the back of the ambulance with dozens of unconscious patients. For more information, read the JEMS article, The Selfie Challenge and Misuse of Patient Images. This was apparently a sick type of joke contest to see who could get the most comical photo with a patient. In one instance, the paramedic allegedly took a selfie with the patient while holding the patient’s eyelids open. In another instance, the paramedic allegedly took a selfie with an elderly patient after exposing her breast.
This grossly improper conduct reflects a lack of respect for the patient and for human dignity. The key to ensuring HIPAA compliance and the protection of patient information is to follow the regulations and to have an active patient privacy compliance program in place. And when it comes to personal conduct, all healthcare providers need to step back and make sure that their conduct in every interaction with a patient is respectful of that patient. Being empathetic and putting yourself in the shoes of the patient can help ensure that the EMS provider doesn't do anything that would compromise the patient's confidential information.
For more information on HIPAA compliance, visit www.pwwemslaw.com or www.pwwmedia.com.