Lessons from EMS HIPAA Audits: 5 Violations We See at (Almost) Every Agency

(5 min read) Our firm has been doing on-site HIPAA audits for over 15 years now and one of the most popular questions we get is: “What are the most common HIPAA violations you see?”  While the answer varies slightly depending on the agency, here’s a list of the five most common violations.   

1. Not Granting Proper Access to Patient Records

Often agencies mistakenly believe that they can dictate how a patient (or a personal representative) can request and receive a copy of their records.   But under HIPAA, patients must be given options, and patients generally get to decide how they receive their records.

Things You Can’t Do:

• Make the Requester to Show Up in Person. Patients can call, email, or fax a request for a copy of their records.  It’s okay if they show up in person, but you can’t require them to do it.
• Require the Request Through the Provider’s Online System. The government recognizes that some folks don’t have access to the internet.  So, you can’t require them to request their records only through your online portal. 
• Require the Requester to Accept Encrypted Email. Encrypted email is the most secure way to email the requester their records.  But if the patient asks for regular email, you must send it that way. 
• Deny the Records Request Because You Don’t Like the Reason. Even if you think the patient is going to sue you, you cannot deny their request based upon that reason.  There are limited specific reasons for which you can deny a records request and you should talk to your attorney before denying a request for patient records. 

2. No HIPAA Risk Analysis

The failure to perform a risk analysis is the number one deficiency cited by the government in their settlement agreements.  And most EMS agencies haven’t done one. 

What is a Risk Analysis?  HIPAA says you must:

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”  45 CFF §164.308.

In a nutshell, that means you need to look at every place health information lives at your agency – including your business associates - and determine whether you are adequately safeguarding that information.  If you’re looking for some guidance, you can start with the Office for Civil Rights Guidance.  If you’re still unclear about how to conduct a Risk Analysis, get help.  Contact Page, Wolfberg and Wirth or another qualified agency to assist you with the risk analysis. 

3. Not Properly Distributing the Notice of Privacy Practices

We often find agencies that don’t have copies of the NPP on ambulances, crews that never offer the NPP to patients, and agencies that think it is ok to just show the patient an electronic NPP on the ePCR or direct them to the agency’s website to get a copy. 

The NPP Rules:

• Every Patient. You must make a reasonable attempt to give every patient a copy of your NPP.
• Non-Emergencies. In non-emergency treatment situations, the NPP should be offered to patients no later the first date of service delivery (e., at the time of service) and you should get the patient’s signature acknowledging she received the NPP.
• In emergency treatment situations the NPP can be provided to the patient as soon as “reasonably practicable” after the service (i.e., it can be mailed later).
• Physical Copy. The patient must receive a physical copy of your NPP, unless the patient expressly agrees to receive a digital copy via email.
• Posted Online. If your agency has a website, you must post a link to your NPP on your website. 

Best NPP Practices:

• Have NPPs on every ambulance.
• Train your crews to give out the NPP whenever the patient is not under duress and to get a signature from patients that they received it.
• Put a copy of your NPP in the first mailing that you or you billing company send to your patients.

4. Snooping

Just because a staff member has access to a record doesn’t mean the staff member has a right to access the record.  Whenever your staff members are accessing health information, it should be for a legitimate, business-related reason.  For example, if a supervisor looks at a run report to perform quality assurance, the supervisor may do so.  But, if that same supervisor accesses the record of his ex-wife to be nosy, the supervisor is violating HIPAA. 

Tips to Prevent Snooping:

• Train your staff members about appropriate access and remind them that you track their access.
• Limit physical access to records to only those who need access.
• Grant electronic access to staff members based on their role within the organization. Staff members should only be able to access what they need to do their job.
• Periodically run access reports on your system to make sure only the folks that should be looking at your records are doing so. Audit records of staff members, family members, friends of staff members, and celebrities or well-know people. 

5. PHI on Personal Devices

At just about every agency we audit, crew members tell us that they have taken pictures of patients at the scene on a cell phone to show mechanism of injury to someone at the hospital.  And most of the time the agency is unaware that it’s happening. 

While taking a picture of a patient for legitimate treatment or operations reasons is not necessarily a HIPAA violation, having a picture on a personal phone can lead to violations.  Recently, a paramedic from Florida was sentenced for 6 months in prison for taking selfies with patients in the back of the ambulance.  Make sure your organization has a clear policy on the practice and crack down on improper use of cell phones.  It would be our strong recommendation that crew members never be permitted to capture images on a personal cell phone.