Dec. 28, 2016 marks the 16th anniversary of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule – the federal regulations designed to protect patient information and to ensure patients have easy access to their own health information. The security rule followed two years later. A lot has happened over that time to help ensure that HIPAA-covered entities, which include most ambulance services and EMS agencies, comply with these sweeping patient privacy rules.
The bottom line is that EMS agencies and individual EMS professionals have a legal and ethical obligation to safeguard protected health information (PHI) and prevent a breach. HIPAA has certainly been the “gold standard” for that protection, and in recent years, numerous state laws have also been enacted that are intended to safeguard patient information.
Now that 2017 is upon us, the HIPAA enforcement climate has changed drastically. The federal government took a more educational approach to HIPAA in the early years of the regulations. But now, with the advent of stiff fines and penalties, HIPAA enforcement from the criminal and civil side is in full swing. There continue to be major breaches of patient information – affecting thousands of patients – that are getting both large and small healthcare organizations into big trouble.
One of the largest HIPAA settlements to date involved an assessment of $5.55 million in penalties against Advocate Health Care Network. That settlement came about after several breach incidents, including the loss of an unencrypted laptop, containing records on thousands of patients, that was left in an unlocked vehicle overnight. The combined breaches affected the electronic PHI of approximately four million individuals.
But it was much more than the unsecured laptop that got Advocate in trouble. The government found that Advocate:
- Did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities of all of its e-PHI;
- Failed to implement policies and procedures and facility access controls to limit physical access to electronic information systems; and
- Failed to obtain satisfactory assurances in the form of written business associate agreements that its business partners would appropriately safeguard all e-PHI in their possession.
Words to the wise EMS agency – make sure you have in place comprehensive HIPAA privacy and security policies, initial and ongoing privacy and security training for your staff, business associate agreements where required, and procedures to perform a risk analysis in the event of a potential breach of protected health information. EMS is particularly vulnerable to breaches because of our reliance on portable electronic devices to complete electronic patient care reports. These devices must be properly secured and should be encrypted so that if they are lost or stolen, no one can improperly access the data.
There are five critical risks that an EMS agency will encounter in the event of a HIPAA breach:
- A breach can harm your reputation. Patients and the public may have great concern if a breach occurs. They will likely be uncertain about your EMS agency and how it uses and protects confidential health information. This could ultimately lead to a loss of patients and loss of contracts with other healthcare providers that the ambulance service does business with – such as hospitals and nursing homes.
- A breach can cause significant financial repercussions. Dealing with a breach carries significant cost, including, among many other expenses, providing individual notices to all affected parties. There will be costs for the investigation, potential legal fees and the cost of tuning up what may be a deficient HIPAA compliance program. There are also likely to be increased insurance costs and the cost of business interruption while the consequences of the breach are dealt with.
- A breach brings significant legal issues. Not only can there be fines and penalties from the Office of Civil Rights – which enforces HIPAA – there may also be fines and penalties under state breach notification and protection laws. Even though there is no private right of action under HIPAA, there may well be common law rights of action by affected patients for an invasion of privacy. Also, state attorneys general have the right to bring HIPAA actions on behalf of their citizens.
- A breach has significant operational repercussions. There will be the cost of training and retraining as well as development of specific policies and procedures that should have been in place in the first instance. There may be personnel costs to ramp up HIPAA compliance, and there may be costs of adopting new technology and security measures to ensure the protection of patient information.
- A breach has significant clinical issues. Whenever there is a breach of patient information, the patient data stored and used by the healthcare organization may also be compromised. This can lead to unreliability of healthcare records. That can cause delayed care – and even improper care – if critical patient information can’t be relied upon as 100 percent accurate.
At the end of the day, HIPAA compliance is mostly about your people – their attitude toward patient privacy, how they act and how they treat patient information. This brings into play critical concepts of ethics, integrity and human decency. Common sense must apply as well. There have been numerous news stories and legal actions involving healthcare providers who have literally taken advantage of patients who are in compromised conditions – even misusing their images or health care information for personal gain or amusement. This is happening in all sectors of healthcare, including EMS.
Recently, two Florida paramedics were arrested after they engaged in a “selfie war” posing and taking selfies in the back of the ambulance with dozens of unconscious patients. For more information, read the JEMS article, The Selfie Challenge and Misuse of Patient Images. This was apparently a sick type of joke contest to see who could get the most comical photo with a patient. In one instance, the paramedic allegedly took a selfie with the patient while holding the patient’s eyelids open. In another instance, the paramedic allegedly took a selfie with an elderly patient after exposing her breast.
This grossly improper conduct reflects a lack of respect for the patient and human dignity. The key to ensuring HIPAA compliance and the protection of patient information is to follow the regulations and have an active patient privacy compliance program in place. And when it comes to personal conduct, all healthcare providers need to step back and make sure that their conduct is respectful of the patient in every interaction they have with one. Being empathetic and putting yourself in the shoes of the patient can help ensure that the EMS provider doesn’t do anything that would compromise the patient’s confidential information.