Ryan Stark | July 23, 2019
Our firm has been doing on-site HIPAA audits for over 15 years now, and one of the most popular questions we get is: “What are the most common HIPAA violations you see?” While the answer varies slightly depending on the agency, here’s a list of the five most common violations.
Often agencies mistakenly believe that they can dictate how a patient (or a personal representative) can request and receive a copy of their records. But under HIPAA, patients must be given options, and patients generally get to decide how they receive their records.
Things You Can’t Do:
The failure to perform a risk analysis is the number one deficiency cited by the government in their settlement agreements. And most EMS agencies haven’t done one.
What is a Risk Analysis? HIPAA says you must:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” 45 CFR §164.308.
In a nutshell, that means you need to look at every place health information lives at your agency, including your business associates, and determine whether you are adequately safeguarding that information. If you’re looking for some guidance, you can start with the Office for Civil Rights Guidance. If you’re still unclear about how to conduct a Risk Analysis, get help. Contact Page, Wolfberg & Wirth or another qualified firm to assist you with the risk analysis.
We often find agencies that don’t have copies of the NPP on ambulances, crews that never offer the NPP to patients, and agencies that think it is ok to just show the patient an electronic NPP on the ePCR or direct them to the agency’s website to get a copy.
The NPP Rules:
Best NPP Practices:
Just because a staff member has access to a record doesn’t mean the staff member has a right to access that record. Whenever your staff members access health information, it should be for a legitimate, business-related reason. For example, if a supervisor looks at a run report to perform quality assurance, the supervisor may do so. But if that same supervisor accesses the record of his ex-wife to be nosy, the supervisor is violating HIPAA.
Tips to Prevent Snooping:
At just about every agency we audit, crew members tell us that they have taken pictures of patients at the scene on a cell phone to show mechanism of injury to someone at the hospital. And most of the time the agency is unaware that it’s happening.
While taking a picture of a patient for legitimate treatment or operations reasons is not necessarily a HIPAA violation, having a picture on a personal phone can lead to violations. Recently, a paramedic from Florida was sentenced to 6 months in prison for taking selfies with patients in the back of the ambulance. Make sure your organization has a clear policy on the practice and crack down on improper use of cell phones. It would be our strong recommendation that crew members never be permitted to capture images on a personal cell phone.
Ryan Stark is a Managing Partner with Page, Wolfberg & Wirth, and is the firm’s resident “HIPAA guru.” He counsels clients on labor relations, privacy, security, reimbursement, and other compliance matters affecting the ambulance industry. Ryan is passionate about educating EMS professionals and loves collaborating with providers and CEOs alike. He is a featured speaker in PWW seminars and webinars, including the firm’s signature abc360 Conference, where he hosts the abc360 Game Show. Always enthusiastic, Ryan has been invited to speak at many state and regional EMS conferences, as well as national industry events. He is also an adjunct professor at Creighton University in the school’s Master of Science in Emergency Medical Services Program.