Tag: compliance

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption. Additionally, all devices should be routinely backed up on encrypted servers. In the event that a device is lost or stolen, full-disk encryption will keep hackers or thieves from accessing sensitive health data.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

Maintaining Compliance Within an EMS Service

Maintaining compliance within an EMS service can be a daunting task, especially given the number of regulations that we must follow.

One way to look at EMS is as if a trucking company married a hospital.

There are rules and regulations to abide by for an entire fleet of vehicles, from safe operation guidelines all the way down to the use and color of lights. Then there are requirements for a group of healthcare providers, which include necessary certifications such as CPR and knowledge of pertinent life-saving skills.

Not only does maintaining compliance keep vehicles and equipment running smoothly, but it can offer employees valuable peace of mind and keep everyone focused on the same goals of providing the best care possible.

I like to consider compliance an investment in common sense.

Employees know what is expected of them at all times, and they know what type of support their employer will provide to keep their skills sharp. In turn, an EMS service gains from being in good standing with regulators and from an engaged, confident workforce.

The benefits of a strong culture of compliance are immense. An organization that lives and breathes compliance can help ensure a smooth-running operation that features top-notch communication and quality providers who offer excellent care.

Journey to Compliance

These six key ways to ensure compliance will serve as a roadmap to a strong culture in your organization:

  1. Start from the top: Backing from leadership ensures a strong culture of compliance. For certification and education compliance to stick, it starts with the attitudes of upper management, such as the board of directors, chiefs, officers, and day-to-day operations staff. Leaders must actively support all compliance efforts, including regular compliance-related reports, approving policies and having a general knowledge of the rules that govern EMS providers. Without the right tone from the top, an EMS service’s compliance efforts are usually undermined and ultimately fail. This results in issues with governing bodies, payers, scheduling and staffing.
  2. Commit to resources: Having the right personnel and systems in place are both vital to creating a strong compliance culture. The organization’s compliance staff should have experience in directing compliance efforts and supporting the evaluation of compliance-related risks. When it comes to certifications and education, compliance is always black and white. Knowing how to evaluate and respond to operational issues is important to maintaining compliance and successfully operating an EMS service. Systems that provide information to assist the service in complying with its obligations are a necessity.
  3. Have the write stuff: Developing written policies and procedures for compliance programs and internal controls is essential to adequately address regulatory requirements and an EMS service’s specific risks. Having these policies and procedures in writing sets the expectation of what is required of both managers and employees. Assessing risks before drafting these programs will help identify key areas where controls are needed. A compliance program should include how a service’s policies can be implemented from an operational perspective. This will include internal controls and standard operating procedures.
  4. Provide education: Providing the training for your EMS employees gives them peace of mind that they will be in compliance and acknowledges that the service values them.
  5. Test the system: Subjecting procedures to an independent review and audit ensures the compliance system is working correctly. This review provides an evaluation of where the EMS service’s compliance efforts stand. It also offers an opportunity to correct deficiencies before an outside regulatory audit is performed.
  6. Communicate more: Communication is vital to all organizations, but it can be the most difficult piece of the puzzle to achieve. With compliance-related responsibilities, sharing information is very helpful and, in some cases, required. Communicating expectations within EMS training programs is imperative. Reporting compliance efforts and noting any deficiencies should be a part of a communication strategy, especially if your state has an active medical director and/or board of EMS.
