Tag: compliance

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption. Additionally, all devices should be routinely backed up on encrypted servers. In the event that a device is lost or stolen, full-disk encryption will keep hackers or thieves from accessing sensitive health data.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

OIG Releases Semiannual Report to Congress

The Office of the Inspector General of the Department of Health and Human Services (HHS-OIG) recently issued “Measuring Compliance Program Effectiveness: A Resource Guide.” The Guide was developed by a group of HHS-OIG professionals who wanted to provide a set of metrics by which health care providers can measure the elements of their compliance program. The authors recognize that not all the metrics are applicable to all health care providers but intend them to be used as a guide. The Guide was released on March 27.

You can also read the full “Semiannual Report to Congress (October 1, 2016 – March 31, 2017).”

Maintaining Compliance Within an EMS Service

Maintaining compliance within an EMS service can be a daunting task, especially given the number of regulations that we must follow.

One way to look at EMS is if a trucking company married a hospital.

There are rules and regulations to abide by for an entire fleet of vehicles, from safe operation guidelines all the way down to the use and color of lights. Then there are requirements for a group of healthcare providers, which include necessary certifications such as CPR and knowledge of pertinent life-saving skills.

Not only does maintaining compliance keep vehicles and equipment running smoothly, but it can offer employees valuable peace of mind and keep everyone focused on the same goals of providing the best care possible.

I like to consider compliance an investment in common sense.

Employees know what is expected of them at all times, and they know what type of support their employer will provide to keep their skills sharp. In turn, an EMS service gains from being in good standing with regulators and from an engaged, confident workforce.

The benefits of a strong culture of compliance are immense. An organization that lives and breathes compliance can help ensure a smooth-running operation that features top-notch communication and quality providers who offer excellent care.

Journey to Compliance

These six key ways to ensure compliance will serve as a roadmap to a strong culture in your organization:

  1. Start from the top: Backing from leadership ensures a strong culture of compliance. For certification and education compliance to stick, it starts with the attitudes of upper management, such as the board of directors, chiefs, officers, and day-to-day operations staff. Leaders must actively support all compliance efforts, including regular compliance-related reports, approving policies and having a general knowledge of the rules that govern EMS providers. Without the right tone from the top, an EMS service’s compliance efforts are usually undermined and ultimately fail. This results in issues with governing bodies, payers, scheduling and staffing.
  2. Commit to resources: Having the right personnel and systems in place are both vital to creating a strong compliance culture. The organization’s compliance staff should have experience in directing compliance efforts and supporting the evaluation of compliance-related risks. When it comes to certifications and education, compliance is always black and white. Knowing how to evaluate and respond to operational issues is important to maintaining compliance and successfully operating an EMS service. Systems that provide information to assist the service in complying with its obligations are a necessity.
  3. Have the write stuff: Developing written policies and procedures for compliance programs and internal controls is essential to adequately address regulatory requirements and an EMS service’s specific risks. Having these policies and procedures in writing sets the expectation of what is required of both managers and employees. Assessing risks before drafting these programs will help identify key areas where controls are needed. A compliance program should include how a service’s policies can be implemented from an operational perspective. This will include internal controls and standard operating procedures.
  4. Provide education: Providing the training for your EMS employees gives them peace of mind that they will be in compliance and acknowledges that the service values them.
  5. Test the system: Subjecting procedures to an independent review and audit ensures the compliance system is working correctly. This review provides an evaluation of where the EMS service’s compliance efforts stand. It also offers an opportunity to correct deficiencies before an outside regulatory audit is performed.
  6. Communicate more: Communication is vital to all organizations, but it can be the most difficult piece of the puzzle to achieve. With compliance-related responsibilities, sharing information is very helpful and, in some cases, required. Communicating expectations within EMS training programs is imperative. Reporting compliance efforts and noting any deficiencies should be a part of a communication strategy, especially if your state has an active medical director and/or board of EMS.

Webinar Now 9/21: Scott Moore, Esq on Employment Lawsuits

It’s not too late! Scott Moore, Esq’s Know When to Hold ‘Em or Fold ‘Em webinar has been rescheduled to September 21 at 2:00 p.m. ET.

Employment Lawsuits: Know When to Hold ‘Em or Fold ‘Em

September 21 at 2:00 PM ET
$99 for Members
$199 for non-Members

This program is valid for 1 PDC for the SHRM-CP or SHRM-SCP.

Speaker: Scott Moore, Esq., EMS Resource Advisors

Your organization has been served with a lawsuit or investigative demand on an employment claim. Is your organization prepared for what is ahead? This session will follow what an employer should do long before the Constable serves the papers. Human Resources Managers treat employee personnel records like they are evidence in a case, because they could be. This session will also discuss the financial and practical costs of defending your organization and how you can still lose even if you win.

Spotlight: Rebecca Williamson

Rebecca Williamson
Compliance Officer, Muskogee County EMS
Medicare Regulatory Committee Co-Chair,
AAA Board & Committees
Tulsa, OK

Tell us a little about yourself.

I was born in Muskogee, OK and currently live in Tulsa, OK. I received my nursing degree from Connors State College and my bachelor’s degree in English from Northeastern State University. I began working at Muskogee County EMS as a paramedic 24 years ago, have moved through the ranks over the years, and have held my current title of Compliance Officer for about 12 years. When I’m not doing EMS, I am the Director of Nurses at Kids’ Space, a child advocacy center in Muskogee.

I’m married to Steve Williamson, CEO/President of EMSA, and between us we have 7 children and 6 grandchildren.

What do you enjoy most about your job?

It’s always a challenge. Nothing is ever the same. I enjoyed being a paramedic because it was always different and no two patients were alike. Even though I’m now in administration and I’m dealing with Medicare, Medicaid, and insurance and regulatory issues and legislation, it is still never the same between days. I never feel like I have everything figured out, so there’s always a challenge in my job.

What is your biggest professional challenge?

The EMS industry as a whole has so many challenges, but my biggest professional challenge would be making sense of some of the laws, regulations and rules that govern how we operate and how we get paid. Also, dealing with the bureaucracy and taking a simple concept, such as “we provide medical care,” and trying to get people in Congress and the legislature to understand that we’re not a supplier, but a provider. Translating all of that into simple, real-world language that everyone can understand so we can all be on the same page – that is a challenge.

What is your typical day like?

I don’t really have a typical day! I’m very fortunate that, because I travel so much and because I have to be in different places, my schedule is very flexible and I’m able to work from home a lot. But typically when I go into the office, I can tell in the first five minutes if it’s going to be one of those days that I’m not going to sit down at all, or one of those days where I’ll have blocks of time to sit down and be productive. I try to talk to the medics every morning, and I talk to our Director and do a brief overview every morning and deal with any problems that may have occurred. My day is a constant interaction with the other administrators, the staff, and the medics, and can be a lot of running around.

How has participation in AAA membership and advocacy helped your organization?

I feel as though we as an organization (Muskogee County EMS) are light years ahead of so many other ambulance services because we get the information and the education that we need so easily. We can stay on the forefront of what is happening legislatively with Medicare and Medicaid regulatory issues, and we are in such a better position as a company and as a business because we have access to frontline information and top-of-the-line education. With AAA, industry experts are just a phone call or an email away. I cannot imagine trying to do my job and be effective at all without the education, the experts, and the ability to contact people who can help at a moment’s notice. I cannot imagine doing my job without having access to the AAA.