Tag: HIPAA

OCR Issues Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace

Today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.

In the guidance, OCR reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records. The HIPAA Privacy Rule only applies to HIPAA covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions), and, in some cases, to their business associates.  The HIPAA Privacy Rule applies to most EMS providers but only as it relates to it’s patient’s Protect Health Information (PHI).

Today’s guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. The Privacy Rule does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce

The Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or other vaccination record to their employer.
  • Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

OCR stated that they are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19.

More details about the latest guidance on HIPAA, COVID-19 Vaccinations, and the Workplace may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html.  If you have questions regarding what information you may or may not share relative to COVID-19 vaccinations, please contact the AAA for assistance.

 

EMS.gov | New Resources Help EMS Clinicians and Agencies Navigate HIPAA

Nationwide, EMS agencies regularly report that hospitals and other healthcare workers refuse to share patient information with them, citing Health Insurance Portability and Accountability Act (HIPAA) concerns. Misconceptions about HIPAA can create artificial barriers to the legitimate, approved exchange of data between EMS and other providers, resulting in missed opportunities to improve patient outcomes and advance evidence-based practices in prehospital care.

To address this issue, the NEMSIS Technical Assistance Center collaborated with the law firm Page, Wolfberg & Wirth to provide helpful resources explaining the sharing of patient information between EMS and other healthcare professionals:

While obstacles may remain for the appropriate sharing of patient information, HIPAA is not one of them. Sharing patient information benefits EMS agencies and improves prehospital patient care by revealing evidence-based practices that make a difference for patients in the field.

NEMSIS | EMS Body Cam Guide

New Guide Offers Body-Worn Camera Legal Considerations for EMS Agencies

Although body-worn cameras aren’t yet widely used in EMS, interest is growing and organizations that have employed them have seen significant benefits – and some limitations.

To help guide agencies, the National Emergency Medical Services Information System Technical Assistance Center (NEMSIS TAC), in cooperation with the legal firm Page, Wolfberg & Wirth, has released the EMS Body-worn Camera Quickstart Guide: Legal Considerations for EMS Agencies. The guide provides an overview of general legal issues for EMS agencies thinking about using body-worn cameras.

An overview of these key legal considerations for EMS agencies are covered in the new document:

  • Federal HIPAA standards
  • State invasion of privacy laws
  • State wiretap/eavesdropping laws
  • State open records laws
  • Data retention requirements
  • Developing a body-worn camera policy

Every EMS agency considering the use of body-worn cameras must evaluate not just legal issues but financial considerations, public perception, impact on staff, potential union bargaining and more.

Download PDF

OCR Guidance on COVID-19 and HIPAA Disclosures

Office for Civil Rights Guidance on COVID-19 and HIPAA disclosures to law enforcement, paramedics, other first responders, and public health authorities
 by Kathy Lester, J.D., M.P.H.

 On March 24, the Office for Civil Rights (OCR) released guidance clarifying that any covered entity may share the name or other identifying information of an individual who has been infected with, or exposed to, COVID-19 with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization.  This clarification allows ground ambulance entities and their personnel to share the information consistent with the guidance.  It also allows other covered entities such as hospitals, physicians to share the information with ground ambulance entities and their personnel.  Finally, there are no HIPAA restrictions on non-covered entities, such as law enforcement, families, public health departments, and 911 call centers (not otherwise covered entities), from sharing the information.  There may be State confidentiality laws that apply as well, and the AAA encourages ground ambulance entities to review the laws in the States in which they operate.

The authority to share this information is in the existing HIPAA regulation – this is not a waiver or a change in the current law.  OCR highlights the current authority in the guidance.

  • Disclosure of PHI pursuant to treatment (45 C.F.R. § 164.506(c)(2)). Covered entities may disclose PHI to another covered entity for purposes of treatment, payment, or health care operations.  The guidance provides the example of a skilled nursing facility (SNF) disclosing PHI about a COVID-19 positive individual to emergency transport personnel who will be treating a patient during the transport of the individual to a hospital emergency department.  This is an example and not the only scenario to which the disclosure policy applies.
  • Disclosures required by law (45 C.F.R. § 164.512(a)). Covered entities may disclose PHI when such disclosure is required by law.  The guidance provides the example of a hospital disclosing PHI about a COVID-19 positive individual to public health officials when such a disclosure is required by state law.  Again, this is an example and not the only scenario to which the disclosure policy applies.
  • Disclosure to public health authorities (45 C.F.R. §§ 164.512(b)(1) & 164.501 (definition of public health authority). Covered entities may disclose PHI about a COVID-19 positive individual to a public health authority that is authorized by law to collect or receive such information for the purpose of controlling disease, injury, or disability.  The purposes include public health surveillance, public health investigations, and public health interventions.  Examples of public health authorities include the Centers for Disease Control and Prevention and state, tribal, local, and territorial public health departments).
  • Disclosures when risk of infection to a person (45 C.F.R. § 512(b)(1)(iv)).  Covered entities or public health authority may disclose to a person – including first responders – who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.  The guidance provides the example of a county health department disclosing such information to a police office to prevent or control the spread of COVID-19.  This authority would also apply to ground ambulance personnel, even though the example does not reference them specifically.
  • Disclosures to prevent or lessen a serious and imminent threat to the health and safety of a person or the public (45 C.F.R. § 164.512(j)(1)). Covered entities may disclose PHI to a person or the public to prevent or lessen a serious and imminent threat to the health and safety of a person or the public when the disclosure is made to someone the person making the disclosure believes that doing so will prevent or lessen the threat.  The guidance provides an example of disclosing COVID-19 status to firefighters, child welfare workers, mental health crisis personnel, or others – which would include ground ambulance personnel as well.  The covered entity must believe in good faith that the disclosure is necessary to prevent or minimize the threat of imminent disclosure to the person or public.
  • Disclosure to a correctional institution or law enforcement having lawful custody of an inmate or other individual under certain circumstances (45 C.F.R. § 164.512(k)(5)). Covered entities may disclose PHI related to an inmate’s positive COVID-19 status under the following circumstances:
  • Providing health care to the individual;
  • The health and safety of the individual, other inmates, officers, employees, and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
  • Law enforcement on the premises of the correctional institution; or
  • The administration and maintenance of the safety, security, and good order of the correctional institution.

The guidance provides the example of a physician at a medical facility sharing an inmate’s positive COVID-19 status with correctional guards.

For all of these disclosures, with the exception of those that are required by law or for the purpose of treatment, the covered entity must provide the minimum amount of information necessary to accomplish the purpose.  For example, the guidance states that a hospital should not distribute a list of individuals who are COVID-19 positive or suspected to have the virus to EMS personnel, but rather disclose the information on a case-by-case basis about the specific patient being treated.  Similarly, a 911 call center that is a covered entity may provide such information to a police office or similar personnel being dispatched to the scene to allow the responder to take the necessary precautions.

The guidance also provides additional examples that reference specific types of covered entities, but these are just examples.  The laws apply to all covered entities and not just those highlighted in the examples.

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disc encryption. Additionally, all devices should be routinely backed-up on encrypted servers. In the event that a device is lost or stolen, full-disc encryption will keep hackers or thieves from accessing sensitive health data.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

HHS Office of Civil Rights Announces Phase 2 HIPAA Audit Review Program

On March 21, 2016, the Office for Civil Rights of the Department of Health and Human Services announced Phase 2 of its HIPAA Audit Program.  The Health Information Technology for Economic and Clinical Health Act (HITECH) required HHS to perform periodic audits of covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules.  These rules are enforced by the HHS Office for Civil Rights (OCR).

Background on Phase 1

In 2011, OCR implemented a pilot audit program to assess the controls and processes covered entities have adopted to meet their HIPAA obligations.  The pilot audit program was conducted in three phases.  OCR first developed a set of audit protocols that it would use to evaluate covered entities’ compliance.  This protocol was then tested using a limited number of audits.   The final step involved using the revised audit protocols on a larger number of covered entities.  Ultimately, 115 covered entities were selected for review, and all audits were concluded by December 31, 2012.

Phase 2

Phase 2 of the HIPAA Audit Program will focus on the policies and procedures adopted and employed by entities to meet the requirements of the Privacy, Security, and Breach Notification Rules.  OCR has indicated that these audits will be conducted primary through desk audits (i.e., document submissions), although by a limited number of on-site audits will also be conducted.

Unlike Phase 1, which focused exclusively on covered entities, OCR is indicating that Phase 2 will involve audits of both covered entities and their business associates.

As with the initial pilot audit program, Phase 2 will consist of several stages.  The first stage involves verification of a covered entity’s or business associate’s address and contact information.  A sample address verification letter can be viewed by clicking here.  OCR has indicated that emails will be sent to entities requesting accurate contact information for the entity.  OCR will then transmit a “pre-audit questionnaire” to the entity.  These questionnaires will be used to gather data about the size, type, and operations of potential auditees.  Based on this data, OCR will create potential audit subject pools.

Note: OCR has indicated that if an entity fails to respond to OCR’s request to validate its contact information and/or fails to return the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  As a result, an entity that fails to respond may still be selected for audit and/or compliance review.  OCR is specifically reminding entities to check their email “junk” or “spam” folders for any communications from OCR.

Once OCR has developed its audit subject pools, it will randomly select auditees from these pools.  Auditees will then be notified by OCR of their participation.  OCR has indicated that the first set of audits will focus on covered entities, with a subsequent round of audits focused on business associates.  These audits will focus on compliance with specific requirements of the Privacy, Security, or Breach Notification Rules.  Auditees will be notified of the scope of their audit in a document request letter.  Both of these rounds will be desk audits.  OCR indicated that all desk audits will be completed by the end of December 2016.

A third round of on-site audits will take place after the completion of the desk audits, and will examine a broader scope of requirements under HIPAA.  OCR further indicated that desk auditees may also be subject to on-site audits.

If an entity is selected for audit, OCR will notify them by email.  The email will introduce the OCR audit team, explain the audit process, and discuss OCR’s expectations in greater detail.  The email notification letter will also include initial requests for documentation.  OCR has indicated that it will expect entities to respond to these documentation requests within ten (10) business days.  Documents will be submitted through a new secure online portal.  Once received, OCR’s auditors will review the submitted information and inform the entity of its draft findings.  The entity will then have ten (10) business days to respond with written comments, if any.  OCR will then review the entity’s comments and issue a final audit report within thirty (30) business days.

OCR has indicated that the audits are primarily intended as a compliance improvement activity.  OCR will use aggregated data to better understand compliance with respect to particular aspects of the HIPAA rules.  The goal being to understand what types of technical assistance and/or corrective actions would be most helpful.  In other words, OCR is indicating that the goal of these audits is to improve its understanding of the state of compliance, and not to penalize specific companies for violations.  However, OCR indicated that should an audit reveal a serious compliance issue, OCR may initiate a further compliance review of the company.

OCR indicated that it will not post a list of the audited entities, nor will its findings be available in a format that would clearly identify the audited entity.  However, OCR noted that audit notification letters and other information regarding these audits may be discoverable under the Freedom of Information Act (FOIA).

Additional information from OCR regarding the Phase 2 HIPAA Audit Program can be obtained by clicking here.

Stay In Touch!

By signing up, you agree to the AAA Privacy Policy & Terms of Use

PO Box 96503 #72319
Washington, DC 20090-6503
hello@ambulance.org

Customer Service

Email hello@ambulance.org to open a support ticket for friendly assistance!

Media Inquiries

media@ambulance.org (Press only, please.)

© 2023 American Ambulance Association, Inc.