HIPAA: Basic to Advanced (What it is and what it isn't)
Jonathan Moore
Director, Fire & EMS Operations/GIS
International Association of Fire Fighters

What is HIPAA?
Health Insurance Portability and Accountability Act

HIPAA Security Rule
Focused on Patient Information Privacy

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160, 162, and 164
[CMS-0049-F]
RIN 0938-AI57
Health Insurance Reform: Security Standards
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Final rule.
SUMMARY: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Are you covered by HIPAA?
- Are you an EMS provider?
- Do you bill for your EMS services?
- Do you bill Medicare?
- Do you transmit Medicare billing information electronically?

Covered Entities
- Health Plans
- Health Care Clearinghouse
- Health Care Provider
  - who transmits any health information in electronic form in connection with a "covered transaction"
  - claim filing is the most common covered transaction, but there are others

Common Covered Electronic Transactions
- Claims filing
- Remittance advice
- Coordination of benefits
- Claim status
- Health plan enrollment/disenrollment
- Eligibility
- Referral certification

What is the worry about "transactions"?
Protected Health Information ("PHI")

Three Basic Permitted Uses of PHI
- Treatment, Payment and Operations, called the "TPO" uses
- Consent, authorization or other permission is NOT REQUIRED for these uses

"OOPS": Incidental Disclosures
- Happen and are "expected"
- Examples?
  - Radio communications
  - ER arrival "report"
- Protections?
  - "Reasonable safeguards"
  - Does not require that you implement new technologies for privacy purposes

Dispatch Communications
- Scanner world... Internet CAD pages
- [Screenshot: Martin County Emergency Services "FIRE/RESCUE SCANNER"]

Dispatch Communications
- Most public safety and EMS communications are treatment related
- You have to find the patient and SHOULD have an idea what the nature of the problem is
- Any radio disclosure of patient information for location or treatment purposes is permitted

And What About Law Enforcement?
....be careful here.....

Law Enforcement Disclosures
- HIPAA limits the disclosures that EMS providers can make
- EMS providers are patient care advocates, not law enforcement information sources
- Permissible law enforcement disclosures are limited to specific situations, covered under 45 C.F.R. 164.512(f)

Permissible Law Enforcement Disclosures: Overview
1. When required by law or pursuant to process (e.g., gunshot wound reporting)
2. Identification and location purposes (victim or material witness; includes type of injury)
3. Response to a request for information about a victim of a crime (can't be used against the victim, needed to determine a violation of law, in the best interests of the individual)
4. Decedents (if the suspected death may be from criminal conduct)
5. Crime on the premises (evidence of criminal conduct)
6. Reporting crime in emergencies (identity, description and location of the perpetrator)

Required By Law/Pursuant to Process
- Health care providers are permitted to disclose PHI under HIPAA for injury reporting when required by state law
  - Examples: gunshot injuries, burns, animal bites
  - Check state law for specifics

Required By Law/Pursuant to Process
- Court orders
- Warrant
- Grand jury subpoena
- Civil investigative demand, administrative subpoena or other authorized, official request
- The PHI must be relevant and material to a legitimate law enforcement inquiry

Identification and Location
- To identify or locate a:
  - Suspect
  - Fugitive
  - Material witness
  - Missing person
- The covered entity may only furnish:
  - Name
  - Address
  - DOB
  - SSN
  - Blood type
  - Type of injury
  - Date/time of treatment
  - Date/time of death*
  - Description of distinguishing physical characteristics

Crime Victims
- May disclose PHI in response to a law enforcement request where the individual is a possible crime victim IF the patient agrees; OR
- If the patient is unable to agree because of condition, may release PHI if:
  - Law enforcement represents that the info is needed immediately; AND
  - It won't be used against the victim*

Decedents
- May release PHI to alert law enforcement of a patient's death IF the death may have resulted from criminal activity
- You are not required to make a "legal conclusion" that the death resulted from a crime; only a "suspicion" is required
- Note: there is a general exception for releasing PHI to coroners and funeral directors for non crime-related deaths

Crime on Premises
- A health care provider can disclose PHI to report a crime at the provider's premises
- Need only have a "good faith belief" that the information may constitute evidence of a crime on the premises
- Examples: child abuse, assault

Reporting Crime in Emergencies
- Emergency care providers may release PHI to law enforcement to alert them to:
  - Commission and nature of a crime
  - Location of the crime or of the victim
  - Identity, description and location of the perpetrator

"Channel 11 News Reports....."
What can you say to the Media? OR What can the Media say?

Media Disclosures and HIPAA
- There are no express provisions in the Privacy Rule addressing media disclosures
- However, EMS organizations are often put in the position of fielding media requests
- Is it possible to strike a balance?

Media Disclosures and HIPAA
- Disclosures made with patient authorization
  - Use a HIPAA-compliant authorization form
  - Must specifically inform the patient of the information to be disclosed and to whom it will be disclosed
  - Disclosures must be limited to those in the authorization

Media Disclosures and HIPAA
- Disclosures of de-identified information
- De-identified PHI is information that:
  - Does not identify an individual; AND
  - There is no reasonable basis to believe the information could be used to identify an individual

"De-Identification"?
- The following information must be removed:
  - Name
  - Geographic identifiers smaller than a state
  - Phone/fax/e-mail address
  - SSN
  - Medical record numbers
  - Photographs
  - Account numbers
  - License numbers
  - Other unique identifiers
- (This list is abbreviated. The "safe harbor" method in 45 C.F.R. 164.514(b)(2) names 18 identifier classes, including all elements of dates other than year and ZIP codes beyond the first three digits, and the covered entity must also have no actual knowledge that what remains could identify the individual.)

Permissible Media Disclosures
- General information about the incident, number of victims and hospital destinations
  - Example: "a total of five patients were transported from the accident scene. Four were taken by ambulance to the City Hospital and one by helicopter to the County Trauma Center."

Permissible Media Disclosures
- General information about the incident location, if it cannot reasonably be used to identify an individual patient
  - Example: "we responded to an incident at the Downtown Outlet Center and transported one patient to the hospital."
  - NOT: "we responded to a residence in the 100 block of Hobart Street and transported a patient from the scene to the local hospital."

Permissible Media Disclosures
- Information about the crew and other responding agencies
  - Example: "Paramedics Smith and Wesson responded on behalf of Speedy Ambulance Service. The Awesome City Fire Department, County Sheriff's office, and other agencies also responded."

Permissible Media Disclosures
- General information about patient condition if it cannot reasonably be used to identify a patient
  - Example: "Last month we transported 300 patients; 80% were transported to an emergency room, 20% had alternative destinations."
  - Example: "Over 'Motorcycle Weekend' we transported 27 victims of motorcycle collisions; only 50% of those patients were wearing helmets."

How Soon Must You Comply?
April 20, 2005!

Comply With What? The Security Rule...
- "Security" is a grey area
- The regulation incorporates concepts of:
  - Scalability
  - Flexibility
  - Generalization
- The Rule itself reads more like a guide; hope your interpretation/implementation meets someone else's understanding of the "Rule"

Security Rule
- Applies only to electronic PHI ("e-PHI")
- e-PHI is any PHI that is created, received, maintained or transmitted in electronic form

What Can We Do About This?
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

Administrative Safeguards
- Policies and procedures, and disciplinary standards, to ensure that your personnel protect your patients' PHI
- Compliance officer
- Training

Physical Safeguards
- Security of your buildings, offices, cabinets, etc. where e-PHI is stored, as well as your computers, workstations and electronic media

Technical Safeguards
- Protections such as passwords, backups and other security features on your computers, networks, PDAs, laptops, etc.

HIPAA "In Your Face"
- Not a catch-all for protecting providers or patients
- Can make "fact finding" difficult for discipline or grievance processes
- Other privacy protections are available

Medical Information Privacy
IAFF Dominick F. Barbera EMS in the Fire Service Conference
Kurt Rumsfeld, IAFF Legal Counsel
June, 2007

Legal Disclaimer
Please note that this presentation is offered solely for informational purposes, and is not intended, nor should it be relied upon, as legal advice. An individual or affiliate in need of legal advice or assistance on any topic covered in this presentation should contact and confer with legal counsel to obtain legal advice appropriate to his or her particular situation.

Dealing with HIPAA as a Union Representative
Frank, a member of your union, is disciplined for allegedly failing to follow patient care protocol during an EMS response. Frank says he did everything "by the book" and that the "paperwork will prove it." During the grievance process, you request the company's records related to the response, but management refuses your request because the records contain protected health information under HIPAA. How do you respond?

Dealing with HIPAA as a Union Representative
- Disclosure of PHI is permitted for "resolution of internal grievances." 45 C.F.R. 164.501 (definition of "health care operations")
- Incidental disclosures do not violate the Privacy Rule "if the minimum necessary and reasonable safeguards are met." 45 C.F.R. 164.502(a)(1)(iii)
- Consider redacting information or entering into a confidentiality agreement.
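The "De-Identification" slide and the redaction advice for grievance records above both come down to the same mechanical task: strip the listed identifiers from a run record before it leaves the covered entity, and release only aggregate figures of the kind the "Permissible Media Disclosures" slides quote. The following is an added example, not code from the IAFF presentation; the field names, the regular expressions and the five sample run records are constructed for illustration (fictional patients), and the treatment of dates follows the full Safe Harbor list rather than the slide's abbreviated one.

```python
"""Safe Harbor-style de-identification of EMS run records.

Added example; not part of the IAFF presentation. The field names and the
sample records below are constructed for illustration.
"""
import re
from collections import Counter

# Fields that carry the direct identifiers the slide says must be removed.
# (45 C.F.R. 164.514(b)(2) lists 18 identifier classes in total.)
DIRECT_IDENTIFIERS = {
    "name", "address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "photo", "account_number", "license_number",
}

# Identifiers leak into free-text narratives too; scrub the common shapes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,5}\s+(?:block of\s+)?[A-Z][A-Za-z]+\s+"
                r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd)\b"), "[STREET]"),
]


def deidentify(record):
    """Return a copy of one record with direct identifier fields dropped,
    narrative text scrubbed, and the service date reduced to its year
    (date elements other than year are themselves Safe Harbor identifiers)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "date_of_service":
            out["year_of_service"] = value[:4]
            continue
        if isinstance(value, str):
            for pattern, token in FREE_TEXT_PATTERNS:
                value = pattern.sub(token, value)
        out[key] = value
    return out


def aggregate(records):
    """Summarise a batch the way the slides' permissible media statements do:
    counts and percentages only, nothing traceable to one patient."""
    n = len(records)
    by_destination = Counter(r["destination"] for r in records)
    er = sum(1 for r in records if r["destination_type"] == "ER")
    return {
        "transports": n,
        "pct_er": round(100 * er / n) if n else 0,
        "destinations": dict(by_destination),
    }


# Constructed sample records (fictional patients, fictional addresses).
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "address": "123 Hobart Street", "city": "Stuart",
     "state": "FL", "zip": "34994", "ssn": "123-45-6789", "mrn": "MRN-0001",
     "date_of_service": "2007-06-14", "destination": "City Hospital",
     "destination_type": "ER", "transport": "ambulance",
     "narrative": "Pt found at 123 Hobart Street; spouse at (555) 123-4567 gave hx. "
                  "Email on file: jroe@example.com."},
] + [
    {"name": f"Patient {i}", "address": f"{i} Main St", "city": "Stuart",
     "state": "FL", "zip": "34994", "ssn": "000-00-0000", "mrn": f"MRN-000{i}",
     "date_of_service": "2007-06-14", "destination": "City Hospital",
     "destination_type": "ER", "transport": "ambulance",
     "narrative": "Transported without incident."}
    for i in range(2, 5)
] + [
    {"name": "John Doe", "address": "9 Elm Avenue", "city": "Stuart",
     "state": "FL", "zip": "34994", "ssn": "000-00-0000", "mrn": "MRN-0005",
     "date_of_service": "2007-06-14", "destination": "County Trauma Center",
     "destination_type": "Trauma Center", "transport": "helicopter",
     "narrative": "Flown to County Trauma Center."},
]

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORDS[0]))
    print(aggregate(SAMPLE_RECORDS))
```

Dropping whole fields is the easy part; the narrative scrub is where real records fail, because crews write street names and callback numbers into free text. Regular expressions catch the common shapes but not every one, which is why the rule's safe harbor also requires that the entity have no actual knowledge the residual data identifies someone, and why a reviewer should still read the output before it goes to a reporter or a grievance file.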
Dealing with HIPAA as a Union Representative
Alleging that EMS employees have been taking excessive and unnecessary sick leave, your employer institutes a policy requiring anyone taking sick leave for more than one shift to obtain a certificate from a doctor certifying that such leave was necessary and that the employee can return to work. During negotiations, you demand documentation substantiating the employer's concerns regarding sick leave abuse. Your employer refuses your demand on grounds that, as an EMS provider, it is a "covered entity" under HIPAA, and therefore cannot release any records that contain protected health information of its employees.

Dealing with HIPAA as a Union Representative
- "Covered entities must comply with [HIPAA's Privacy Rule] in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurse's sick leave is not protected health information under this rule." 65 Fed. Reg. 82,612 (2000)
- "Employment records held by a covered entity in its role as an employer" are excluded from the definition of "protected health information." 45 C.F.R. 160.103

What laws govern your employer's decision to require employee medical exams and its handling of employee medical records?
Fasten your seat belts.

Limits on Employers' Use of Employee Medical Information
- Americans with Disabilities Act (ADA)
- Family and Medical Leave Act (FMLA)
- Title VII of the 1964 Civil Rights Act
- U.S. and State Constitutions
- State Statutory and Common Law Rights
  - Invasion of privacy
  - Defamation

Americans with Disabilities Act (ADA)
- "A covered entity shall not require a medical examination and shall not make inquiries of an employee as to whether such employee is an individual with a disability or as to the nature or severity of the disability, unless such examination or inquiry is shown to be job-related and consistent with business necessity." 42 U.S.C. 12112(d)(4)(A)

ADA (cont'd)
- "A covered entity may make inquiries into the ability of an employee to perform job-related functions." 42 U.S.C. 12112(d)(4)(B)
- Information regarding the medical condition or history of any employee must be collected and maintained on separate forms and in separate medical files and is treated as a confidential medical record. 42 U.S.C. 12112(d)(4)(C), applying 12112(d)(3)(B)
- Supervisors and managers may be informed regarding necessary restrictions on the work or duties of employees, and first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment. 42 U.S.C. 12112(d)(3)(B)

ADA – Periodic Medical Exams
- "Periodic medical examinations for public safety positions that are narrowly tailored to address specific job-related concerns and are shown to be consistent with business necessity would be permissible." Watson v. City of Miami Beach, 177 F.3d 932 (11th Cir. 1999) (quoting EEOC Compliance Manual)
- In Watson, the city required incumbent police officers to submit to TB tests because of police exposure to high-risk individuals, even where such exams required the officers to reveal their HIV/AIDS status (since this was necessary to properly diagnose and treat an individual with TB)
- The ADA also allows for "voluntary medical examinations...which are part of an employee health program available to employees." 42 U.S.C. 12112(d)(4)(B)

ADA – Fitness for Duty Exams
- An employer may require incumbent employees to obtain medical certification before returning to work after an injury or medical procedure to demonstrate the employee's ability to perform job-related functions. 29 C.F.R. 1630.14(c); Porter v. United States Alumoweld Co., 125 F.3d 243 (4th Cir. 1997)
- An employer can require a medical exam for an employee who has a record of chronic absenteeism. Yin v. California, 95 F.3d 864 (9th Cir. 1996)

ADA – Fitness for Duty Exams
- Conroy v. NY Dep't of Correctional Services, 333 F.3d 88 (2d Cir. 2003):
  - employer must show more than that the inquiry is "convenient or beneficial to its business"
  - must show "business necessity", which may include "ensuring that the workplace is safe and secure or cutting down on egregious absenteeism"
  - inquiry or examination cannot be any broader or more intrusive than necessary

ADA – Chronic Absenteeism Policies
- Transport Workers Local 100 v. NYC Transit Authority, 341 F.Supp.2d 432 (S.D.N.Y. 2004)
  - Citing sick leave abuse, employer requires all employees out sick for two or more days, and employees on a "sick leave control list", to submit a medical certificate from a doctor stating the diagnosis/objective finding as well as treatment prognosis
  - Court sustains the policy for those on the "control list" and for employees in "safety sensitive positions" (e.g. bus drivers)
  - But for all other employees, the employer may only require the employee to submit a doctor's certificate confirming the employee was incapable of performing duties and is now fit to resume duties; it may not require the doctor's description of the nature of the illness or treatment

ADA – Confidentiality of Medical Records
- Great protection in theory, not always in practice
- Doe v. US Postal Service, 317 F.3d 339 (D.C. Cir. 2003): report from employee's physician confirming that the employee had HIV (required by the employer for the employee to qualify for FMLA leave) was an "inquiry" under the ADA entitled to confidentiality
- Medlin v. Rome Strip Steel Co., 294 F.Supp.2d 279 (N.D.N.Y. 2003): contents of a functional capacity evaluation (FCE) conducted by a physical therapist and required by the employer as a condition of returning to work constitute confidential medical information under the ADA
- Yoder v. Ingersoll-Rand Co., 31 F.Supp.2d 565 (N.D. Ohio 1997): employer didn't violate the ADA by inadvertently turning over an unopened medical report showing the employee had AIDS to the employee's mother, a co-worker, because the confidentiality requirement applies only to applicant exams and "on site" medical exams; 6th Circuit affirmed

ADA – Other Limits on Scope
- The ADA exempts insurers, health maintenance organizations or other benefit plan administrators when they underwrite or classify risks. 42 U.S.C. 12201(c)
- Barnes v. Benham Group, 22 F.Supp.2d 1013 (D. Minn. 1998): employer may require employees to fill out extensive medical histories as required by plan administrators for the purpose of risk assessment or waiving coverage eligibility for a new employee health plan

Family and Medical Leave Act (FMLA)
- Provides for unpaid leave for serious medical conditions
- Allows employers to obtain medical certification of such conditions; limited to medical facts supporting the conclusion that the condition qualifies for FMLA leave, onset dates, likely duration, likely treatment and impact on work; DOL approved form: dol.gov/esa/regs/compliance/whd/fmla.
- Also allows employers to require a "simple statement" certifying ability to return to work, and to obtain a second opinion, and possibly a third, at the employer's expense. 29 C.F.R. 825.306
- Medical records must be kept separate and confidential

Non-Discrimination Laws
- Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260 (9th Cir. 1998): employer violated Title VII (sex and race discrimination) by testing blood samples taken as part of a general medical exam for pregnancy and sickle cell traits without informing employees
- Wroblewski v. Lexington Gardens, 448 A.2d 801 (Conn. 1982): employer committed sex discrimination by conducting a medical inquiry into a female applicant's "urogenital health" where no such inquiries were made of men

Constitutional Limitations
- For public sector employees, actions of employers are subject to constitutional limitations (federal and state)
- The Fourth Amendment protects against unreasonable searches, and balances the employee's privacy interest against the employer's interest in obtaining the medical information
  - Tough argument for public safety employees (see drug testing)
  - Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260 (9th Cir. 1998): employer violated the 4th Amendment and the due process clause (privacy) by testing employee blood samples for medical and genetic information related to syphilis, sickle cell and pregnancy without the employees' knowledge; "that one has consented to a general medical examination does not abolish one's privacy right not to be tested for intimate, personal matters involving one's health – nor does consenting to giving blood or urine samples, or filling out a questionnaire"
  - Also found a violation of the privacy right under the California Constitution

State Statutory Protections
- A "morass" of different statutory and regulatory schemes
- 36 states impose a general duty on physicians (and in most cases other health care providers) to maintain patient confidentiality
- Fewer states impose restrictions on employers
  - Pettus v. Cole, 57 Cal.Rptr.2d 46 (Cal.App. 1996): employer refers a stressed employee for psychological evaluation after he seeks disability leave; the doctor, retained by the employer, discloses to the employer highly personal information revealed by the employee; court finds a violation of the California Confidentiality of Medical Information Act because the disclosure exceeded the exception in the Act allowing a health care provider to disclose to an employer "functional limitations on the patient that may entitle the patient to leave from work for medical reasons or limit the patient's fitness to perform present employment, provided that no statement of medical cause is included in the information disclosed"

State Common Law Protections
- Invasion of privacy
  - Medical information is protected by the common law doctrine of privacy, but disclosure may be protected by a "qualified privilege" when shared only with those with a "need to know"
  - Davis v. Monsanto, 627 F.Supp. 418 (S.D.W.Va. 1986): no breach of privacy where a psychologist's report on an employee's suicidal tendencies was shared by the company's manager with the personnel department and the union representative; all had a legitimate interest in protecting the plant and its employees from danger
  - White v. Township of Winthrop, 116 P.3d 1034 (Wash.App. 2005): mayor breached the privacy of the town marshal by telling the press he resigned for "health reasons" related to a "seizure", insofar as the disclosure was "highly offensive" where the marshal intended to keep the reason private

State Statutory Protections (cont'd)
- S & A Plumbing v. Kimes, 756 So.2d 1037 (Fla. Dist. Ct. App. 2000): employee does not have a state constitutional privacy claim where a health care provider gave medical records to the employer and insurance carrier in conjunction with a workers' comp claim, despite the employee's lack of express consent; court cites a Florida statute that provides for exchange of such information, and the employee essentially consented when he presented himself for evaluation of the injury and assessment of whether it is attributable to his employment

State Common Law Protections
- Defamation: an erroneous medical report might be construed as a false statement of fact harmful to the employee's reputation; can apply to the physician's publication or subsequent publication by other parties
  - Physicians typically enjoy a qualified privilege to report, but this can be defeated if it is found that the physician harbored a malicious motive; if the information was recklessly disseminated, or involved a reckless disregard for the truth of the information; or if the report exceeded the scope of the privilege
  - McDermott v. Hughley, 561 A.2d 1038 (Md. 1989): psychologist exceeded the scope of the privilege by reporting to the employer that the employee was a "malingerer and a virtual pathological liar" as a result of an altercation he had with the employee; the purpose of the report was supposed to be limited to whether the employee could perform a particular job assignment

IAFF Resources
- IAFF Fire & EMS Operations Department
- IAFF Health and Safety Department
- IAFF Legal Department
  - Your local president can request guidance by a request submitted through your District Vice President