Do you remember HIPAA? HIPAA is the Health Insurance Portability and Accountability Act of 1996.
Remember 1996? Bill Clinton was President of the United States, Don Shula retired as the Miami Dolphins head coach, we got socked with a huge blizzard in the eastern United States, and Dolly the sheep was the first mammal to be successfully cloned from an adult cell.
Somewhere in between all of these events, new legislation was passed by Congress to meet three goals: protect health insurance coverage for workers and their families when changing jobs, require that personal or Protected Health Information (PHI) only be released with the appropriate signature authorization from a patient or a patient representative, and encourage, secure and protect the electronic exchange of health data by standardizing how this data is digitally exchanged.
17 Years Later
Fast forward to 2013. HIPAA is alive and well.
In fact, HIPAA has evolved with a new set of updated rules coming into play for the days ahead.
Most of us in the ambulance industry, as well as the ambulance billing industry, had no clue about the headaches this legislation would produce for all of us when these sweeping changes were first announced.
Like most Federal mandates, HIPAA has taken on a life of its own.
As we interact with ambulance services all across the country, we still find many EMS administrators and providers who have at least forgotten, or have chosen to conveniently forget, that we must all comply with HIPAA rules. In some cases, we find pockets of ambulance providers who were never properly trained or who have received no guidance from those in their network, such as EMS consultants, municipal leaders and billing companies (other billing companies, not Enhanced), about what they must comply with and how.
Whether the failure to comply is willful or not, the penalties for not complying with the rules are expensive and, quite frankly, embarrassing.
To Comply, Take These Simple Steps
Most ambulance companies can take a few quick steps to be in compliance with the meat of the rules. These steps are:
Any ambulance provider who works for you in just about any capacity in which they will be exposed to PHI should have completed a simple HIPAA training overview. There are many HIPAA videos and training packages available out there (we really like the package available from our friends at the EMS law firm Page, Wolfberg and Wirth at www.pwwemslaw.com).
All new hires should receive some type of training. Be sure you have them sign off on a roster that can be consulted for future reference as proof of completion of the course. Online training from several sources is also available.
All patients must be presented with a HIPAA Notice of Privacy Practices. This written document must be posted on an ambulance company’s website and physically presented to each patient you come into contact with. The document informs the patient how your service (and you) can utilize the information you collect and explains how you must adhere to certain standards when sharing information either willfully or accidentally.
If a patient’s PHI is collected by your organization and stored in documents, written or electronic, that are prepared as a result of the treatment and transport provided, then the patient must be provided with a copy of your company’s NPP, and the patient must sign a statement verifying they have been provided with the NPP.
The signature portion is simple and can be combined (if done so properly) with the signature authorization you obtain from the patient or patient representative for billing purposes.
We find ambulance companies that developed an NPP back in the day, but then dropped the ball in presenting it to patients in the field. We find new administrators that didn’t realize that a HIPAA NPP must be presented, and they are often shocked when we advise them that they are not in compliance with the rules.
Ignorance is not bliss. Know the rules and comply, now!
Electronic Data Interchange and Protection
HIPAA mandated that insurance companies, and anyone who interacts with insurance companies electronically, take steps to protect persons’ PHI against misuse, fraud and abuse. Electronic insurance claims submitted by your billing office or outsourcing contractor must be sent electronically in an approved and encrypted format. PHI cannot be emailed or even texted in an unsecured manner, and if that data is “hacked” and compromised, the hacked entity must report the breach of information or face fines and penalties for not doing so.
We suggest that your ambulance service consult a reputable IT contractor or use a knowledgeable in-house IT manager to ensure that all the appropriate data protection elements are in place. Of course, simple things like password protection measures and other easy steps can be put into place without too much cost or pain to the ambulance company.
What Happens in the Ambulance Stays in the Ambulance (or the Station)
Controlling one’s tongue may be the biggest move that any ambulance provider can take to protect PHI and comply with HIPAA guidelines.
Providers must be put on notice that it is not acceptable to share intimate details about completed ambulance runs in open public settings. This is just common sense, but when pressured by a friend or family member to disclose gory details of your last ambulance scenario, be sure to think twice.
In addition, guidelines must be put in place to guard against releasing information in response to phone inquiries, even when pressed to do so, without the proper legal inquiries being issued by the requester.
HIPAA is Here to Stay!
HIPAA is here to stay. It’s actually stronger and carries more weight than it did back in 1996.
Now is the time to reassess your organization’s compliance and readiness by taking all the above-mentioned steps. For some reason, we in EMS, because of the fluid nature and seeming indispensability of the services we offer to the community, feel we have earned a “get out of jail free” card on the subject and wrongly conjecture that we will not be sanctioned for non-compliance.
That is a dangerous assumption and not at all accurate!
Use Enhanced as a Starting Point
Is this HIPAA stuff new to you? Are you having a tough time knowing where to begin to be compliant?
Enhanced Management Services works together with our clients to provide guidance, and we network with industry professionals that specialize in HIPAA compliance to assist our clients in their quest to be HIPAA compliant.
Our billing software contains all the latest tracking mechanisms and HIPAA encryption measures mandated by the Federal Government. We can even provide your service with templates for a correctly worded HIPAA NPP document and help you to obtain a patient signature form detailing the presentation of the NPP to the patients you serve.
If we don’t have the resource you need directly available, we’ll help you make connections with the correct vendor to make it easier for your service to get back on a compliance track.
Readers representing ambulance companies who are interested in learning more about the features and benefits of working with Enhanced, including the networking connections for HIPAA compliance, can contact Enhanced Business Development Manager Chuck Humphrey for more information. You can reach Chuck via e-mail at firstname.lastname@example.org or by picking up the phone to call toll-free (800) 369-7544.
Current Enhanced clients may contact Client Services at email@example.com to connect with your representative who can help you with your needs.