Ems.documentation.2010.final

Editor's Notes

• #2: In Documenting procedures, OEMS& T has received 17 “not known” and 75 “not available” In documenting EMS runs by gender, OEMS&T has received 134 “not known” and 190 “not available” Either some people either don’t know what procedure they’re doing or what gender their pt. is of they are not documenting it correctly. We’re going to look at some of the “correct” things to do.
• #3: Basic using profanity on the scene and being ETOH (alcohol impaired).(Ya think?) Basic exceeding scope of license -performing ALS procedures and falsifying PCR EMT manufacturing Crystal Meth. w/o docs. EMT starting IV on co-worker – both dehydrated from ETOH. No medical control or PCR EMT self administered medication without medical control or documentation of a PCR.
• #4: EMT-Basic did not allow EMT-Paramedic to enter the residence to deliver a baby after mother called 911 Reason: The EMT -Basic was the father of the baby and the EMT-Paramedic was the ex husband
• #5: See Rule No. 1
• #6: If it ain’t wrote down . . . it didn’t happen! The way it is wrote down is the way it happened regardless of the way it happened
• #7: Substantiates proof of services, so you ca bill. Provides continuity of care Documentation must be objective facts, not opinions
• #8: Pt. was assessed Medical care was rendered Pt. was transported and to where Pt. pronounced DOS Pt. Transferred to another facility Pt. transferred to another licensed service Pt. refused transport
• #9: Pt.s’ problem presented Vital signs w/time Treatment and time ECG strip, if monitored Δ Condition Online Medical contact Any deviation from protocol
• #10: Name Reason Vitals Other physical symptoms Competency of pt. in your judgment Level of consciousness Witnesses
• #11: Accurate and complete PCR as req’d by EMS&T Rules must be provided to the receiving facility upon delivery of pt. or ASAP but not more than 24 hrs. post delivery PCRs must be: NEMSIS compliant; meets reimbursement standards; Complies with agency policies; court defendable Run report must be submitted to EMS&T w/in 168 hrs. According to the terms of the American Recovery and Reinvestment Act (ARRA, PL. 111-5,)(February, 2009) a part of the Stimulus Package , all medical records must be electronic form by 2013. There is or may be Stimulus money which your agency may be able to get to invest in necessary software and hardware. Thus, you need to be planning now for how you are going to do all electronic records by 2013. That means you will give the PCR in electronic form not only to the State but to the ED in electronic form. You need to be working with the hospital on how you can develop a system that will interface. PCR should be submitted for billing to Insurance Company/Medicare/Medicaid ASAP Note: What is submitted to 3rd party payor must match what is actually documented and sent to facility and OEMS&Tor else, see next 2 slides
• #12: A New Jersey Slash – Tarquino v. City of Jersey City, et al. (Police, Fire and EMTs personally)* EMTs brought in pt. to ED Pt. died of epidural hematoma after discharge EMTs failed to note “pt. had vomited” on “run sheet” or to inform ED of same Held: Immunity does not lie for improper filling out forms or leaving out critical information *800 A 2d 255 (2002)
• #13: 31 USC §§ 3729-3733 Knowingly presenting a false claim for payment to a government agency, IE., fraudulent billing of Medicare or Medicaid fraudulently Enacted after Civil War a spate of frauds Amended in 1986 and 1988 to cut Federal deficit Provides for “whistleblower” to “rat out” someone and receive a “cut” (15-25%) usually health care Since 1987, feds collected ± $22 Billion from the false claimant business or individuals
• #16: Improvements in health care and community health require responsible sharing of some PHI In the absence of privacy protections, patients and others may avoid some clinical, public health and research interventions to their detriment Individual privacy protections must be balanced with legitimate community uses of PHI, i.e., health research and public health
• #17: All patient information is strictly confidential. Some Bad Scenarios. Bad scenarios equal bad liability. Conditions for release of information Prior written consent of patient, parent/guardian Subpoena in accordance with departmental policy Otherwise provided by law
• #18: Conditions for release of information Prior written consent of patient, parent/guardian. Subpoena in accordance with departmental policy Otherwise provided by law
• #19: Transfer information to physicians, health professionals with contract or other provider arrangements to provide care Some practitioners require consents to transfer out of abundance of caution
• #20: A Valid authorization contains: Description of the info to be released Name or description of info receiver Name of patient Description if the use of the info Expiration date or continuous Right of revocation by pt. Notice of possible re-disclosures Signature of pt or representative
• #21: If a minor is legally qualified to consent for services and in fact signs the “consent for treatment”, only the minor can sign to release the medical information regarding those services. If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent for the release of medical records.
• #22: Alabama statue provides that all information, including medical records, pertaining to a child must be equally available to both parents in all types of custody arrangements unless otherwise ordered by a court of law. Code of Ala, § 30-3-154 If the parent or guardian gave consent for medical services, then the parent or guardian of the minor is generally entitled to his or her child’s medical record. This information would also be available to the other parent. If the child gave consent for services, neither parent may have access to the records without that child’s consent.
• #23: Criminal § 13A-11-35 “Divulging illegally obtained information” Civil actions (lawsuits v. the EMT and Co.) Suits for invasion of privacy Outrage - willful and wanton misconduct Breach of implied contract Administrative Loss of license of EMT or the service , or of job Or you can come argue with Denis Blair
• #24: HIPAA as amended by HITEC, a part of AARA, in the Stimulus package of 2009
• #25: (E)PHI – (Electronic) Protected Health Information Privacy – Individual’s right to control the acquisition, use and disclosure of identifiable PHI Confidentiality – Privacy interests hat arise from specific relationships e.g., doctor/patient, EMT/patient, researcher/subject and corresponding legal and ethical duties Security – Technological or administrative safeguards or tools to protect PHI from unwarranted access, use, or disclosure
• #26: How is PHI covered under HIPAA? Boundaries Setting limits on uses and disclosures Fair information practices Allowing individuals some level of access to their health data Accountability Making covered entities accountable for handling and abuses
• #27: Uses or disclosures of PHI require either Written authorization or Individual opportunities to object Covered Entities (CEs) may use or disclose PHI without individual’s informed consent for exceptions specified in rule
• #28: HIPPA and the Basis for Health Information Privacy Protections HIPPA seeks to increase individual access to health insurance by Reducing individual health insurance costs Lowering administrative claims costs Efficiently transmitting electronic data under enhanced health information privacy protections that encourage people to seek health care
• #29: HIPPA is the first national set of standards for protecting health information privacy The HIPPA Privacy Rule is one of the regulations that implements HIPPA. The Privacy Rule regulates the use and disclosure of protected health information by covered entities
• #30: What is covered? “Protected Health Information” (PHI): Individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally 45 C.F.R. §160.103
• #31: You can use protected health information (PHI) without the patient’s authorization for: Treatment - provision, coordination or management of health care and related services Payment - includes the various activities of health care providers to obtain payment or be reimbursed for their services Operations – administrative, financial, legal, and quality improvement activities that are necessary to support the core functions of treatment and payment Where required by law
• #32: Who is covered? Health care providers that conduct certain electronic transactions, i.e.. billing or hybrid entities (like ADPH) Health care plans – i.e.., insurance companies Health care clearinghouses 45 C.F.R. §160.103
• #33: Business associates of CEs are bound by contract with the CE and new amendments to follow the same level of protection in the privacy rule and include: Claims or data processors; billing companies; Quality assurance providers; lawyers; Utilization reviewers; accountants and Financial service providers 45 C.F.R. §160.103
• #34: Business Associates of Covered Entities must now adhere to the Security Rule like covered entities They must establish administrative, physical, and technical safeguards for Protected Health Information (PHI) They must have their own policies and procedures to comply with the safeguards Business Associates now have an affirmative duty to ensure they are only using or disclosing PHI in accordance with HIPAA
• #35: Business Associates now have an affirmative duty to ensure they are only using or disclosing PHI in accordance with HIPAA “Rat Fink Provision” - Business Associates can now violate HIPAA if they know of a pattern of activity or practice by the covered entity that would constitute a violation and do not report this to HHS BAs are now liable for the same types of penalties and criminal sanctions as covered entities for HIPAA violations
• #36: Entities not covered: Life insurance companies Auto insurance companies Workers’ compensation carriers Employers Others who acquire, use, and disclose vast quantities of health data, However, PHI cannot be bought and sold.
• #37: PHI does not include Education records covered by FERPA Employment records held by a covered entity in its role as employer Non-identifiable health information 45 C.F.R. 160.103
• #38: HIPAA -What it Doesn’t Do State laws stay in force Only limited encryption of communications No requirement of major facility restructuring Incidental disclosures not totally eliminated Reporting not changed Relationships not changed
• #39: The “Minimum Necessary Rule” When using or disclosing PHI, a covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Under HITEC, HHS is supposed to promulgate guidance on what they think the “minimum necessary” is – I can’t wait.
• #40: Outside the “need to know” never reveal a patient’s name, what he said, unusual behaviors or conditions or lifestyle Don’t even discuss patients with co-workers outside the need to know Never discuss patients outside the workplace unless authorized
• #41: Permitted disclosures” Disclosure of PHI to “public officials” to lessen the effects of the emergency To law enforcement for their necessary activities. We’ll see more later To national security and intelligence agencies To Public Health authorities To judicial authorities To Researchers To DHR for limited purposes Whatever we disclose, Covered Entities and their Business Associates should not use or disclose PHI beyond what is reasonably necessary for the purpose of the use or disclosure
• #42: The law enforcement purposes for which PHI may be released without authorization are: Pursuant to process and as otherwise required by law. 45 CFR §164.512(f)(1) For identification and location purposes (limited information only). 45 CFR §164.512(f)(2) In response to request for such information about an individual who is or is suspected to be a victim of a crime. 45 CFR §164.512(f)(3) For purpose of alerting law enforcement official about a suspicious death. 45 CFR §164.512(f)(4) For purpose of reporting evidence of criminal conduct occurring on premises of covered entity. 45 CFR §164.512(f)(5). An provider who is providing care in response to a medical emergency my alert law enforcement regarding information pertaining to crime. 45 CFR §164.512(f) (1) May use or disclose PHI if the use or disclosure: (i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or Is necessary for law enforcement authorities to identify or apprehend an individual
• #43: The law enforcement purposes for which PHI may be released without authorization are: Pursuant to process and as otherwise required by law. 45 CFR §164.512(f)(1) To alert about a suspicious death When criminal conduct occurs on premises In emergency setting, to alert regarding information pertaining to crime Different situation: Where LE brings a prisoner to you, CE is permitted to disclose all info to LE or prison authority
• #44: CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities. If it is national security, we disclose any information they need. It is not subject to the law enforcement limitations.
• #45: Disclosures to Public Health The public health exception allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and … controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”
• #46: Alabama requires reporting of communicable diseases and conditions Code § 22-11A-2 Alabama requires EMTS to make run reports containing PHI – AAC Rule 420-2-1-.24 The Privacy Rule does not pre-empt these laws provided that the law or rule “provides for the reporting of disease or injury . . . Or for the conduct of public health surveillance . . . 45 CFR 160.203(c)
• #47: EMS has a duty to report cases or suspected cases of elder or child abuse or domestic violence. Examples of specific public health-based exceptions include disclosures About victims of abuse, neglect, or domestic violence To prevent serious threats to persons or the public. CE may disclose as much PHI as necessary
• #48: Death ≠ loss of privacy Information on decedents may be released to Law enforcement Transporting emergency medical personnel Coroners and their personnel Mortuary personnel Bureau of Health Statistics But, just because they are dead does not remove the general protection of the record.
• #49: Object - Protect the confidentiality, integrity, & availability of Electronic PHI (EPHI) when it is stored, maintained, or transmitted” The rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual, 4) payment records. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
• #50: Patients may ask for a listing of disclosures we have made of their PHI for up to six (6) years prior to the request (not including disclosures made prior to April 14, 2003). The following disclosures are NOT required to be accounted for: Treatment, Payment, Healthcare Operations (TPO) Disclosures authorized by the patient or authorized representative Disclosures to the patient or persons involved with their care
• #51: Other disclosures which are not required to be accounted for: National security or intelligence purposes Correctional institutions or law enforcement officials having lawful custody of an inmate Incidental disclosures Limited Data Sets used for research purposes An accounting is required for disclosures of which the patient may not be aware, e.g., those which are required by law (such as abuse or communicable diseases) or accidental disclosures. Accidental disclosures should also be reported to your Privacy Officer. If we have it in electronic form, we may be required to give it in electronic form. If we have it in electronic form, we may be required to give it in electronic form.
• #52: The HIPAA Log is a single file which relates to pt. files. It is kept with medical records. You should document the following “non-routine” disclosures. The information that must be documented for each disclosure is: the date of the disclosure; the name of the entity or person who received the PHI and, if known, the address and contact information; a brief description of the PHI disclosed (e.g., records for visit on June 7, 2003, all radiology reports related to broken wrist, etc.); and a brief statement of the purpose of the disclosure that reasonably informs the patient of the basis for the disclosure.
• #53: Required Logged Items Unauthorized releases on the AIR Form Releases required by law Releases based upon subpoena Releases to law enforcement for ID Requests to limit releases Requests to amend or correct PHI Requests by the patient for accounting Reports about victims of abuse, neglect, or domestic violence
• #54: made to carry out treatment, payment, or healthcare operations; made to the patient; made pursuant to a valid and effective authorization (one that complies with the requirements of state law as well as with the HIPAA Privacy Regulations) signed by the patient made to persons involved in the patient's care or other notification and location purposes; to federal officials for national security or intelligence purposes; to a correctional institution or law enforcement official that has custody of a patient; that are part of a limited data set; and to a health oversight or law enforcement official
• #55: When complaints or notice of breaches are received by privacy officer, the agency has a duty to: Investigate - Mitigate, Resolve, Respond, Document activities relating to the investigation, mitigation and response in HIPAA Log. Notification – we might have to notify the patient that his or her information has been compromised. Reporting - No report to HHS is required, though the process is subject to compliance audit. Remediation -The agency’s response may require amendment of privacy policies and procedures. Discipline - Response may require employee sanctions for employee breaches. HHS will look on an audit to see if this was followed up. See 45 CFR § 164.530(e-g). ADPH defines this in Policy 03-03. Criminal Penalties - A person’s knowing use or disclosure of PHI in violation of HIPAA may result in criminal penalties of up to $50,000 in fines and one year in prison. Uses or disclosures made under false pretenses may result in criminal penalties of up to $100,000 in fines and 5 years in prison. HIPAA Privacy Rule violations committed with intent to sell, transfer or use PHI for commercial or personal gain or malicious harm are punishable by a fine not to exceed $250,000 and/or 10 years in prison. A recent case in the Northwest has a hospital employee in big trouble. Civil Causes of Action - Does a violation of the HIPAA Privacy Rule create a civil cause of action? Yes. a failure to follow HIPAA privacy procedures may become the “standard of care” in common law breach of privacy actions under state law
• #57: Avoid inappropriate behaviors Participate in QA/QI and Con-Ed programs Know and follow policies , protocols, procedures, laws and regulations Strictly adhere to training protocols Strictly follow instructions of medical direction and superiors Document, document, document.