Fire Law: HIPAA Update: 7 Points Fire Departments and EMS Providers Must Know

Dec. 14, 2023
Curt Varone gives fire departments and EMS providers what they need to know in the wake of the Department of Health and Human Services' revisions on HIPAA compliance.

Medical records are a prime target of cyber thieves, fetching quadruple the price of Social Security numbers on the dark web. As a result, the U.S. Department of Health and Human Services (HHS) has been strengthening compliance requirements under the Health Insurance Portability and Accountability Act (HIPAA) through new regulations and enhanced cybersecurity standards. The consequence for fire and EMS providers is that HIPAA compliance has become more complicated than ever.


Keys to compliance
HIPAA-covered entities must comply with three regulatory subparts, aptly named the Security Rule, the Breach Notification Rule and the Privacy Rule. Each of these rules warrants its own training program. However, here are seven points that fire and EMS providers must consider.

  1. Covered entity. HIPAA and its accompanying regulations apply to fire and EMS organizations that “transmit any health information in electronic form in connection with a transaction for which HHS has adopted a standard.” The term “transaction” refers to “an electronic exchange of information between two parties to carry out financial or administrative activities related to health care.” In firefighter-friendly lingo, we’re talking about agencies that bill electronically for providing medical care.
  2. Risk assessments. The Security Rule requires covered entities to perform a risk assessment to determine where protected health information (PHI) may exist and what steps are necessary to protect it. Risk assessments often lead entities to recognize that PHI exists in places that they hadn’t considered, such as the memory that’s built into photocopiers, National Fire Incident Reporting System (NFIRS) fire reports, medical monitoring equipment and the devices that are used to take mechanism-of-injury photos. For each risk that is identified, the covered entity must develop a risk-management solution to protect the PHI. One unavoidable solution is training personnel on HIPAA compliance. The risk assessment must be repeated periodically; most experts recommend at least annually and whenever a significant change occurs, such as moving to a new patient care report system.
  3. Unencrypted devices. HIPAA does not flatly require PHI to be stored only on encrypted devices (encryption is an “addressable” specification under the Security Rule), but failing to encrypt is an unnecessary risk. The loss or theft of, or unauthorized access to, an unencrypted device that holds PHI, such as a laptop, a tablet computer or a USB drive, is presumed to be a breach under the Breach Notification Rule unless a documented risk assessment shows a low probability that the PHI was compromised. Notifications must go to the individuals whose PHI was on the device and to HHS; if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Large penalties can follow. By contrast, PHI that is encrypted in a manner consistent with HHS guidance is not “unsecured” PHI, so the loss of a properly encrypted device whose decryption key was not also lost is not a reportable breach. This nightmare can be avoided easily by turning on full-disk encryption on every device that may hold PHI, verifying that it actually is enabled, and keeping recovery keys off the device.
  4. Video ride-alongs that capture PHI. In 2018, the HHS Office for Civil Rights reached settlements totaling nearly $1 million with three Boston-area hospitals that participated in an ABC TV show, “Boston Med.” The hospitals allowed patients to be filmed without first obtaining their written authorization. This precedent raises grave concerns about reporters and others who film on fire and EMS ride-alongs. Just to be clear, the First Amendment prohibits us from stopping reporters or citizens from filming us doing our job in public places. However, allowing anyone to accompany us into non-public places and capture PHI could result in a HIPAA violation.
  5. Security incident plan. The Security Rule requires covered entities to have procedures for identifying, responding to, documenting and mitigating security incidents that reasonably can be anticipated. Ransomware is a good example. If a field medic notices a ransomware message on a tablet that’s used for patient care reports (PCRs), the agency’s plan should tell the medic to isolate the device (disconnect it from Wi-Fi and cellular data rather than wiping it, so evidence is preserved) and to notify designated IT or security personnel who are capable of handling the incident. Keep in mind that HHS treats ransomware that encrypts PHI as a presumed breach unless the agency can show a low probability that the PHI was compromised, so the plan also must cover the Breach Notification Rule analysis. Not having a security incident plan that establishes a procedure for reasonably expected problems, such as a ransomware attack, is itself a HIPAA violation.
  6. Business associate agreements. HIPAA requires covered entities to have written business associate agreements (BAAs) with third parties that create, receive, maintain or transmit PHI on the entity’s behalf. Some of the more common third parties with which fire departments and EMS providers share information are cloud-based PCR providers and EMS billing services. However, when one thinks this through a bit more deeply, computer technicians, medical equipment repair firms and NFIRS software providers also may have access to PHI and need a BAA.
  7. 405(d) Program. HHS runs a public-private effort, the 405(d) Program (named for Section 405(d) of the Cybersecurity Act of 2015), in which health care organizations, technical experts, technology providers and HHS develop consensus cybersecurity practices for the sector, published as the Health Industry Cybersecurity Practices (HICP). These practices are voluntary, but a 2021 amendment to the HITECH Act directs HHS to take into account whether an entity had recognized security practices, such as HICP, in place for the previous 12 months when it sets penalties and conducts audits. Fire departments and EMS providers must be at the 405(d) table to ensure that their concerns and needs are addressed fully.


Be aware
Although firefighters and EMS personnel tend to think of HIPAA as a concern about the inappropriate sharing of PHI, the true focus of HIPAA today is squarely on cybersecurity. Covered entities need to ensure that they are compliant with all three rules: the Security Rule, the Breach Notification Rule and the Privacy Rule.
