To provide guidance to management and staff concerning the privacy of medical records which involve staff members of Nodaway County Ambulance District .

Nodaway County Ambulance District will, to the extent required by law, protect medical records it receives about employees or other staff in a confidential manner. Generally, only those with a need to know the information will have access to it, and, even then, will only have access to as much information as is minimally necessary for the legitimate use of the medical records.

In accordance with laws concerning disability discrimination, all medical records of staff will be kept in separate files apart from the employee’s general employment file. These records will be secured with limited access by management.

In accordance with the Privacy Rule of HIPAA, medical records that are not considered employment records will be treated in accordance with the safeguards of the Privacy Rule with respect to their use and disclosure.

Employment records are not considered to be protected health information, or PHI, subject to HIPAA safeguards, including certain medical records of employees that are related to the job. These employment records not covered under HIPAA include, but are not limited to: information obtained to determine my suitability to perform the job duties (such as physical examination reports), drug and alcohol tests obtained in the course of employment, doctor’s excuses provided in accordance with the attendance policy, work-related injury and occupational exposure reports, and medical and laboratory reports related to such injuries or exposures, especially to the extent necessary to determine workers’ compensation coverage.

Nonetheless, despite the fact that such records are not considered HIPAA protected, Nodaway County Ambulance District will limit the use and disclosure of these records to only those with a need to have access to them, such as certain management staff, the District’s designated physician, and state agencies pursuant to state law.

With respect to staff members of Nodaway County Ambulance District , only health information that is obtained about staff in the course of providing ambulance or other medical services directly to them is considered PHI under HIPAA. In other words, if Nodaway County Ambulance District provides ambulance service to an employee, the protections typically given to such information of our ambulance service patients applies to the employee. These protections are subject to HIPAA exceptions, such as in the situation in which the staff member who used Nodaway County Ambulance District was involved in a work-related injury while on duty.

As another example, if we receive a staff member's medical record in the course of providing the employee with treatment and/or transport, it does not matter that Nodaway County Ambulance District happens to be the employer – that record is PHI. If, however, the employee submits a doctor's statement to a supervisor to document an absence or tardiness from work, Nodaway County Ambulance District does not need to treat that statement as PHI. Other health information that could be treated as employment related, and not PHI, includes medical information that is needed for Nodaway County Ambulance District to carry out its obligations under the FMLA, ADA and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, drug screening results, workplace medical surveillance, and fitness-for-duty-tests of employees.

If you have any questions about how medical information about you is used and disclosed by Nodaway County Ambulance District , please contact our Privacy Officer.

To outline levels of access to Protected Health Information (PHI) for various staff members of Nodaway County Ambulance District, and to provide a policy and procedure on limiting access, disclosure, and use of PHI. To provide policies outlining patient rights and Nodaway County Ambulance District ’s responsibilities in fulfilling patient requests. Security of PHI is everyone’s responsibility.

Nodaway County Ambulance District retains strict requirements on the security, access, disclosure and use of PHI. Access, disclosure and use of PHI will be based on the role of the individual staff member in the organization, and should be only to the extent that the person needs access to PHI to complete necessary job functions.

When PHI is accessed, disclosed and used, the individuals involved will make every effort, except in patient care situations, to only access, disclose and use PHI to the extent that only the minimum necessary information is used to accomplish the intended purpose.

Patients may exercise their rights to access, amend, restrict, and request an accounting, as well as lodge a complaint with either Nodaway County Ambulance District or the Secretary of the Department of Health and Human Services.

Access to PHI will be limited to those who need access to PHI to carry out their duties. The following describes the specific categories or types of PHI to which such persons need access is defined and the conditions, as appropriate, that would apply to such access.

Access to PHI is limited to the above-identified persons only, and to the identified PHI only, based on the District’s reasonable determination of the persons or classes of persons who require PHI, and the nature of the health information they require, consistent with their job responsibilities.

Access to a patient’s entire file will not be allowed except when expressly permitted by District policy or approved by the Privacy Officer.

You are not required to limit your disclosure to the minimum amount of information necessary when disclosing PHI to other health care providers for treatment of the patient. This includes doctors, nurses, etc. at the receiving hospital, any mutual aid provider, your fellow crewmembers involved in the call, and any other person involved in the treatment of the patient who has a need to know that patient’s PHI. In addition, disclosures authorized by the patient are exempt from the minimum necessary requirements unless the authorization to disclose PHI is requested by the District.

Authorizations received directly from third parties, such as Medicare, or other insurance companies, which direct you to release PHI to those entities, are not subject to the minimum necessary standards.

For example, if we have a patient’s authorization to disclose PHI to Medicare, Medicaid or another health insurance plan for claim determination purposes, the District is permitted to disclose the PHI requested without making any minimum necessary determination.

For all other uses and disclosures of PHI, the minimum necessary rule is likely to apply. A good example of when the minimum necessary rule applies is when your District conducts quality assurance activities. In most situations it is not necessary to disclose certain patient information such as the patient’s name, address, social security number, all PHI of the treated patient, in order to conduct a call review. This sensitive information should be redacted or blacked out from the PCR being used as a Q/A example.

District Requests for PHI

If the District needs to request PHI from another health care provider on a routine or recurring basis, we must limit our requests to only the reasonably necessary information needed for the intended purpose, as described below. For requests not covered below, you must make this determination individually for each request and you should consult your supervisor for guidance. For example, if the request in non-recurring or non-routine, like making a request for documents via a subpoena, we must review the request to make sure it covers only the minimum necessary PHI to accomplish the purpose of the request.

For all other requests, determine what information is reasonably necessary for each on an individual basis.

The District understands that there will be times when there are incidental disclosures about PHI in the context of caring for a patient. The privacy laws were not intended to impede common health care practices that are essential in providing health care to the individual. Incidental disclosures are inevitable, but these will typically occur in radio or face-to-face conversation between health care providers, or when patient care information in written or computer form is left out in the open for others to access or see.

The fundamental principle is that all staff needs to be sensitive about the importance of maintaining the confidence and security of all material we create or use that contains patient care information. Coworkers and other staff members should not have access to information that is not necessary for the staff member to complete his or her job. For example, it is generally not appropriate for field personnel to have access to billing records of the patient.

However, all personnel must be sensitive to avoiding incidental disclosures to other health care providers and others who do not have a need to know the information. Pay attention to who is within earshot when you make verbal statements about a patient’s health information, and follow some of these common sense procedures for avoiding accidental or inadvertent disclosures:

Waiting or Public Areas: If patients are in waiting areas to discuss the service provided to them or to have billing questions answered, make sure that there are no other persons in the waiting area, or if so, bring the patient into a screened area before engaging in discussion.

Garage Areas: Staff members should be sensitive to that fact that members of the public and other agencies may be present in the garage and other easily accessible areas. Conversations about patients and their health care should not take place in areas where those without a need to know are present.

Other Areas: Staff members should only discuss patient care information with those who are involved in the care of the patient, regardless of your physical location. You should be sensitive to your level of voice and to the fact that others may be in the area when you are speaking. This approach is not meant to impede anyone’s ability to speak with other health care providers freely when engaged in the care of the patient. When it comes to treatment of the patient, you should be free to discuss all aspects of the patient’s medical condition, treatment provided, and any of their health information you may have in your possession with others involved in the care of the patient.

Patient Care and Other Patient or Billing Records: Patient care reports should be stored in safe and secure areas. When any paper records concerning a patient are completed, they should not be left in open bins or on desktops or other surfaces. Only those with a need to have the information for the completion of their job duties should have access to any paper records.

Billing records, including all notes, remittance advices, charge slips or claim forms should not be left out in the open and should be stored in files or boxes that are secure and in an area with access limited to those who need access to the information for the completion of their job duties.

The District takes its responsibility to safeguard patient information very seriously. There are significant legal penalties against companies and individuals that do not adhere to the laws that protect patient privacy.

Staff members who do not follow our policies on patient privacy will be subject to disciplinary action, up to and including verbal and written warnings, suspension and/or termination from the organization. The District shall make every effort to provide remedial education and training as to our policies and procedures when there is a first time violation of our policies.

The District has appointed a Privacy Officer (LaRee Lager) to oversee our policies and procedures on patient privacy and to monitor compliance. The Privacy Officer is also available to you for consultation on any issues or concerns you have about how our District deals with protected health information. You should feel free to contact the Privacy Officer at any time with your questions or concerns.

The District will not retaliate against any staff member who expresses a good concern or complaint about any policy or practice related to the safeguarding of patient information and the District’s legal obligations to protect patient privacy.

To ensure that all patients treated by Nodaway County Ambulance District are apprised of their rights with regard to PHI and that Nodaway County Ambulance District provides the necessary tools to facilitate patient requests.

Nodaway County Ambulance District field providers will furnish a copy of Nodaway County Ambulance District ’s NPP to the patient at or prior to treatment in non-emergency situations and as circumstances permit after treatment in an emergency. In non-emergency situations only, field personnel should attempt to get a signed acknowledgement from patient or note why a signature was not obtained.

1. Provide a copy of the NPP to the patient.
2. Indicate on your trip sheet that a copy has/has not been given to the patient, family member or with hospital staff.
3. Have the patient sign an Authorization/Acknowledgement form.
4. An authorized personal representative of the patient may sign on the patient’s behalf.
5. If no signature can be obtained, please explain reason.

1. Provide a copy of the NPP to the patient.
2. Indicate on your trip sheet that a copy has/has not been given to the patient, family member or with hospital staff.
3. You do not need the patient to acknowledge receipt of NPP.
4. Be sure you obtain any other necessary signatures if possible.
5. If unable to obtain patient’s signature, please provide reason.

1. Provide a copy of the NPP to the patient.
2. Indicate on your trip sheet that a copy has/has not been given to the patient, family member or with hospital staff.
3. Have the patient sign the Refusal form.

 

Only information contained in the Designated Record Set (DRS) outlined in this policy is to be provided to patients who request access, amendment and restriction on the use of their PHI in accordance with the Privacy Rule and the Privacy Practices of Nodaway County Ambulance District .

1. Upon presentation to the business office, the patient or appropriate representative will complete a Request for Access Form.
2. The District employee must verify the patient’s identity, and if the requestor is not the patient, the name of the individual and reason that the request is being made by this individual. The use of a driver’s license, social security card, or other form of government-issued identification is acceptable for this purpose.
3. The completed form will be presented to the Privacy Officer for action.
4. The Privacy Officer will act upon the request within 30 days, preferably sooner. Generally, the District must respond to requests for access to PHI within 30 days of receipt of the access request, unless the designated record set is not maintained on site, in which case the response period may be extended to 60 days.
5. If Nodaway County Ambulance District is unable to respond to the request within these time frames, the requestor must be given a written notice no later than the initial due date for a response, explaining why Nodaway County Ambulance District could not respond within the time frame and in that case Nodaway County Ambulance District may extend the response time by an additional 30 days.
6. Upon approval of access, the patient will have the right to access the PHI contained in the DRS outlined below and may make a copy of the PHI contained in the DRS upon verbal or written request.
7. The business office will establish a reasonable charge for copying PHI for the patient or appropriate representative.
8. Patient access may be denied for the reasons listed below, and in some cases the denial of access may be appealed to Nodaway County Ambulance District for review.
9. The following are reasons to deny access to PHI that are not subject to review and are final and may not be appealed by the patient:

a. If the information the patient requested was compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding;

b. If the information the patient requested was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

10. The following reasons to deny access to PHI are subject to review and the patient may appeal the denial:

c. If a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;

d. If the protected health information makes reference to another person (other than a health care provider) and a licensed health professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to that person;

e. If the request for access is made by a requestor as a personal representative of the individual about whom the requestor is requesting the information, and a licensed health professional has determined, in the exercise of professional judgment, that access by you is reasonably likely to cause harm to the individual or another person.

f. If the denial of the request for access to PHI is for reasons a, b, or c, then the patient may request a review of the denial of access by sending a written request to the Privacy Officer.

g. Nodaway County Ambulance District will designate a licensed health professional, who was not directly involved in the denial, to review the decision to deny the patient access. Nodaway County Ambulance District will promptly refer the request to this designated review official. The review official will determine within a reasonable period of time whether the denial is appropriate. Nodaway County Ambulance District will provide the patient with written notice of the determination of the designated reviewing official.

h. The patient may also file a complaint in accordance with the Procedure for Filing Complaints About Privacy Practices if the patient is not satisfied with Nodaway County Ambulance District ’s determination.

12. Access to the actual files or computers that contain the DRS that may be accessed by the patient or requestor should not be permitted. Rather, copies of the records should be provided for the patient or requestor to view in a confidential area under the direct supervision of a designated Nodaway County Ambulance District staff member. UNDER NO CIRCUMSTANCES SHOULD ORIGINALS OF PHI LEAVE THE PREMISES.

13. If the patient or requestor would like to retain copies of the DRS provided, then Nodaway County Ambulance District may charge a reasonable fee for the cost of reproduction.
14. Whenever a patient or requestor accesses a DRS, a note should be maintained in a log book indicating the time and date of the request, the date access was provided, what specific records were provided for review, and what copies were left with the patient or requestor.
15. Following a request for access to PHI, a patient or requestor may request an amendment to his or her PHI, and request restriction on its use in some circumstances.

16. The patient or appropriate requestor may only request amendment to PHI contained in the DRS. A Request for Amendment Form must be accompanied by any request for amendment.
17. Nodaway County Ambulance District must act upon a Request for Amendment within 60 days of the request. If Nodaway County Ambulance District is unable to act upon the request within 60 days, it must provide the requestor with a written statement of the reasons for the delay, and in that case may extend the time period in which to comply by an additional 30 days.
18. All requests for amendment must be forwarded immediately to the Privacy Officer for review.

19. If the Privacy Officer grants the request for amendment, then the requestor will receive a letter indicating that the appropriate amendment to the PHI or record that was the subject of the request has been made.
20. There must be written permission provided by the patient so that Nodaway County Ambulance District may notify the persons with whom the amendments need to be shared. Nodaway County Ambulance District must provide the amended information to those individuals identified by having received the PHI that has been amended as well as those persons or business associates that have such information and who may have relied on or could be reasonably expected to rely on the amended PHI.
21. The patient must identify individuals who may need the amended PHI and sign the statement in the Request for Amendment form giving Nodaway County Ambulance District permission to provide them with the updated PHI.
22. Nodaway County Ambulance District will add the request for amendment, the denial or granting of the request, as well as any statement of disagreement by the patient and any rebuttal statement by Nodaway County Ambulance District to the designated record set.

23. Nodaway County Ambulance District may deny a request to amend PHI for the following reasons: 1) if Nodaway County Ambulance District did not create the PHI at issue; 2) if the information is not part of the DRS; or 3) the information is accurate and complete.
24. Nodaway County Ambulance District must provide a written denial, and the denial must be in plain language stating the reason for the denial; the individual’s right to submit a statement disagreeing with the denial and how the individual may file such a statement; a statement that, if the individual does not submit a statement of disagreement, the individual may request that the provider provide the request for amendment and the denial with any future disclosures of the PHI; and a description of how the individual may file a complaint with the covered entity, including the name and telephone number of an appropriate contact person, or to the Secretary of Health and Human Services.
25. If the individual submits a "statement of disagreement," the provider may prepare a written rebuttal statement to the patient’s statement of disagreement. The statement of disagreement will be appended to the PHI, or at Nodaway County Ambulance District ’s option, a summary of the disagreement will be appended, along with the rebuttal statement of Nodaway County Ambulance District .
26. If Nodaway County Ambulance District receives a notice from another covered entity, such as a hospital, that it has amended its own PHI in relation to a particular patient, the ambulance service must amend its own PHI that may be affected by the amendments.

27. The patient may request a restriction on the use and disclosure of their PHI.
28. Nodaway County Ambulance District is not required to agree to any restriction, and given the emergent nature of our operation, we generally will not agree to a restriction.
29. ALL REQUESTS FOR RESTRICTION ON USE AND DISCLOSURE OF PHI MUST BE SUBMITTED IN WRITING ON THE APPROVED District FORM. ALL REQUESTS WILL BE REVIEWED AND DENIED OR APPROVED BY THE PRIVACY OFFICER.
30. If Nodaway County Ambulance District agrees to a restriction, we may not use or disclosed PHI in violation of the agreed upon restriction, except that if the individual who requested the restriction is in need of emergency service, and the restricted PHI is needed to provide the emergency service, Nodaway County Ambulance District may use the restricted PHI or may disclose such PHI to another health care provider to provide treatment to the individual.
31. The agreement to restrict PHI will be documented to ensure that the restriction is followed.
32. A restriction may be terminated if the individual agrees to or requests the termination. Oral agreements to terminate restrictions must be documented. A current restriction may also be terminated by Nodaway County Ambulance District as long as Nodaway County Ambulance District notifies the patient that PHI created or received after the restriction is removed is no longer restricted. PHI that was restricted prior to Nodaway County Ambulance District voiding the restriction must continue to be treated as restricted PHI.

To provide guidance to management and staff concerning the patient’s right to an Accounting and the types of uses and disclosures of PHI for which Nodaway County Ambulance District is required to document.

1. All patient records will be kept by Nodaway County            Ambulance District for a period of six (6) years from the date of service.

2. All patient accounting requests should be received directly from a patient or personal representative.

3. Nodaway County Ambulance District will provide a list of uses and disclosures of the patient’s PHI, made by Nodaway County Ambulance District or by a Business Associate on Nodaway County Ambulance District ’s behalf, for the last six (6) years or to the extent that Nodaway County Ambulance District has maintained that patient’s information if less than six (6) years.

4. All uses and disclosures of a patient’s PHI, made by Nodaway County Ambulance District , must be documented for accounting purposes except:

a. Disclosures to carry out treatment, payment and health care operations;

b. For national security or intelligence purposes;

c. Uses and disclosures incident to an unaccountable use or disclosure;

d. That occurred prior to the compliance date.

5. A common use or disclosure that must be accounted for and information provided upon a request for accounting is the disclosure of PHI in response to a subpoena, summons or warrant.

Patients have the right to complain to the District about any concerns they may have concerning patient privacy. Any patient or family member who expresses a concern or complaint to you should be directed to contact the Privacy Officer. The Privacy Officer is responsible for receiving, investigating, and documenting all complaints from patients concerning patient privacy issues.