Remember that HIPAA NPP Thing?
Out of Sight, Out of Mind
EMS, like all other healthcare disciplines, has its fair share of paperwork. Unfortunately, where most healthcare providers work in an office with administrative staff, you’re expected to be clinicians AND administrators tasked with completing paperwork, distributing forms and even getting signatures – all while providing care on the go! Unlike the nice cozy doctor’s office where the forms are typically on the counter and ready to go, EMS Notice of Privacy Practices (NPPs) are more often shoved between ambulance cab seats or sticking out of the defroster vents on the dash. Maybe your NPP copies sit in a folder under a foot of dust in the office, or perhaps you’re thinking, “What NPP?”
A Copy of a Copy of a Copy…
We’ve even seen situations where the HIPAA NPP is barely readable because the original form has long been misplaced and the service is using a copy of a copy of a copy that has morphed into something nigh unreadable over the years.
Our guess is that just reading this made many of you inhale sharply and start feeling a little sweaty. In fact, if you were to go to a mirror and look at your face right now, you’d probably be a bit flushed.
Getting Back to the Basics of HIPAA
The Health Insurance and Portability and Accountability Act (HIPAA) took effect a LONG time ago in 1996 – that’s 23 years folks. Most likely that means three (3) chiefs and five (5) captains have come and gone through your ranks and one of those people forgot to tell the new person about the importance of distributing the HIPAA NPP.
Receiving a Notice of Privacy Practices from your ambulance service is one of the six (6) patient rights outlined under the HIPAA protection rules. The NPP is basically an explanation detailing how a patient’s Personal Health Information (PHI) will be used, disclosed and protected by your service.
HIPAA Rules Clearly State That:
- Any person with whom your EMS agency has a direct treatment relationship must be provided your organization’s current NPP the first time that you treat them – even if you treat, but don’t ultimately transport them.
- After that, patients must be provided a new copy anytime the policy is revised.
- There is an allowance for emergency situations whereby the NPP can be provided as soon as reasonably possible following the emergency.
- The NPP can be mailed, e-mailed or faxed.
- EMS agencies that maintain a website MUST post its NPP (or a link to it) on the homepage.
We recommend, as do others in the industry, that all EMS agencies simply get into the habit of presenting an NPP every time you interact with a patient.
How long has it been since you took a look at the Notice of Privacy Practices for your ambulance service?
If there even is an NPP in your ambulance – and we hope there is – it’s probably a worthwhile exercise to find out how long it has been since anyone reviewed the language to be certain it is up-to-date. Not only does it need to be structurally valid, it also needs to meet all the rules for how and when it is presented to your patients.
While the original rules were enacted in 1996, HIPAA has been updated several times throughout the years to accommodate changes in the healthcare industry. In February 2009, HIPAA was updated to include the HITECH Act, which added provisions around digitally sharing HIPAA-protected information. Most recently, HITECH breach notification rules were adopted in 2013.
Believe it or not, there are many EMS agencies who have still not updated their NPP language to incorporate even the 2009 changes!
Answer these quick questions to assess your HIPAA NPP strategy: | ||
Do we have an NPP? |
□ Yes | □ No |
Does it include up-to-date language that includes HITECH rules? |
□ Yes | □ No |
Is it posted on our agency’s website? |
□ Yes | □ No |
Are we presenting NPP’s in the field? |
□ Yes | □ No |
If not, are we mailing, emailing or faxing to patients within a reasonable timeframe? |
□ Yes | □ No |
If you’re answering “No” to one or more of these questions, it’s probably time to take a look at your HIPAA Notice of Privacy Practices. It’s important – don’t wait!