By Mike McEvoy, Ph.D., RN, CCRN, REMT-P and Paul Gillan, JD, EMT-B
If fire/EMS services needed one more topic to cover in required training, it wasn’t apparent to us. Between OSHA requirements, continuing education (CE), protocol updates, and plain old in-services on new equipment and policies, there’s hardly any room on the training plate for a mammoth topic like HIPAA.
Unfortunately, if your fire/EMS service is covered by HIPAA, it must conduct documented HIPAA-related training for its employees.[1] This article focuses on training issues and answers some basic questions such as who must be trained and what must be covered.
Think of training requirements as a series of concentric circles, like the circles at an extrication or haz-mat scene. The closer you are to the center of the circles (the “inner circle”), the more you need to know about HIPAA. EMTs and clerical employees are in the outer circle; they should know enough about HIPAA to field basic questions. Next in are managers and lower level supervisors, who might be the first ones to receive a complaint or to get a serious inquiry about HIPAA practices. After that come directors, officers, and high-ranking administrators, who should have a fairly comprehensive knowledge of the service’s obligations and responsibilities. Finally, at the center should be your privacy officer and the officer in charge of handling HIPAA complaints (often the same person), as well as your service’s general counsel. These individuals are at the core of HIPAA compliance and should be walking experts about what your service needs to do–and doesn’t need to do–to comply with HIPAA. (We include the general counsel in this list because many lawyers, even those who practice EMS law, are still fuzzy about what HIPAA actually requires of fire/EMS services.)
Thinking about training in this manner demonstrates that not everyone in your fire/EMS service needs to know all there is to know about HIPAA. To bring all of your EMTs up to speed on the finer points of HIPAA compliance wastes everyone’s time and is a colossal waste of your fire/EMS service’s money and staffing.
EMTs and CFRs
EMTs and CFRs, and anyone else in your service who is directly involved in patient care, should have a good general understanding of HIPAA. They should be able to field general questions such as: What is HIPAA? Why is there such a law? Why are you giving me this Notice of Privacy Practices (NPP)? What does it say? Patient care providers must have a clear understanding of your service’s policies and/or operating guidelines relating to the protection of patient privacy, such as what to include or not include in radio reports,[2] how to respond to questions from the media and other outsiders about a patient, and how the process for completing and processing patient care reports or run sheets protects the confidentiality of patient health information. Finally, even your front-line workers should be made to appreciate the severity of a potential HIPAA violation. No one should answer questions about your Notice of Privacy Practices by shrugging and saying, “It’s just paperwork they make us hand out.”
In nearly all circumstances, general, EMT-level HIPAA training can be credibly accomplished by in-house personnel.
Managers and Supervisors
Managers and supervisors might be the first ones to spot a HIPAA violation or the first ones to receive a complaint about one that has taken place. Accordingly, managers and supervisors should have a good overall understanding of HIPAA. They should be familiar with the particular aspects of your fire/EMS service that make HIPAA apply to them, and they should understand what the fundamental requirements are for each of those areas of operation. For example, all managers and supervisors should know that patient care reports and billing information are the two major documents where “protected health information” will reside. They should know the functions involving protected health information that are routine (such as billing) and those that require additional authorization from a patient (such as disclosure to an attorney). As with EMTs, your managers and supervisors should understand that HIPAA compliance is a serious matter.
Note that if the managers and supervisors work in one of the covered areas of operation, their knowledge level about the HIPAA requirements for that particular area should rise a notch or two. For example, a billing supervisor should know more about HIPAA compliance for billing issues, and an operations supervisor should know more about HIPAA compliance for patient care issues.
Manager and supervisor training can be conducted in-house, but only if your service has an accomplished presenter in its ranks. If not, consider borrowing one from a neighboring service or using a consultant.
Directors, Officers, and High-Ranking Administrators
Directors and officers can’t make informed decisions about HIPAA without knowing, in detail, what HIPAA requires of the fire/EMS service. These folks are the people who will have to answer the tough questions about HIPAA practices and compliance if a complaint is filed and the Office of Civil Rights drops in to investigate. Administrators also have a fiduciary obligation to avoid fines and penalties that could quickly mount into the tens of thousands of dollars. It stands to reason, then, that directors and officers should have formal, professionally presented HIPAA training specifically geared to board members.
Privacy Officer, Complaint Officer, and General Counsel
These three individuals are the core of your fire/EMS service’s HIPAA compliance. Each should have a detailed understanding not only of the HIPAA requirements but of how those requirements apply to your service and what your service must do to comply. The people holding these three positions should, unquestionably, attend professionally sponsored HIPAA education. Your general counsel (attorney) should provide administrative guidance specifically tailored to your fire/EMS service and should have reviewed your policies and/or operating guidelines that relate to HIPAA. Anyone in this circle should know the answer to HIPAA questions off the top of their head or be able to find an answer with a quick lookup in the regulation itself. Your designated privacy officer should actively monitor HIPAA knowledge sites, including the Web site of the Office of Civil Rights[3] and the Centers for Medicaid & Medicare Services,[4] and should subscribe to a good HIPAA newsletter.
Train Outside In
If you are conducting all of your training in-house, consider beginning at the outer circles described above, where less training is required, and proceeding inward. Many organizations go in reverse, starting with the most detailed training and then working outward. Working in reverse, however, gives up a valuable opportunity for repetition, which is one of the keys to internalizing a topic rather than learning about it superficially. If everyone in your organization attends a general training session, supervisors and managers will have already been exposed to and digested the general knowledge by the time they get more detailed training. This will help them focus on the greater level of detail instead of taking in everything at once–and should help them learn the material better. Similarly, by the time your designated privacy officer gets to the top level of training, he should know the basic material well enough to focus only on the truly tough questions facing your service.
HIPAA training is not a one-time deal. New employees must be trained to the appropriate level of competence and, ideally, your fire/EMS service would have an annual HIPAA refresher for all employees and members.
HIPAA requires covered entities to document training. We recommend keeping the documentation in two places. First, a “training course file” should contain all documentation regarding the covered entity’s training efforts, including a comprehensive list of training sessions, names and qualifications of instructors, agenda and syllabuses, copies of written materials, and attendance lists. Second, documentation of specific HIPAA-related training should be kept in each employee or member’s individual personnel file.
Remember that training is required “as necessary and appropriate” for employees and members to carry out their functions within your service. Don’t overtrain, but don’t undertrain either. If you have one seminar for everyone in your service, you will probably have overtrained the EMTs in your outer circle and undertrained your critical compliance officers. This wastes time and energy on one hand and is a serious compliance shortfall on the other. A carefully designed training regimen will ensure that HIPAA knowledge resides where it needs to be in your service, without overdoing it for those who don’t need to know everything.
Mike McEvoy, Ph.D., RN, CCRN, REMT-P, is the EMS coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in New York. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for the West Crescent (NY) Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS director on the Board of the New York State Association of Fire Chiefs.
Paul Gillan, JD, EMT-B, is a senior associate attorney with the regional law firm Iseman, Cunningham, Riester & Hyde, LLP, in Albany, New York. An active EMT, he devotes a substantial portion of his practice to representation of fire and EMS services, EMS councils, and individual EMTs. Most recently he gave a presentation on emergency service billing issues at Fire 2003, the annual convention of the New York State Association of Fire Chiefs in Syracuse, New York. For more information about the firm, please visit www.icrh.com.
[1] 45 CFR 164.530 (http://www.hhs.gov/ocr/combinedregtext.pdf)
[2] We realize that this is an area of some debate in the EMS community. We think a common-sense approach best serves everyone’s interests. It’s almost never “necessary” to communicate a patient’s name over the air. The patient’s age, on the other hand, is often a critical factor in how a receiving hospital prepares for an incoming patient. In cases where identifying a patient is important (such as a patient recently discharged from inpatient care who is experiencing complications), consider reasonable alternatives to radio transmission–such as using a cell phone to call the receiving hospital–as long as doing so won’t compromise patient care.