HIPAA for EMS, or HIPAA for Emergency Medical Services, applies in the same way that HIPAA applies to any other covered entity. Because EMS providers are involved in the treatment of patients, they are covered entities under HIPAA. More details regarding HIPAA for EMS are discussed below.
HIPAA for EMS: Implementing an Effective Compliance Program
To ensure compliance with HIPAA, it is important to implement an effective HIPAA compliance program. There are six major components of a HIPAA compliance program as follows.
Self-Audits.
As a HIPAA covered entity, an essential component of HIPAA for EMS is conducting annual self-audits. The purpose of self-audits is to assess your administrative, physical, and technical safeguards. HIPAA requires these safeguards to ensure the confidentiality, integrity, and availability of patients’ protected health information (PHI).
Gap Identification and Remediation.
Completing self-audits identifies gaps in your organization’s safeguards. To be HIPAA compliant, you must address your gaps with remediation plans. To create remediation plans, consult your self-audits to determine where your safeguards are lacking, and create a plan, with a timeline, for how you will address your gaps.
Policies and Procedures.
Policies and procedures create a framework for how your organization will comply with the HIPAA Privacy, Security, and Breach Notification Rules. Having clear written policies and procedures allows employees to understand the proper uses and disclosures of PHI, how to protect PHI, and what to do if they discover a breach.
Employee Training.
To ensure that employees understand their obligations under HIPAA, it is essential to conduct annual training. Employees must be trained on HIPAA basics, your organization’s policies and procedures, the proper use of social media, and cybersecurity best practices.
Business Associate Management.
Business associates are organizations that create, receive, transmit, store, or maintain PHI on your behalf. To ensure that your business associates adequately protect the PHI you share with them, you must vet them by sending them a vendor questionnaire. Vendor questionnaires are essentially self-audits that you send to your business associates to assess their safeguards. Business associate management also requires you to have signed business associate agreements with your business associates before you share PHI with them. Business associate agreements are legal documents that dictate the safeguards your business associates must have in place, and require them to be HIPAA compliant.
Incident Reporting and Response.
Part of HIPAA for EMS is reporting breaches, should you experience one. All breaches that affect PHI must be reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and affected patients. Breaches affecting 500 or more patients must also be reported to the media.
HIPAA for EMS: Other Considerations
Other best practices for maintaining HIPAA compliance in EMS include:
◈ Don’t share login credentials or passwords
◈ Don’t leave devices or documents containing PHI unattended
◈ Don’t text PHI
◈ Don’t dispose of PHI with regular trash
◈ Don’t access patient records without a specific purpose
◈ Don’t take medical records with you when you leave your job
◈ Don’t access your own medical records
◈ Don’t share PHI on social media