EMS and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule - Frequently Asked Questions
A summary of the HIPAA Privacy Rule (prepared by the Department of
Health and Human Services Office for Civil Rights) can be found at:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
Why do we have to change the way we do things?
Concern about privacy of medical records was
one of the factors that led to the federal Health Insurance
Portability and Accountability Act of 1996 (HIPAA). Title II of
that law, Administrative Simplification Standards, regulates
privacy, security, and electronic transactions. The Privacy Rule
deals with how a provider’s workforce and agents behave when
using or disclosing data. The US Department of Health and Human
Services (HHS) is the agency responsible for administering HIPAA.
Who will be affected by HIPAA?
Covered Entities include:
- All health plans
- All health care clearinghouses
- Health care providers who transmit health information electronically
Ambulance services are health care
providers. If an ambulance service transmits health
information electronically, for instance as it bills Medicare or
an insurance company, it is a covered entity. Its contractual
business associates are also covered, if:
- they perform a function for or on behalf of a covered entity, and
- they receive protected health information from the covered entity.
While a few services may not yet transmit
any health information electronically, they are now in a country
full of covered entities. In practice, everyone else will be
using HIPAA standards. In order to be able to talk easily to
the rest of the EMS world, they will need to use the same
language. HIPAA is the national standard for most providers
now, for coding health information, and for privacy issues.
What is "protected health information" under HIPAA?
Health information is any information
created or received by a health care provider which relates to:
- past, present or future physical or mental health or condition
- provision of health care, or
- past, present or future payment for health care.
Some of this health information is
individually identifiable health information, if it is also:
- individually identifiable, or
- there is a reasonable basis to believe the information can be used to identify the individual.
Protected health information
is individually identifiable health information that is:
- transmitted by electronic media,
- maintained in any electronic medium, or
- transmitted or maintained in any other form or medium.
A covered entity may use or disclose
protected health information for its own treatment, payment, or
health care operations.
Can ambulance service providers get protected health information from hospitals?
Yes. After considering comments on the Privacy Rule
(some of which were from ambulance service providers concerned
about their ability to get billing and quality improvement
information from hospitals) HHS published modifications to the Privacy Rule
(Federal Register/Vol. 67, No. 157/ Wednesday, August 14,
2002/Rules and Regulations). These can be found at www.hhs.gov/ocr/hipaa/finalreg.html.
Page 53216 reads:
"Final Modifications. In this
final Rule, the Department adopts its proposal to allow covered
entities to disclose protected health information for the
treatment, payment, and certain health care operation purposes of
another entity. Specifically, the final rule at § 164.506(c):
- states that a covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
- clarifies that a covered entity may use or disclose protected health information for the treatment activities of any health care provider.
- permits a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of the entity that receives the information.
- (4) Permits a covered entity to disclose protected health information to another covered entity for the health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the protected health information pertains to such relationship, and the disclosure is for a purpose listed in paragraphs (1) or (2) of the definition of "health care operations," which includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing activities....
The Department also clarifies that disclosures
pursuant to the above provisions may be made to or by a business
associate of a covered entity."
Any state requirements protecting medical record privacy that are
more stringent than HIPAA’s will still apply. In other words, if
state laws or regulations are stricter, they preempt or override
the HIPAA requirements, and those state requirements do not change.
What new privacy requirements does HIPAA impose on ambulance service providers?
These are the requirements that are most
relevant to ambulance service providers. For more detail, see the
HHS Fact Sheet or the complete Privacy Rule.
- A covered provider must provide patients with notice of their privacy rights and its privacy practices, but need not obtain prior consent that would inhibit patient access to health care.
- Patients must grant permission in advance for each type of non-routine use or disclosure, but providers may use one form for all of them.
- A covered entity must obtain prior written authorization to use protected health information for marketing purposes.
- Only the minimum necessary protected health information may be disclosed without authorization.
- A covered entity must account for disclosures of protected health information in the six years prior to the individual’s request, with some exceptions, such as individual authorization.
- An individual may request restriction of use and disclosure of protected health information.
- Administratively, a covered entity must implement administrative, technical and physical safeguards:
  - It must implement policies and procedures to comply with HIPAA, document all policies and procedures, written communications, required actions, and personnel designations, and maintain them for six years.
  - It must train its workforce, provide a complaint process, apply workforce sanctions for violations, mitigate harmful effects of improper use and disclosure, not retaliate, not require rights to be waived, designate a privacy official and contact person, and establish permitted uses and disclosures for its business associates.
What disclosures does HIPAA allow?
- Covered entities may disclose protected health information for treatment, payment, and certain health care operations of another covered entity.
- When legal ownership of a covered entity changes, protected health information may be disclosed to the new covered entity, with appropriate care.
- A covered entity may disclose protected health information to the FDA, about FDA-regulated products.
- Incidental uses or disclosures are not considered a violation of the Rule if the covered entity has met reasonable safeguards and minimum requirements.
Covered providers have up to an additional
year to bring business associate contracts into compliance with
the requirements, and HHS has provided sample contract provisions.
What are the exceptions to the Privacy Rule?
The following disclosures do not need an
individual’s permission:
- Disclosures that are required by law
- Disclosures related to public health
- Disclosures for health oversight activities
- Disclosures for specialized government functions
- Reports to government agencies of abuse, neglect or domestic violence
- Disclosures made to law enforcement
- Disclosures made for judicial and administrative proceedings
- Disclosures made to avert imminent threat to health or safety of a person or the public
- Disclosures for Worker’s Compensation
- Disclosures for organ donation or transplantation
- Disclosures to coroners and medical examiners
When does this take effect?
The final compliance date for the Privacy Rule
is April 14, 2003.
What happens if someone violates HIPAA regulations?
There are civil penalties of $100 per
violation, up to $25,000 per year for all violations of a single
requirement or prohibition. Criminal penalties include up to
$5,000 and/or 1 year in jail for wrongful disclosure, up to
$100,000 and/or 5 years imprisonment for false pretenses, and up
to $250,000 and/or 10 years imprisonment if the violation is for
profit or with malice.
Where can I find more information on HIPAA regulations?
The Wisconsin Department of Health Services
"HIPAA NOW" site (www.dhfs.state.wi.us/HIPAA/index.htm)
is intended to assist governmental entities within Wisconsin with
HIPAA compliance. Assistance for private individuals and
organizations is available through professional organizations,
consultants, and collaborative organizations like HIPAA COW.
The HIPAA Collaborative of Wisconsin, at www.hipaacow.org,
has useful information and continues to work
on the legal issues regarding HIPAA regulations.
There is a four-page Fact Sheet put out by
the U.S. Department of Health & Human Services on August 9,
2002, titled "Modifications to the Standards for Privacy of
Individually Identifiable Health Information – Final Rule,"
available at: www.hhs.gov/news/press/2002pres/20020809.html.
The entire 93 pages of the Final
Modifications to the Privacy Rule, published in the Federal
Register, August 14, 2002, can be read at www.hhs.gov/ocr/hipaa/finalreg.html.
Last Revised: July 31, 2009