EMS: HIPAA Privacy Rule—Frequently Asked Questions

HIPAA is a law that aims to protect how and when people’s medical information is shared. The federal government signed the HIPAA Privacy Act into law in 1996. One factor that led to HIPAA was growing concern about the privacy of medical records.

The two main parts of this law include:

• Title II, Administrative Simplification Standards—Controls privacy, security, and electronic transactions.
• The Privacy Rule—Deals with how a provider’s staff behaves when using or giving out data. This rule took effect on April 14, 2003.

The U.S. Department of Health and Human Services, Office for Civil Rights, is in charge of HIPAA.

HIPAA affects these covered entities:

• All health plans.
• All health care clearinghouses.
• Health care providers who send health information electronically (for example, billing Medicare or an insurance company online). This includes ambulance services and any contracted business partners who have access to protected health information (PHI).

HIPAA is the national standard for most providers for coding health information and for privacy issues. Even if a service doesn’t send health information electronically, they likely work with many groups that do. To work together, it’s best for all providers to follow HIPAA standards.

“Health information” is any information a provider creates or receives that relates to:

• A past, present, or future physical or mental health condition.
• The act of providing health care.
• Past, present, or future payment for health care.

Some health information is also “individually identifiable health information.” This means:

It includes a person’s name.

It includes details that can be used to find out who the person is.

“Protected health information,” or PHI, is individually identifiable health information that is:

• Sent via electronic media.
• Kept in an electronic format.
• Sent or kept in any other format.

Covered entities that HIPAA applies to may use or share PHI for their own treatment, payment, or health care operations.

Covered entities (those that HIPAA applies to) may share PHI if:

• It’s for treatment, payment, or certain health care operations of another covered entity.
• It’s for the U.S. Food and Drug Administration about their regulated products.
• There are legal ownership changes, and information is shared with the new covered entity.
• The covered entity meets reasonable safeguards and minimum requirements.

Covered entities may share certain information without a person’s permission if:

• It’s required by law.
• It relates to public health.
• It’s for health oversight activities.
• It’s for specialized government functions.
• It’s a report to a government agency about abuse, neglect, or domestic violence.
• It’s for law enforcement.
• It’s for judicial and administrative proceedings.
• It’s to stop a current threat to the health and safety of a person or the public.
• It’s for worker’s compensation.
• It’s for organ donation or transplant.
• It’s for a coroner or medical examiner.

If someone goes against HIPAA, they are often required to pay money.

In January 2013, the Final Omnibus HIPAA Rule went into effect. It defines an increased, tiered structure for HIPAA penalties. The Office of Civil Rights can fine covered entities and related associates if they refuse to comply with HIPAA. Fines can range from $10,000 to $50,000 per violation. Penalties are capped at $1.5 million for the same violation in one calendar year.

HIPAA has many privacy requirements. These are the most relevant for ambulance service providers:

• A covered provider must let patients know about their privacy rights and the provider’s privacy practices. The provider doesn’t need to get prior consent that would prevent a patient from getting care.
• Patients must give permission in advance for all types of non-routine use or disclosure. Providers may use one form for all types.
• A covered entity must get prior written permission to use PHI for marketing.
• A covered provider may only share the minimum amount of essential PHI without permission.
• A covered entity must account for any time they shared a person’s PHI in the six years before the current request. There are some exceptions, such as individual authorization.
• A person may ask for restriction of use and disclosure of PHI.
• A covered entity must have administrative, technical, and physical safeguards. It must:
  • Use policies and procedures that comply with HIPAA.
  • Document all policies and procedures, written communications, required actions, and staff assignments.
  • Keep documents for six years.
  • Train its workforce.
  • Provide a complaint process.
  • Apply workforce sanctions for violations.
  • Work to reduce the harmful effects of improper use and disclosure.
  • Not retaliate or require rights waived.
  • Designate a privacy official and contact person.
  • Set up permitted uses and disclosures for its business associates.

Ambulance service providers can get PHI from hospitals. The Department of Health and Human Services updated the Privacy Rule on Aug. 14, 2022. They made updates, in part, in response to concerns from ambulance service providers about what information they can get from hospitals.

Learn more about the HIPAA Privacy Rule History.

These resources have more details about HIPAA:

• HIPAA from DHS—Get help with HIPAA compliance for government groups in Wisconsin.
• HIPAA Collaborative of Wisconsin—Get individual help with HIPAA. They also work on legal issues related to HIPAA regulations.
• 45 Code of Federal Regulations, Parts 160 and 164 (PDF)—Find the final Privacy and Security Rule published Jan. 25, 2013.