EMS and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule - Frequently Asked Questions
A summary of the HIPAA Privacy Rule (prepared by the Department of
Health and Human Services Office for Civil Rights) can be found at:
Why did we have to change the way we do things?
Concern about privacy of medical records was
one of the factors that led to the federal Health Insurance
Portability and Accountability Act of 1996 (HIPAA). Title II of
that law, Administrative Simplification Standards, regulates
privacy, security, and electronic transactions. The Privacy Rule
deals with how a provider’s workforce and agents behave when
using or disclosing data. The US Department of Health and Human
Services (HHS) Office for Civil Rights is the agency responsible for administering HIPAA.
Who is affected by HIPAA?
Covered entities include:
- All health plans
- All health care clearinghouses
- Health care providers who transmit health information electronically
Ambulance services are health care
providers. If an ambulance service transmits health
information electronically, for instance as it bills Medicare or
an insurance company, it is a covered entity. Its contractual
business associates are also covered, if they perform a function
or activity on behalf
of or provide services to a covered entity that involves
access by the business associate to protected health information.
While a few services may not yet transmit
any health information electronically, they are now in a country
full of covered entities. In practice, everyone else will be
using HIPAA standards. In order to be able to talk easily to
the rest of the EMS world, they will need to use the same
language. HIPAA is the national standard for most providers
now, for coding health information, and for privacy issues.
What is "protected health information" under HIPAA?
Health information is any information created or received by a health care provider which relates to:
- past, present or future physical or mental health or condition,
- provision of health care, or
- past, present or future payment for
Some of this health information is individually identifiable health information, if it is also:
- individually identifiable, or
- there is a reasonable basis to believe the information can be used to identify the individual
Protected health information is individually identifiable health information that is:
- transmitted by electronic media,
- maintained in any electronic medium, or
- transmitted or maintained in any other form or medium.
A covered entity may use or disclose
protected health information for its own treatment, payment, or
health care operations.
Can ambulance service providers get protected health information from hospitals?
Yes. After considering comments on the Privacy Rule
(some of which were from ambulance service providers concerned
about their ability to get billing and quality improvement
information from hospitals) HHS published modifications to the Privacy Rule
(Federal Register/Vol. 67, No. 157/ Wednesday, August 14,
2002/Rules and Regulations). These can be found at www.hhs.gov/ocr/hipaa/finalreg.html.
Page 53216 reads:
"Final Modifications. In this final Rule, the Department adopts its proposal to allow covered entities to disclose protected health information for the treatment, payment, and certain health care operation purposes of another entity. Specifically, the final rule at § 164.506(c):
- states that a covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
- clarifies that a covered entity may use or disclose protected health information for the treatment activities of any health care provider.
- permits a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of the entity that receives the information.
- permits a covered entity to disclose protected health information to another covered entity for the health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the protected health information pertains to such relationship, and the disclosure is for a purpose listed in paragraphs (1) or (2) of the definition of "health care operations," which includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing
The Department also clarifies that disclosures pursuant to the above provisions may be made to or by a business associate of a covered entity."
Any state requirements protecting medical
record privacy which are more stringent than HIPAA’s will still
apply. In other words, if state laws or regulations are
stricter, they will preempt or override HIPAA requirements, and
will not change.
What privacy requirements does HIPAA impose on ambulance service providers?
These are the requirements that are most relevant to ambulance service providers. For more detail, see the HHS Fact Sheet or the complete Privacy Rule.
- A covered provider must provide patients with notice of their privacy rights and its privacy practices, but need not obtain prior consent that would inhibit patient access to health care.
- Patients must grant permission in advance for each type of non-routine use or disclosure, but providers may use one form for all of them.
- A covered entity must obtain prior written authorization to use protected health information for
- Only the minimum necessary protected health information may be disclosed without authorization.
- A covered entity must account for disclosures of protected health information in the six years prior to the individual’s request, with some exceptions, such as individual authorization.
- An individual may request restriction of use and disclosure of protected health information.
- Administratively, a covered entity must implement administrative, technical and physical safeguards:
  - It must implement policies and procedures to comply with HIPAA, document all policies and procedures, written communications, required actions, and personnel designations, and maintain them for six years.
  - It must train its workforce, provide a complaint process, apply workforce sanctions for violations, mitigate harmful effects of improper use and disclosure, not retaliate, not require rights waived, designate a privacy official and contact person, and establish permitted uses and disclosures for its business
What disclosures does HIPAA allow?
- Covered entities may disclose protected health information for treatment, payment, and certain health care operations of another covered entity.
- When legal ownership of a covered entity changes, protected health information may be disclosed to the new covered entity, with appropriate care.
- A covered entity may disclose protected health information to the FDA, about FDA-regulated products.
- Incidental uses or disclosures are not considered a violation of the Rule if the covered entity has met reasonable safeguards and minimum requirements.
What are the exceptions to the Privacy
The following disclosures do not need an
- Disclosures that are required by law
- Disclosures related to public health
- Disclosures for health oversight
- Disclosures for specialized government
- Reports to government agencies of
abuse, neglect or domestic violence
- Disclosures made to law enforcement
- Disclosures made for judicial and administrative
- Disclosures made to avert imminent threat to health or
safety of a person or public
- Disclosures for Worker’s
- Disclosures for organ donation or
- Disclosures to coroners and medical
When did this take effect?
The final compliance date for the Privacy Rule
was April 14, 2003.
What happens if someone violates HIPAA?
In January 2013, the final Omnibus HIPAA Rules
adopted an increased, tiered civil money penalty structure for
HIPAA violations provided by the HITECH Act. The Office for Civil
Rights has the discretion to impose penalties on covered
entities and business associates in cases of violations due to
willful neglect, instead of first attempting to resolve the
matter through informal means. Penalties for HIPAA violations
are significant. Specifically, penalties for violations caused
by willful neglect, which are corrected, range from $10,000 to
$50,000 per violation. The penalties are capped at $1.5 million
for a violation of an identical requirement in a calendar year.
What are the other changes that were made due to the Final
Omnibus HIPAA Rule that went into effect September 23, 2013?
For additional information on changes to HIPAA -
(PDF, 107 KB).
Where can I find more information on HIPAA?
The Wisconsin Department of Health Services
"HIPAA NOW" site (http://www.dhs.wisconsin.gov/hipaa/index.htm)
is intended to assist governmental entities within Wisconsin with HIPAA compliance. Assistance for private individuals and
organizations is available through professional organizations,
consultants, and collaborative organizations like HIPAA COW.
The HIPAA Collaborative of Wisconsin, at www.hipaacow.org
has useful information and continues to work
on the legal issues regarding HIPAA regulations.
find the final Privacy and Security Rule, published January 25,
February 04, 2014