EMS and the Health Insurance Portability and Accountability Act of
1996 (HIPAA) Privacy Rule - Frequently Asked Questions
A summary of the HIPAA Privacy Rule (prepared by the Department of
Heath and Human Services Office for Civil Rights) can be found at:
Why do we have to change the way we do things?
Concern about privacy of medical records was
one of the factors that led to the federal Health Insurance
Portability and Accountability Act of 1996 (HIPAA). Title II of
that law, Administrative Simplification Standards, regulates
privacy, security, and electronic transactions. The Privacy Rule
deals with how a provider’s workforce and agents behave when
using or disclosing data. The US Department of Health and Human
Services (HHS) is the agency responsible for administering HIPAA.
Who will be affected by HIPAA?
Covered Entities include:
- All health plans
- All health care clearinghouses
- Health care providers who transmit health
Ambulance services are health care
providers. If an ambulance service transmits health
information electronically, for instance as it bills Medicare or
an insurance company, it is a covered entity. Its contractual
business associates are also covered, if:
they perform a function for or on behalf
of a covered entity, and
they receive protected health Information
from the covered entity.
While a few services may not yet transmit
any health information electronically¸ they are now in a country
full of covered entities. In practice, everyone else will be
using HIPAA standards. In order to be able to talk easily to
the rest of the EMS world, they will need to use the same
language. HIPAA is the national standard for most providers
now, for coding health information, and for privacy issues.
What is "protected health
information" under HIPAA?
Health information is any information
created or received by a health care provider which relates to:
past, present or future physical or
mental health or condition
provision of health care, or
past, present or future payment for
Some of this health information is
individually identifiable health information, if it is also:
individually identifiable, or
there is a reasonable basis to believe
the information can be used to identify the individual
Protected health information
is individually identifiable health information that is:
transmitted by electronic media,
maintained in any electronic medium, or
transmitted or maintained in any other
form or medium.
A covered entity may use or disclose
protected health information for its own treatment, payment, or
health care operations.
Can ambulance service providers get
protected health information from hospitals ?
Yes. After considering comments on the Privacy Rule
(some of which were from ambulance service providers concerned
about their ability to get billing and quality improvement
information from hospitals) HHS published modifications to the Privacy Rule
(Federal Register/Vol. 67, No. 157/ Wednesday, August 14,
2002/Rules and Regulations). These can be found at www.hhs.gov/ocr/hipaa/finalreg.html
Page 53216 reads:
"Final Modifications. In this
final Rule, the Department adopts its proposal to allow covered
entities to disclose protected health information for the
treatment, payment, and certain health care operation purposes of
another entity. Specifically, the final rule at § 164.506(c):
states that a covered entity may use or
disclose protected health information for its own treatment,
payment, or health care operations.
clarifies that a covered entity may use
or disclose protected health information for the treatment
activities of any health care provider.
permits a covered entity to disclose
protected health information to another covered entity or any
health care provider for the payment activities of the entity
that receives the information.
(4) Permits a covered entity to disclose
protected health information to another covered entity for the
health care operations activities of the entity that receives
the information, if each entity either has or had a
relationship with the individual who is the subject of the
information, the protected health information pertains to such
relationship, and the disclosure is for a purpose listed in
paragraphs (1) or (2) of the definition of "health care
operations," which includes quality assessment and
improvement activities, population-based activities relating
to improving health or reducing health care costs, case
management and care coordination, conducting training
programs, and accreditation, licensing, or credentialing
The Department also clarifies that disclosures
pursuant to the above provisions may be made to or by a business
associate of a covered entity."
Any state requirements protecting medical
record privacy which are more stringent than HIPAA’s, will still
apply. In other words, if state laws or regulations are
stricter, they will preempt or override HIPAA requirements, and
will not change.
What new privacy requirements does HIPAA
impose on ambulance service providers?
These are the requirements that are most
relevant to ambulance service providers. For more detail, see the
HHS Fact Sheet or the complete Privacy Rule.
A covered provider must provide patients
with notice of their privacy rights and its privacy practices,
but need not obtain prior consent that would inhibit patient
access to health care.
Patients must grant permission in advance
for each type of non-routine use or disclosure, but providers
may use one form for all of them.
A covered entity must obtain prior
written authorization to use protected health information for
Only the minimum necessary protected
health information may be disclosed without authorization.
A covered entity must account for
disclosures of protected health information in the six years
prior to the individual’s request, with some exceptions,
such as individual authorization.
An individual may request restriction of
use and disclosure of protected health information.
Administratively, a covered entity must
implement administrative, technical and physical safeguards:
It must implement policies and
procedures to comply with HIPAA, document all policies and
procedures, written communications, required actions, and
personnel designations, and maintain them for six years.
It must train its workforce, provide
a complaint process, apply workforce sanctions for
violations, mitigate harmful effects of improper use &
disclosure, not retaliate, not require rights waived,
designate a privacy official and contact person, and
establish permitted uses and disclosures for its business
What disclosures does HIPAA allow?
Covered entities may disclose protected
health information for treatment, payment, and certain health
care operations of another covered entity.
When legal ownership of a covered entity
changes, protected health information may be disclosed to the
new covered entity, with appropriate care.
A covered entity may disclose protected
health information to the FDA, about FDA-regulated products.
Incidental uses or disclosures are not
considered a violation of the Rule if the covered entity has
met reasonable safeguards and minimum requirements.
Covered providers have up to an additional
year to bring business associate contracts into compliance with
the requirements, and HHS has provided sample contract provisions.
What are the exceptions to the Privacy
The following disclosures do not need an
- Disclosures that are required by law
- Disclosures related to public health
- Disclosures for health oversight
- Disclosures for specialized government
- Reports to government agencies of
abuse, neglect or domestic violence
- Disclosures made to law enforcement
- Disclosures made for judicial and administrative
- Disclosures made to avert imminent threat to health or
safety of a person or public
- Disclosures for Worker’s
- Disclosures for organ donation or
- Disclosures to coroners and medical
When does this take effect?
The final compliance date for the Privacy Rule
is April 14, 2003.
What happens If someone violates HIPAA
There are civil penalties of $100 per
violation, up to $25,000 per year for all violations of a single
requirement or prohibition. Criminal penalties include up to
$5,000 and/or 1 year in jail for wrongful disclosure, up to
$100,000 and/or 5 years imprisonment for false pretenses, and up
to $250,000 and/or 10 years imprisonment if the violation is for
profit or with malice.
Where can I find more information on HIPAA
The Wisconsin Department of Health Services
"HIPAA NOW" site (http://www.dhs.wisconsin.gov/hipaa/index.htm)
is intended to assist governmental entities within Wisconsin with
HIPAA compliance. Assistance for private individuals and
organizations is available through professional organizations,
consultants, and collaborative organizations like HIPAA COW.
The HIPAA – Collaborative of Wisconsin, at www.hipaacow.org
has useful information and continues to work
on the legal issues regarding HIPAA regulations.
There is a four-page Fact Sheet put out by
the U.S. Department of Health & Human Services on August 9,
2002, titled "Modifications to the Standards for Privacy of
Individually Identifiable Health Information – Final Rule,"
available at: http://archive.hhs.gov/news/press/2002pres/20020809.html
The entire 93 pages of the Final
Modifications to the Privacy Rule, published in the Federal
Register, August 14, 2002, can be read at www.hhs.gov/ocr/hipaa/finalreg.html
The free Adobe
Reader® software is needed to view and print portable
document format (PDF) files. Learn
Last Revised: October 21, 2011