EMS and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule - Frequently Asked Questions
A summary of the HIPAA Privacy Rule (prepared by the Department of Health and Human Services Office for Civil Rights) can be found at: http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Why did we have to change the way we do things?
Concern about the privacy of medical records was one of the factors that led to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Title II of that law, Administrative Simplification Standards, regulates privacy, security, and electronic transactions. The Privacy Rule deals with how a provider's workforce and agents behave when using or disclosing data. The US Department of Health and Human Services (HHS) Office for Civil Rights is the agency responsible for enforcing the HIPAA Privacy Rule.
Who is affected by HIPAA?
Covered entities include:
- All health plans
- All health care clearinghouses
- Health care providers who transmit health information electronically
Ambulance services are health care providers. If an ambulance service transmits health information electronically, for instance when it bills Medicare or an insurance company, it is a covered entity. Its contractual business associates are also covered if they perform a function or activity on behalf of, or provide services to, a covered entity that involves access by the business associate to protected health information.
A few services may not yet transmit any health information electronically and so are not covered entities, but they operate in a country full of covered entities. In practice, everyone else will be using HIPAA standards, and in order to exchange information easily with the rest of the EMS world they will need to use the same language. HIPAA is now the national standard for most providers, both for coding health information and for privacy.
What is "protected health information" under HIPAA?
Health information is any information created or received by a health care provider which relates to:
- past, present or future physical or mental health or condition,
- provision of health care, or
- past, present or future payment for health care.
Some of this health information is individually identifiable health information, if it also:
- identifies the individual, or
- gives a reasonable basis to believe the information can be used to identify the individual.
Protected health information is individually identifiable health information that is:
- transmitted by electronic media
- maintained in any electronic medium, or
- transmitted or maintained in any other form or medium.
A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
Can ambulance service providers get protected health information from hospitals?
Yes. After considering comments on the Privacy Rule (some of which were from ambulance service providers concerned about their ability to get billing and quality improvement information from hospitals), HHS published modifications to the Privacy Rule (Federal Register, Vol. 67, No. 157, Wednesday, August 14, 2002, Rules and Regulations). These can be found at http://www.hhs.gov/hipaa/for-professionals/privacy/index.html. Page 53216 reads:
Final Modifications. In this final Rule, the Department adopts its proposal to allow covered entities to disclose protected health information for the treatment, payment, and certain health care operation purposes of another entity. Specifically, the final rule at § 164.506(c):
- states that a covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
- clarifies that a covered entity may use or disclose protected health information for the treatment activities of any health care provider.
- permits a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of the entity that receives the information.
- permits a covered entity to disclose protected health information to another covered entity for the health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the protected health information pertains to such relationship, and the disclosure is for a purpose listed in paragraphs (1) or (2) of the definition of "health care operations," which includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing activities.......
The Department also clarifies that disclosures pursuant to the above provisions may be made to or by a business associate of a covered entity.
Any state requirements protecting medical record privacy that are more stringent than HIPAA's still apply. In other words, HIPAA sets a floor: stricter state laws or regulations are not preempted by HIPAA, continue to apply, and are not changed by it.
What privacy requirements does HIPAA impose on ambulance service providers?
These are the requirements that are most relevant to ambulance service providers. For more detail, see the HHS Fact Sheet or the complete Privacy Rule.
- A covered provider must provide patients with notice of their privacy rights and its privacy practices, but need not obtain prior consent that would inhibit patient access to health care.
- Patients must grant permission in advance for each type of non-routine use or disclosure, but providers may use one form for all of them.
- A covered entity must obtain prior written authorization to use protected health information for marketing purposes.
- Only the minimum necessary protected health information may be disclosed without authorization.
- A covered entity must account for disclosures of protected health information in the six years prior to the individual's request, with some exceptions, such as individual authorization.
- An individual may request restriction of use and disclosure of protected health information.
- Administratively, a covered entity must implement administrative, technical and physical safeguards:
  - It must implement policies and procedures to comply with HIPAA; document all policies and procedures, written communications, required actions, and personnel designations; and maintain that documentation for six years.
  - It must train its workforce, provide a complaint process, apply workforce sanctions for violations, mitigate the harmful effects of improper use and disclosure, not retaliate against individuals who exercise their rights, not require individuals to waive their rights, designate a privacy official and a contact person, and establish permitted uses and disclosures for its business associates.
What disclosures does HIPAA allow?
- Covered entities may disclose protected health information for treatment, payment, and certain health care operations of another covered entity.
- When legal ownership of a covered entity changes, protected health information may be disclosed to the new covered entity, with appropriate care.
- A covered entity may disclose protected health information to the FDA, about FDA-regulated products.
- Incidental uses or disclosures are not considered a violation of the Rule if the covered entity has applied reasonable safeguards and met the minimum necessary requirements.
What are the exceptions to the Privacy Rule?
The following disclosures do not need an individual's permission:
- Disclosures that are required by law
- Disclosures related to public health
- Disclosures for health oversight activities
- Disclosures for specialized government functions
- Reports to government agencies of abuse, neglect or domestic violence
- Disclosures made to law enforcement
- Disclosures made for judicial and administrative proceedings
- Disclosures made to avert imminent threat to health or safety of a person or public
- Disclosures for workers' compensation
- Disclosures for organ donation or transplantation
- Disclosures to coroners and medical examiners
When did this take effect?
The final compliance date for the Privacy Rule was April 14, 2003.
What happens if someone violates HIPAA regulations?
In January 2013, the final Omnibus HIPAA Rule adopted the increased, tiered civil money penalty structure for HIPAA violations provided by the HITECH Act. The Office for Civil Rights has the discretion to impose penalties on covered entities and business associates in cases of violations due to willful neglect, instead of first attempting to resolve the matter through informal means. Penalties for HIPAA violations are significant. Specifically, penalties for violations caused by willful neglect that are corrected range from $10,000 to $50,000 per violation. Penalties are capped at $1.5 million for violations of an identical requirement in a calendar year.
What are the other changes that were made due to the Final Omnibus HIPAA Rule that went into effect September 23, 2013?
Additional information on changes to HIPAA
Where can I find more information on HIPAA regulations?
The Wisconsin Department of Health Services "HIPAA NOW" site: http://www.dhs.wisconsin.gov/hipaa/index.htm, is intended to assist governmental entities within Wisconsin with HIPAA compliance. Assistance for private individuals and organizations is available through professional organizations, consultants, and collaborative organizations like HIPAA COW.
The HIPAA Collaborative of Wisconsin, at www.hipaacow.org, has useful information and continues to work on the legal issues regarding HIPAA regulations.
You can find the final Omnibus Rule modifying the HIPAA Privacy, Security, Enforcement and Breach Notification Rules, published January 25, 2013, at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (PDF, 885 KB)