FAQs for HIPAA Compliance

The following frequently asked questions (FAQs) and answers were compiled based on an interview with Doug Wolfberg, an attorney with Page, Wolfberg & Wirth, a leading EMS, ambulance and medical transportation industry law firm, and co-author of "The Ambulance Service Guide to HIPAA Compliance."

Is my fire department (or EMS or rescue organization) a covered entity under HIPAA?

That's a specific inquiry that each fire and EMS organization needs to make. There are basically three types of covered entities: health-care clearing houses, health plans and health-care providers who engage in certain electronic transactions. Most EMS providers fall into the third category because they conduct such transactions as claim filing. Moreover, nearly all EMS providers will be covered entities by Oct. 16, 2003, when a new law that requires all organizations to bill Medicare electronically will take effect. There are exemptions in the law, but basically it says if you want money from Medicare, you have to bill electronically, and if you bill electronically that's one of the covered transactions that, as a health care provider, makes you a covered entity.

In other words, if you have a fire department that provides EMS and bills Medicare on paper, they would not be a covered entity under HIPAA, but come Oct. 16, they will very likely have to start billing Medicare electronically and would be a covered entity-and if they start billing electronically sooner, then they would be a covered entity as of that date. But if a fire/rescue department is trying to determine if they're a covered entity, they need to look at all three prongs of the definition; most would not be a health-care clearinghouse, but some fire departments are part of municipal government entities that may be a covered entity by because they qualify as a health plan. If they have a health plan as part of their benefits package, that may make the county, the city or municipality a covered entity in all respects-the fire department then becomes a covered entity as well.

Consult HHS's Covered Entity Decision Tools at the HIPAA Web site to make this important determination.

We've run into problems getting information about patients once they enter hospital doors. The hospital says it can't release the information because of HIPAA rules. Is this correct? It's making completing our billing process a nightmare and we're having trouble following up on patient outcomes, etc.

We hear that a lot and it's a complete misread by hospitals of the privacy rule. These hospitals are acting inappropriately because the privacy rule specifically allows health-care providers to share information between them if they're both treating the patient. That works in both directions. The fact is, under the privacy rule those disclosures work BOTH ways and they are expressly permitted under the privacy rule.

Hospitals need to read the rule before they tell ambulance services what they think it says, because they're absolutely incorrect if they tell you that can't give information back to the ambulance service. In fact, they can give it not only under the treatment exceptions, but they can give it under the payment exception. They're allowed to give them face sheets, billing information and responsible-payer information. They're allowed to share medical information if the ambulance service is transporting a patient out of the facility.

Hospitals are also allowed to share information on patient outcomes with an ambulance service for quality assurance or quality improvement purposes, as long as that ambulance service also treated the patient. HIPAA doesn't prohibit any of these disclosures. Ambulance providers are treatment providers just the same as they are, and it's time that hospitals start treating them that way.

How does HIPAA apply to dispatch information and information discussed over the radio?

Generally, these communications are treatment-related disclosures. As long as they're related to treatment, those are generally permissible disclosures under HIPAA. Communications between field units and transporting entities communicating by radio to the hospital-these are all necessary for treatment so those are permitted disclosures. A lot of responders sort of assume they can no longer talk on the radio, which is not at all the case under HIPAA, but they should use discretion. It doesn't require that you build new towers and implement new technology, or that your transmissions be encrypted. There are no such requirements. If it's not necessary to give a name over the radio, just don't give a name. You can still transmit information to field responders and between field responders and other necessary entities when it's necessary for treatment. There really are no restrictions on that.

What information can EMS providers give to law enforcement?

There are about eight "discreet exceptions" for when a patient's medical information can be shared with law enforcement. The bottom line: These are very specific instances and unless the disclosure fits into one of these specific exceptions, the disclosure should not be made. Examples of these instances include disclosures that are required by law (and you have to look at state law as well), disclosures related to a decedent where the cause of death may be suspicious or may be related to a crime, disclosures about crime victims in limited circumstances, disclosures about a crime that occurs on a health-care provider's premises, disclosures to identify or locate a missing person or suspect, disclosures to alert the public about an imminent danger. You can find more information about these exceptions in the regulation (see 164.512F

How will HIPAA affect Critical Incident Stress Debriefing (CISD)? Do we need to limit what we say about a difficult call in CISD?

It's not a specific exception, but we think that falls under the definition of health-care operations, and, as such, these are permitted disclosures. But you have to look at who else is in the room. If an ambulance service is participating in a debriefing and firefighters, police officers and other public safety personnel are in the room, depending on the structure of the CISD organization, there may need to be "business associate" agreements, which are basically just confidentiality agreements, in place between the parties. The discussions would not be prohibited, but if it's a covered entity, the ambulance service or fire department would need to take steps to make sure that all the parties in the room will respect the confidentiality of the information, which is what CISD is all about anyway. That's one of the principles of CISD-that what you happens there stays there-so signing a confidentiality agreement shouldn't present a problem to anyone participating.

Isn't this really just a management or an administration issue? Could individual fire/EMS crew members in the field be at risk for prosecution of HIPAA violations?

It is an administrative and management responsibility to be in compliance with HIPAA, but there can be individual concerns as well. Because the HHS Office of Civil Rights is the enforcement entity, you're looking at the possibility of exclusion from federal health care programs. The government has large, interwoven menu of sanctions that it can choose from. Individuals shouldnot assume they're beyond reach, particularly for willful violations because there are criminal penalties. (For civil violations of the privacy rule, the Office of Civil Rights can levy fines up to $100 per violation and up to $25,000 per year. Criminal penalties include fines of up to $250,000 and up to 10 years of imprisonment.)