The following frequently asked questions (FAQs) and answers were compiled based on an interview with Doug Wolfberg, an attorney with Page, Wolfberg & Wirth, a leading EMS, ambulance and medical transportation industry law firm, and co-author of "The Ambulance Service Guide to HIPAA Compliance."
Is my fire department (or EMS or rescue organization) a covered entity under HIPAA?
That's a specific inquiry that each fire and EMS organization needs to make. There are basically three types of covered entities: health-care clearing houses, health plans and health-care providers who engage in certain electronic transactions. Most EMS providers fall into the third category because they conduct such transactions as claim filing. Moreover, nearly all EMS providers will be covered entities by Oct. 16, 2003, when a new law that requires all organizations to bill Medicare electronically will take effect. There are exemptions in the law, but basically it says if you want money from Medicare, you have to bill electronically, and if you bill electronically that's one of the covered transactions that, as a health care provider, makes you a covered entity.
In other words, if you have a fire department that provides EMS and bills Medicare on paper, they would not be a covered entity under HIPAA, but come Oct. 16, they will very likely have to start billing Medicare electronically and would be a covered entity-and if they start billing electronically sooner, then they would be a covered entity as of that date. But if a fire/rescue department is trying to determine if they're a covered entity, they need to look at all three prongs of the definition; most would not be a health-care clearinghouse, but some fire departments are part of municipal government entities that may be a covered entity by because they qualify as a health plan. If they have a health plan as part of their benefits package, that may make the county, the city or municipality a covered entity in all respects-the fire department then becomes a covered entity as well.
Consult HHS's Covered Entity Decision Tools at the HIPAA Web site to make this important determination.
We've run into problems getting information about patients once they enter hospital doors. The hospital says it can't release the information because of HIPAA rules. Is this correct? It's making completing our billing process a nightmare and we're having trouble following up on patient outcomes, etc.
We hear that a lot and it's a complete misread by hospitals of the privacy rule. These hospitals are acting inappropriately because the privacy rule specifically allows health-care providers to share information between them if they're both treating the patient. That works in both directions. The fact is, under the privacy rule those disclosures work BOTH ways and they are expressly permitted under the privacy rule.
Hospitals need to read the rule before they tell ambulance services what they think it says, because they're absolutely incorrect if they tell you that can't give information back to the ambulance service. In fact, they can give it not only under the treatment exceptions, but they can give it under the payment exception. They're allowed to give them face sheets, billing information and responsible-payer information. They're allowed to share medical information if the ambulance service is transporting a patient out of the facility.
Hospitals are also allowed to share information on patient outcomes with an ambulance service for quality assurance or quality improvement purposes, as long as that ambulance service also treated the patient. HIPAA doesn't prohibit any of these disclosures. Ambulance providers are treatment providers just the same as they are, and it's time that hospitals start treating them that way.
How does HIPAA apply to dispatch information and information discussed over the radio?