FAQs for HIPAA Compliance


News Apr 23, 2003

The following frequently asked questions (FAQs) and answers were compiled based on an interview with Doug Wolfberg, an attorney with Page, Wolfberg & Wirth, a leading EMS, ambulance and medical transportation industry law firm, and co-author of "The Ambulance Service Guide to HIPAA Compliance."

Is my fire department (or EMS or rescue organization) a covered entity under HIPAA?

That's a specific inquiry that each fire and EMS organization needs to make. There are basically three types of covered entities: health-care clearing houses, health plans and health-care providers who engage in certain electronic transactions. Most EMS providers fall into the third category because they conduct such transactions as claim filing. Moreover, nearly all EMS providers will be covered entities by Oct. 16, 2003, when a new law that requires all organizations to bill Medicare electronically will take effect. There are exemptions in the law, but basically it says if you want money from Medicare, you have to bill electronically, and if you bill electronically that's one of the covered transactions that, as a health care provider, makes you a covered entity.

In other words, if you have a fire department that provides EMS and bills Medicare on paper, they would not be a covered entity under HIPAA, but come Oct. 16, they will very likely have to start billing Medicare electronically and would be a covered entity, and if they start billing electronically sooner, then they would be a covered entity as of that date. But if a fire/rescue department is trying to determine if they're a covered entity, they need to look at all three prongs of the definition; most would not be a health-care clearinghouse, but some fire departments are part of municipal government entities that may be a covered entity because they qualify as a health plan. If they have a health plan as part of their benefits package, that may make the county, the city or municipality a covered entity in all respects; the fire department then becomes a covered entity as well.

Consult HHS's Covered Entity Decision Tools at the HIPAA Web site to make this important determination.

We've run into problems getting information about patients once they enter hospital doors. The hospital says it can't release the information because of HIPAA rules. Is this correct? It's making completing our billing process a nightmare and we're having trouble following up on patient outcomes, etc.

We hear that a lot and it's a complete misread by hospitals of the privacy rule. These hospitals are acting inappropriately because the privacy rule specifically allows health-care providers to share information between them if they're both treating the patient. That works in both directions. The fact is, under the privacy rule those disclosures work BOTH ways and they are expressly permitted under the privacy rule.

Hospitals need to read the rule before they tell ambulance services what they think it says, because they're absolutely incorrect if they tell you that they can't give information back to the ambulance service. In fact, they can give it not only under the treatment exceptions, but they can give it under the payment exception. They're allowed to give them face sheets, billing information and responsible-payer information. They're allowed to share medical information if the ambulance service is transporting a patient out of the facility.

Hospitals are also allowed to share information on patient outcomes with an ambulance service for quality assurance or quality improvement purposes, as long as that ambulance service also treated the patient. HIPAA doesn't prohibit any of these disclosures. Ambulance providers are treatment providers just the same as they are, and it's time that hospitals start treating them that way.

How does HIPAA apply to dispatch information and information discussed over the radio?

Generally, these communications are treatment-related disclosures. As long as they're related to treatment, those are generally permissible disclosures under HIPAA. Communications between field units and transporting entities communicating by radio to the hospital: these are all necessary for treatment, so those are permitted disclosures. A lot of responders sort of assume they can no longer talk on the radio, which is not at all the case under HIPAA, but they should use discretion. It doesn't require that you build new towers and implement new technology, or that your transmissions be encrypted. There are no such requirements. If it's not necessary to give a name over the radio, just don't give a name. You can still transmit information to field responders and between field responders and other necessary entities when it's necessary for treatment. There really are no restrictions on that.

What information can EMS providers give to law enforcement?

There are about eight "discrete exceptions" for when a patient's medical information can be shared with law enforcement. The bottom line: These are very specific instances and unless the disclosure fits into one of these specific exceptions, the disclosure should not be made. Examples of these instances include disclosures that are required by law (and you have to look at state law as well), disclosures related to a decedent where the cause of death may be suspicious or may be related to a crime, disclosures about crime victims in limited circumstances, disclosures about a crime that occurs on a health-care provider's premises, disclosures to identify or locate a missing person or suspect, and disclosures to alert the public about an imminent danger. You can find more information about these exceptions in the regulation (see 164.512F

How will HIPAA affect Critical Incident Stress Debriefing (CISD)? Do we need to limit what we say about a difficult call in CISD?

It's not a specific exception, but we think that falls under the definition of health-care operations, and, as such, these are permitted disclosures. But you have to look at who else is in the room. If an ambulance service is participating in a debriefing and firefighters, police officers and other public safety personnel are in the room, depending on the structure of the CISD organization, there may need to be "business associate" agreements, which are basically just confidentiality agreements, in place between the parties. The discussions would not be prohibited, but if it's a covered entity, the ambulance service or fire department would need to take steps to make sure that all the parties in the room will respect the confidentiality of the information, which is what CISD is all about anyway. That's one of the principles of CISD, that what happens there stays there, so signing a confidentiality agreement shouldn't present a problem to anyone participating.

Isn't this really just a management or an administration issue? Could individual fire/EMS crew members in the field be at risk for prosecution of HIPAA violations?

It is an administrative and management responsibility to be in compliance with HIPAA, but there can be individual concerns as well. Because the HHS Office of Civil Rights is the enforcement entity, you're looking at the possibility of exclusion from federal health care programs. The government has a large, interwoven menu of sanctions that it can choose from. Individuals should not assume they're beyond reach, particularly for willful violations, because there are criminal penalties. (For civil violations of the privacy rule, the Office of Civil Rights can levy fines up to $100 per violation and up to $25,000 per year. Criminal penalties include fines of up to $250,000 and up to 10 years of imprisonment.)

Special to Firehouse.com