The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is a federal law that outlines how an individual’s health information is protected.  EMS is one of the entities that is covered under HIPAA.

What is Covered

There is certain information, called protected health information (PHI), that is protected under HIPAA.  This information can identify an individual, so disclosing it to a third party discloses that individual’s medical information.  PHI includes all of the following:

  • Demographic Data relating to an individual’s past, present or future physical or mental health or condition
  • Demographic Data relating to the provision of health care to an individual
  • Demographic Data relating to the past, present or future payment for the provision of health care
  • Demographic Data that can identify an individual

This could include an individual’s name, address, date of birth, social security number, and more.

Permitted Uses

According to the U.S. Department of Health & Human Services, there are a number of permitted uses of PHI that do not require an individual’s consent.  These include:

  1. Any information distributed to the individual
    The department can provide PHI to the individual who is the subject of the information.  For example, if you perform a procedure (such as establishing IV access), the patient has the right to ask what was performed, why it was performed, and information regarding the procedure.
  2. Treatment, payment and health care operations
    1. Treatment includes the provision, coordination and management of health care or related services
      For example, when transferring patient care, the EMS squad will deliver PHI to the receiving physician, nurse or transfer unit for the continuance of patient care.
    2. Payment includes the ability to bill the patient for our services
      For example, after transporting a patient to the hospital, the department can use PHI such as the patient’s name, date of birth and social security number to send a bill to the patient.  This can even be done if we use a third-party billing company.
    3. Health Care Operations includes any of the following activities:
      a. Quality Assessment/Quality Improvement
      b. Competency Activities/Performance Review
      c. Conducting Medical Reviews/Audits
      d. Creating a de-identified limited data set

      For example, in items a and b, a mentor or EMS officer could review a call to provide additional feedback on how a call went, as well as provide feedback on the report that was written.  For item c, medical control could review calls in a similar manner as items a or b, and provide feedback on protocols or skills.  For item d, the department can de-identify PHI to provide a review of services provided.  For example, the department could create a report outlining the types of services provided, the types of injury in the area, or other information, so long as the information does not identify a particular individual.
  3. The opportunity to agree or object
    For example, if the patient requests that his or her husband or girlfriend be present in the ambulance, the patient waives his or her right to some of the protections of HIPAA.
  4. Incident to an otherwise permitted use and disclosure
    By providing reasonable safeguards, such as speaking quietly to a patient on scene, isolating and locking file cabinets, and adding security such as passwords on personal information, the department minimizes the risk of disclosing PHI.  In addition, the department restricts access to PHI to only those members who require routine access to that data.
  5. Public interest and benefit activities
    For example, the department is required by law to report specific information, such as: suspicion of abuse or neglect; information used to prevent or control disease, injury and disability; judicial or administrative proceedings; law enforcement purposes (to identify or locate a suspect, fugitive, material witness or missing person); alerting law enforcement to the death of an individual; tissue donation; a serious threat to health or safety; and workers’ compensation.
  6. Limited data set for the purposes of research, public health, or health care operations
    See item 2.d.

Whitewater Fire Department, Inc. EMS Division requires that all patients receive a copy of our Privacy Practices form.  This is on our Ambulance Signature Form.  This form is required to be signed by every patient, unless the patient is unable to do so, and a copy that explains the patient’s rights under HIPAA is left with the patient.

So, what are the penalties for a HIPAA violation?  According to TrueVault.com, a HIPAA penalty is based on the level of neglect of the Covered Entity (CE).  In addition to the financial penalty, a HIPAA violation can result in jail time as well.

Violation                        Amount per Violation   Possible Jail Time
Did not know                     $100-$50,000           Up to 1 Year
Reasonable Cause                 $1,000-$50,000         Up to 1 Year
Willful Neglect – Corrected      $10,000-$50,000        Up to 5 Years
Willful Neglect – Not Corrected  $50,000                Up to 10 Years

A description of those four categories, from hipaajournal.com:

  • Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
  • Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
  • Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

So, where does this leave us?  Assume that you take home a patient care report but forget it in your car.  A few days later, you are filling up the gas tank and getting something out of the back seat, and the patient care report falls out of the car.  You drive away and don’t think about it.  Which violation category do you think this falls under?

Think about some common scenarios and decide whether you think there is a HIPAA violation.  If it is not a HIPAA violation, could it turn into one?

  1. You are in the back of the ambulance treating a 16-year-old female when, on being asked, she informs you that she is pregnant.  When you get to the hospital, the parents are already waiting in the ER room.  You transfer the patient to the bed and give the nurse and doctor a patient update, which includes the fact that she is pregnant.
  2. You arrive on scene of a bad car wreck and begin providing patient care.  Prior to leaving the scene, you take a couple of quick photos of the scene to show to the doc.
  3. The captain of the department is reviewing a particular call.  She emails all involved EMTs as well as the officer staff requesting additional details on the incident.  You answer the questions with a reply all to the email.
  4. You are sitting in the break room after running a call.  It was a particularly tough call, so you talk with some of the other members that are down at the station about the call.  None of them were on the call you were just on.
  5. While returning from the hospital after a particularly bad accident, you see on Facebook that a news agency is already reporting on the incident.  You decide to chime in and add to the conversation.