By Douglas M. Wolfberg, Stephen R. Wirth & Ryan S. Stark
The dawn of the age of HIPAA did not mark the demise of emergency medical dispatch (EMD) as we knew it. Nonetheless, the Health Insurance Portability and Accountability Act (HIPAA) did create some confusion regarding our traditional practices of communicating patient information over the radio airwaves. Our law firm still gets regular inquiries about dispatch-related issues, ranging from whether you can say the patient’s name over the radio to whether ambulance services have to use encrypted radio transmissions for dispatch communications. Most often, these questions are motivated by legitimate concerns about patient privacy, but they are often fueled by overzealous—and ultimately unfounded—interpretations of what HIPAA actually requires. Fortunately, much of the debate concerning HIPAA and EMD transmissions can be easily resolved, because HIPAA broadly permits ambulance services and dispatch agencies to communicate any treatment-related information over the airwaves.
Are You Covered?
When resolving privacy issues related to emergency dispatch, there are two primary things to determine: 1) whether the organization doing the communicating is a “covered entity” under HIPAA and 2) the purpose of the communication. If the organization doing the communicating is not a “covered entity” under HIPAA, then the organization is not subject to any restrictions under HIPAA, and the organization may freely disseminate and receive patient information. If the organization doing the communicating is a HIPAA-covered entity, then HIPAA applies to any communication of protected health information (PHI) made or received by the organization, and the entity may only use or disclose PHI as permitted by HIPAA. However, as we’ll discuss below, HIPAA is simply not an obstacle to any communications that are necessary for patient care, which includes locating the patient.
In determining whether the organization is a “covered entity” under HIPAA, the general rules of thumb are: 1) nearly all ambulance services and other health-care providers (facilities, physicians, etc.) are covered entities, and 2) most dispatch agencies are not covered entities.
Generally, for a dispatch agency to be a covered entity under HIPAA, the agency must provide health-care services and engage in certain types of “covered” electronic transactions, such as billing Medicare or other insurers for health-care services. Because 9-1-1 centers and other dispatch agencies usually don’t bill for any health-care services, they don’t engage in the type of electronic transactions covered by HIPAA, and they are, therefore, not “covered entities” under HIPAA. Thus, these organizations may freely communicate PHI, through any means and to any party without violating the privacy regulations.
But watch out, some dispatch entities are part of ambulance services, hospitals or other health-care providers that do satisfy the covered entity test, and these types of entities can only use and disclose PHI in accordance with HIPAA.
If you’re unsure about whether the dispatch agency is a HIPAA-covered entity, you should look at the second part of the equation: the purpose of the communication. If the communication is permitted under HIPAA, it will alleviate any HIPAA concerns—regardless of the type of entity doing the communicating.
Fortunately, HIPAA permits any disclosures of PHI that are necessary for patient treatment purposes. This covers most types of transmissions that covered entities need to make during dispatch and EMS communications. HIPAA permits covered entities to use and disclose any PHI for the purposes of patient care and for health-care “operations” purposes. Nearly all EMS operational dispatch transmissions relate either to health-care operations (e.g., summoning the appropriate resources to an emergency scene) or directly to patient care (e.g., an initial dispatch with a patient’s address or location, or providing a verbal patient report to the hospital over the radio). HIPAA permits these types of communications between an ambulance service and any other party who has a legitimate need for the information including: dispatch centers, hospitals or other facilities, an online medical control physician, or between ambulance crews and police, fire or other responding EMS agencies. Further, HIPAA does not state that the disclosures must be in any particular form. Thus, HIPAA does not prohibit ambulance providers from communicating PHI to necessary parties via normal channels of communications, including over standard radio frequencies.
So dispatch agencies can transmit identifiable information to ambulance services, including the patient’s name and address, if necessary to enable the ambulance service to locate and identify the patient. Ambulance services may transmit patient information to other health-care providers over the radio if that information is needed for the purpose of treatment. Further, dispatch centers and ambulance services are not required to encrypt radio communications, or institute new privacy technologies so that people with scanners can no longer hear radio dispatches. HIPAA permits “incidental disclosures” of PHI to occur when the covered entity simply cannot help the fact that another party might legitimately overhear the information.
But there are still some remaining HIPAA requirements to look out for. Covered entities should take reasonable steps—wherever possible—to minimize the chances of the “incidental disclosures” we discussed above. For example, when communicating a patient report to a hospital, if a cell phone is available, it may be preferable to communicate patient information over the phone rather than transmit that information over a public radio frequency. However, this is not required, it’s simply a good “common sense” and courteous way to reduce unnecessary disclosures of patient information over public airwaves. But if the use of the radio is necessary, then HIPAA permits it whenever a disclosure of patient information by a covered entity is necessary for treatment purposes.
Patient Care Before Privacy
Remember, HIPAA was written so it wouldn’t impede the provision of high-quality patient care. If a communication is necessary for a treatment-related purpose, the communication should be made by the most efficient, secure means available at that time.
Hardly any 9-1-1 centers or municipal dispatch agencies are even covered by HIPAA, and even for those ambulance services that are covered, HIPAA doesn’t stand in the way of using patient information for treatment purposes. Quite simply, finding, accessing and treating a patient should never be delayed or impeded because of HIPAA concerns.
About the Authors
Douglas M. Wolfberg, Stephen R. Wirth and Ryan S. Stark are attorneys with Page, Wolfberg & Wirth, a leading EMS law firm. They are also the principal authors of the industry’s leading HIPAA publication, The Ambulance Service Guide to HIPAA Compliance. More information on HIPAA and other EMS law topics is available on the firm’s Web site at www.pwwemslaw.com.
Originally published in Public Safety Communications, 76(8):46-47, August 2010.