ADVISORY

TO: All Massachusetts Ambulance Services

FROM: Tracy A. Miller, J.D., MDPH Privacy Officer

DATE: May 12, 2004

RE: HIPAA authorizes a covered entity to disclose patient protected health information for treatment purposes without patient authorization

A year after the implementation of the HIPAA Privacy Rule (implementing the Health Insurance Portability and Accountability Act of 1996), there continues to be confusion regarding whether an EMT providing pre-hospital care can disclose protected health information (PHI) about a patient upon arrival at the hospital. This advisory is sent to remind all ambulance services that are covered entities under HIPAA, their EMTs and their dispatch personnel that HIPAA does not prohibit the disclosure of such information for the purpose of treating and facilitating the continuity of treatment of a patient. Indeed, the Privacy Rule authorizes health care providers to disclose such information for treatment purposes without patient authorization.

While HIPAA is a federal statute, and the regulations implementing this statute are those of the U.S. Department of Health and Human Services (HHS), the Department of Public Health (DPH) is providing this guidance since it is aware of some confusion about HIPAA and its implications for EMS. DPH is informed that some ambulance services are mistakenly citing HIPAA as a basis for not providing hospitals with the patient’s name, medical status, and details of treatment upon delivery of patients. We understand that this has delayed appropriate treatment of some patients upon their arrival at the hospital.

The Office for Civil Rights, U.S. Department of HHS, which implements and enforces the Privacy Rule, provides the following question and answer on its website:

• When an ambulance service delivers a patient to a hospital, is it permitted to report its treatment of the patient and patient’s medical history, without the patient’s authorization?

• Yes. The HIPAA Privacy Rule permits an ambulance service or other health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider, such as a hospital, for the provider’s treatment of the individual. See 45 CFR 164.506 and the definition o f “treatment” at 45 CFR 164.501.

It is important to remember that HIPAA permits ambulance services and other health care providers, which are covered entities under HIPAA, to disclose a patient’s protected health information (PHI) for treatment purposes. Treatment includes the disclosure of PHI to other health care providers, such as doctors and nurses at hospitals, and also includes the disclosure of PHI via radio or telephone to a hospital or dispatch center for purposes of insuring the appropriate treatment and continuity of care for the patient, provided appropriate privacy and security precautions are taken.

Consequently, ambulance services and their EMS personnel are authorized and need to provide receiving hospitals with all patient information necessary to ensure appropriate and timely care. HIPAA has done nothing to change this requirement.

Please share this information with all your dispatch and EMS personnel.

Not all ambulance services are covered entities and subject to HIPAA. If the service does not engage in any HIPAA covered electronic transactions (the most common one for an ambulance service is electronic billing of Medicare, Medicaid, or other insurance companies, either in-house or through a third-party) then the service is not a covered entity and the requirements of HIPAA do not apply.