The U.S. Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and provides confidential status to citizens’ medical information, among other things. The Act covers the handling of paper and electronic medical records, and even how information can be verbally passed between people and entities. In general, your personal medical information belongs to you, and you must consent in order for it to be shared.
Since first responders are frequently involved in incidents that include medical conditions, a frequent question is whether HIPAA applies to public safety communications centers, dispatchers, computer-aided dispatch (CAD), radio communications and mobile data systems, allowing them to ask and record medical information, relay it to first responders on the radio and otherwise document it.
The answer is NO. Public safety communications centers operated by government entities such law enforcement, fire, rescue or stand-alone 9-1-1 agencies are not covered by HIPAA regulations. Therefore, dispatchers can use their normal procedures for obtaining incident information, recording it in CAD or other systems, and relaying that information to first responders.
The reason that public safety dispatchers are able to provide this information is simple: HIPAA applies to only to “covered entities,” specifically companies or agencies that handle medical information, such as insurance and direct medical providers. HIPAA does not consider government public safety agencies as covered entities. As a result, the Act does not apply to commonly-configured public safety comm centers that field 911 calls and dispatch first-responders via radio or other means. Therefore, HIPAA privacy requirements do not apply to public safety comm centers.
Nevertheless, the Act does set a generally-accepted community standard for medical information privacy in the United States. Citizens expect their personal medical information to remain private, except when it’s being directly used to provide a prompt emergency response to their needs. As a result, to be a trusted and respected partner in the community, each public safety comm center must have an overall information privacy policy (usually related to law enforcement information, but also covering fire and medical information), and have established routines for gathering, recording, distributing and protecting this information.
In addition, some states have medical privacy laws that might apply—you should check to see what regulations your state may have.
Over the years, various people and groups have issued opinions on the subject of HIPAA privacy, all confirming the above information. Some of them are posted and linked below.
NENA Opinion
The following information was posted by the National Emergency Number Association (NENA) in 2003:
One of the issues raised by the NENA listserver membership and to which I committed the Operations Committee to research was to determine the applicability of HIPAA to PSAPs and under what conditions might it apply. The list server had a number of inquiries about HIPAA, its applicability to PSAP operations, and other issues.
Norm Forshee, Wireless Committee Co-Chair, advised that (his) staff attorneys were looking into the matter for his shop and would make that information available to the Operations Committee. I’ve since communicated with John Kelly, the attorney, and his comments are as follows. I’ve also included information pertinent to the initial inquiry and append the completed results to this email.
Finally, regardless of this feedback to the membership, each PSAP is urged to consult their respective city/county or state attorney for an interpretation of HIPAA and how it applies to their specific jurisdiction’s operations.
Key Definitions: HIPAA is a law mandating that anyone belonging to a group health insurance plan must be allowed to purchase health insurance within an interval of time beginning when the previous coverage is lost. The law protects employees, especially those with long term health conditions who may be reluctant to leave jobs because they are afraid pre-existing condition clauses will limit coverage of any such conditions under a new insurance plan, from losing health insurance due to a change in employment status.
HIPAA makes specific mention to a “covered entity,” the definition of which is:
Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Unless I am missing something, nothing a PSAP does in day-to-day business would make it a covered entity, as defined.
In John Kelly’s opinion: “…. HIPAA does not impose any additional burdens on PSAPS, generally. This is based on the fact that the definition of “healthcare provider” in the HIPAA regulations would not include PSAPS or Communication Centers, unless they are a communication center solely for an ambulance service or they do record storage or processing which includes medical records (e.g., EMS run reports).
PSAPS would have to comply with the HIPAA regulations as they apply to health insurance records of their employees, but this usually is handled by the Human Resources Department or the contracted health insurance provider.
PSAPS ARE restricted by many federal and state medical information privacy laws, but most of these existed pre-HIPAA and were not changed by the advent of the HIPAA regulations.”
Again, each PSAP is urged to consult their respective city/county or state attorney for an interpretation of HIPAA’s applicability to their their specific operations.
Thanks,
Bill Weaver
911 Center Operations Committee Liaison
281-861-7304 Off
Links
- U.S. Department of Health & Human Services’ Web page on HIPAA
- Guide to HIIPAA Law, book for sale on Amazon.com
- World Privacy Forum on HIPAA
- HIPAA position by Louisiana appeals court, 2006
- Attorney’s opinion (pdf), as posted by the Association of Public Safety Communications Officials (APCO)
- Attorney’s opinion, as posted in a law bulletin
- Attorney’s opinion, July 2014