Note: This message is displayed if (1) your browser is not standards-compliant or (2) you have you disabled CSS. Read our Policies for more information.
This information is offered as an introduction to HIPAA and is NOT offered as legal advice or as a substitute for legal advice. Specific questions regarding HIPAA or any other legal matters should be directed to an attorney.
Further, this web site offers links to both governmental and commercial web sites. The State of Indiana neither endorses the products offered on these sites nor guarantees the accuracy of the information offered by these sites.
The Health Insurance Portability and Accountability Act ("HIPAA") has four primary components. HIPAA’s Four Components Are:
HIPAA’s most immediate concern is its Privacy Rule, which becomes enforceable on April 14, 2003. The Privacy Rule creates a minimum national standard for how Protected Health Information ("PHI") may be handled and released. The good news is that HIPAA takes a common-sense approach to many of its privacy requirements. The bad news is that HIPAA has many privacy requirements that must be carefully read, fully understood, and immediately implemented.
While HIPAA provides a national baseline for the protection of Protected Health Information, HIPAA does not affect state laws that grant greater protection to Protected Health Information. For an overview of privacy laws please see: http://www.healthprivacy.org/
Further, all Indiana certified emergency medical services personnel, under 836 IAC 1-1-2(a)(8), risk being subject to fines and suspension or revocation of their Indiana Certification for the "Unauthorized disclosure of medical records or other confidential patient information." Please see: http://www.in.gov/legislative/iac/t08360/a00010.pdf
Indiana Code 16-31-2-11 states that the following information, if contained in a pre-hospital ambulance rescue or report record regarding an emergency patient, is public information and must be made available for inspection and copying under IC 5-14-3:
This page will address issues related to the Privacy of Health Information, which becomes enforceable Monday April 14, 2003. The Department of Health and Human Services ("DHHS") Office of Civil Rights ("OCR") is charged with enforcing HIPAA and is a great source of information. For your convenience a link to their web site is included at the bottom of this page.
As a group, EMS providers are not exempt from HIPAA. The gateway question for providers is whether their service is a "covered entity" under HIPAA’s privacy requirements. The term "covered entity" is defined in 45 CFR § 160.103. OCR has created an interactive tool to help answer the question of who is a covered entity: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
Covered entities must familiarize themselves with and abide by HIPAA’s requirements. Links to an article that addresses some of HIPAA’s requirements in relation to an EMS provider follow. This two-part article first appeared on-line at MERGINET.News on January 2003 and March 2003. http://www.merginet.com/.
To comply with HIPAA, a covered entity MUST:
The OCR has provided guidance concerning Business Associate Contracts, which can be found at: http://www.hhs.gov/ocr/hipaa/contractprov.html
While HIPAA prohibits some disclosures of Protected Health Information, it does NOT relieve a covered entity of the requirement to make certain disclosures that are required under Indiana State Law.
IC 16-31-2-11 states that the Commission shall develop procedures for ongoing review of all emergency ambulance services. The Commission may review any prehospital report record regarding an emergency patient… However, those records shall remain confidential and may be used solely for the purpose of compiling data and statistics.
Please see: http://www.ai.org/legislative/ic/code/title16/ar31/ch2.html
836 IAC 1-2-3 states that all ambulance service providers shall participate in the emergency medical service system review by collecting all data elements prescribed by the commission and reporting that information according to procedures and schedules prescribed by the commission.
Please see: http://www.in.gov/legislative/iac/t08360/a00010.pdf
FOR MORE INFORMATION ON HIPAA PLEASE SEE:
OCR’s web site:
The full text of the final regulation is available at: http://www.hhs.gov/ocr/hipaa/privrulepd.pdf
OCR compiled a collection of Frequently Asked Questions (FAQs).
This tremendous resource is available at : http://www.hhs.gov/ocr/hipaa/guidelines/guidanceallsections.pdf
Centers for Medicare and Medicaid Services ("CMS"):
CMS has Created a Compliance Checklist and Information Page:
CMS Ambulance Services Web Page:
Indiana HIPAA Workgroup:
Phoenix Health Systems HIPAA page:
The American Medical Association’s HIPAA site:
(Look for the document "How to HIPAA: Top 10 Tips)