IN.gov - Skip Navigation

Note: This message is displayed if (1) your browser is not standards-compliant or (2) you have you disabled CSS. Read our Policies for more information.

Amber Alert
Amber Alert - TEST
  • NTAS_widget
  • map_widget
  • state-that-works_widget

Indiana Department of Homeland Security

Health Insurance, Privacy and Accountability Act (HIPAA) for EMS Health Insurance, Privacy and Accountability Act (HIPAA) for EMS

HIPAA for EMS

This information is offered as an introduction to HIPAA and is NOT offered as legal advice or as a substitute for legal advice. Specific questions regarding HIPAA or any other legal matters should be directed to an attorney.
Further, this web site offers links to both governmental and commercial web sites. The State of Indiana neither endorses the products offered on these sites nor guarantees the accuracy of the information offered by these sites.

The Health Insurance Portability and Accountability Act ("HIPAA") has four primary components. HIPAA’s Four Components Are:

  1. Standardization of Transactions and Code Sets (Final rule adopted)
  2. Privacy of Health Information (Final rule adopted)
  3. Security of Health Information (Final rule adopted)
  4. Identifiers (No rule proposed)

HIPAA’s most immediate concern is its Privacy Rule, which becomes enforceable on April 14, 2003. The Privacy Rule creates a minimum national standard for how Protected Health Information ("PHI") may be handled and released. The good news is that HIPAA takes a common-sense approach to many of its privacy requirements. The bad news is that HIPAA has many privacy requirements that must be carefully read, fully understood, and immediately implemented.

While HIPAA provides a national baseline for the protection of Protected Health Information, HIPAA does not affect state laws that grant greater protection to Protected Health Information. For an overview of privacy laws please see: http://www.healthprivacy.org/

Further, all Indiana certified emergency medical services personnel, under 836 IAC 1-1-2(a)(8), risk being subject to fines and suspension or revocation of their Indiana Certification for the "Unauthorized disclosure of medical records or other confidential patient information." Please see: http://www.in.gov/legislative/iac/t08360/a00010.pdf

Indiana Code 16-31-2-11 states that the following information, if contained in a pre-hospital ambulance rescue or report record regarding an emergency patient, is public information and must be made available for inspection and copying under IC 5-14-3:

  1. The date and time of the request for ambulance services.
  2. The reason for the request for assistance.
  3. The time and nature of the response to the request for ambulance services.
  4. The time of arrival at the scene where the patient was located.
  5. The time of departure from the scene where the patient was located.
  6. The name of the facility, if any, to which the patient was delivered for further treatment and the time of arrival at that facility.

Please see: http://www.ai.org/legislative/ic/code/title16/ar31/ch2.html

This page will address issues related to the Privacy of Health Information, which becomes enforceable Monday April 14, 2003. The Department of Health and Human Services ("DHHS") Office of Civil Rights ("OCR") is charged with enforcing HIPAA and is a great source of information. For your convenience a link to their web site is included at the bottom of this page.

As a group, EMS providers are not exempt from HIPAA. The gateway question for providers is whether their service is a "covered entity" under HIPAA’s privacy requirements. The term "covered entity" is defined in 45 CFR § 160.103. OCR has created an interactive tool to help answer the question of who is a covered entity: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Covered entities must familiarize themselves with and abide by HIPAA’s requirements. Links to an article that addresses some of HIPAA’s requirements in relation to an EMS provider follow. This two-part article first appeared on-line at MERGINET.News on January 2003 and March 2003. http://www.merginet.com/.

Article Part 1: http://www.merginet.com/emsnewsfiles/416_17.shtml
Article Part 2: http://www.merginet.com/emsnewsfiles/454_17.shtml

To comply with HIPAA, a covered entity MUST:

  1. Designate a Privacy Official
  2. Conduct and documented privacy training for your workforce
  3. Develop an authorization form for the release of Protected Health Information
  4. Develop a Notice of Privacy Practices
  5. Develop and put into place Business Associate Contracts

The OCR has provided guidance concerning Business Associate Contracts, which can be found at: http://www.hhs.gov/ocr/hipaa/contractprov.html

While HIPAA prohibits some disclosures of Protected Health Information, it does NOT relieve a covered entity of the requirement to make certain disclosures that are required under Indiana State Law.

  1. 45 CFR 160.203, in part, exempts from preemption a state law that "provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention."
  2. 45 CFR 164.512, in part, allows disclosures of protected health information by a covered entity to a "Health" oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of the health care system."

All Indiana EMS providers MUST continue to submit information from
Their run reports to the Indiana Emergency Medical Services
Under IC 16-31-2-11 and 836 IAC 1-2-3 (Please see below)
Please direct all inquiries concerning these reporting requirements to Mark Nelson: mnelson@sema.state.in.us

IC 16-31-2-11 states that the Commission shall develop procedures for ongoing review of all emergency ambulance services. The Commission may review any prehospital report record regarding an emergency patient… However, those records shall remain confidential and may be used solely for the purpose of compiling data and statistics.
Please see: http://www.ai.org/legislative/ic/code/title16/ar31/ch2.html

836 IAC 1-2-3 states that all ambulance service providers shall participate in the emergency medical service system review by collecting all data elements prescribed by the commission and reporting that information according to procedures and schedules prescribed by the commission.
Please see: http://www.in.gov/legislative/iac/t08360/a00010.pdf

FOR MORE INFORMATION ON HIPAA PLEASE SEE:

OCR’s web site:
http://www.hhs.gov/ocr/index.html

The full text of the final regulation is available at: http://www.hhs.gov/ocr/hipaa/privrulepd.pdf

OCR compiled a collection of Frequently Asked Questions (FAQs).
This tremendous resource is available at : http://www.hhs.gov/ocr/hipaa/guidelines/guidanceallsections.pdf

Centers for Medicare and Medicaid Services ("CMS"):
http://www.cms.hhs.gov/hipaa/

CMS has Created a Compliance Checklist and Information Page:
http://www.hipaa.org/

CMS Ambulance Services Web Page:
http://www.cms.hhs.gov/suppliers/ambulance/default.asp
Indiana HIPAA Workgroup:
http://www.indianahipaa.org/main.asp?page=Home

Phoenix Health Systems HIPAA page:
http://www.hipaadvisory.com/

The American Medical Association’s HIPAA site:
(Look for the document "How to HIPAA: Top 10 Tips)
http://www.ama-assn.org/ama/pub/category/4234.html