No. An EMS service operated by a fire department that does not electronically submit one of the HIPAA standard transactions is not a covered entity.

Last Updated: 10/6/2003

No. Human resource departments are not directly regulated by HIPAA. The health plan itself is regulated. If the health plan is self-insured, there will be HIPAA obligations that will fall to the employer. We generally advise human resource departments to obtain patient authorizations whenever possible, primarily to facilitate disclosures from covered entities such as providers to the employer.

The HIPAA rule does not cover employers per se. However, virtually any employer with a health plan will feel the effects of HIPAA. While HIPAA does not directly regulate the employer, including the human resource department, the HIPAA regulations do directly apply to virtually all employer-sponsored health plans. The regulations therefore treat the health plan as an entity separate from the employer. That distinction becomes blurred because the employer is the plan sponsor for the health plan. While the employer/plan sponsor is not covered, the health plan must comply with HIPAA.
Fully insured plans are relieved of many of the HIPAA compliance burdens. For example, fully insured employee health plans need not distribute a notice of privacy practices, amend plan documents, or comply with many of the administrative requirements. The only administrative requirements with which fully insured plans must comply are the duties to mitigate damages from improper disclosures of information, refrain from retaliation and prohibit waivers of individual rights. On the other hand, self-insured health plans must comply with most of the HIPAA obligations.

Last Updated: 10/6/2003

No. An EMS service operated by a fire department that does not electronically submit one of the HIPAA standard transactions is not a covered entity.

Last Updated: 10/6/2003

Whether or not an EMS service is covered will depend on whether that service bills electronically in one of the standard transactions. If not, they are not covered entities.

Last Updated: 10/6/2003

No. Because police departments do not use any of the HIPAA standard electronic transactions for providing First Responder Services, they are not covered entities.

Last Updated: 10/6/2003

No. Because police departments do not use any of the HIPAA standard electronic transactions for providing First Responder Services, they are not covered entities.

Last Updated: 10/6/2003

Whether or not an EMS service is covered will depend on whether that service bills electronically in one of the standard transactions. If not, they are not covered entities.

Last Updated: 10/6/2003

Only if the health department uses any of the standard electronic transactions.

The federal government gives the following guidance: A local health department will be required to comply with the HIPAA privacy rule if it performs functions that make it a covered entity or otherwise meets the definition of a “covered entity.” For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the privacy rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit information electronically in connection with the transaction covered in the HIPAA transactions rule, they are covered entities.

There is a tool designed to help entities figure out if they are covered at http:\\www.cms.gov\hipaa\hipaa\support\tools\decisionsupport\default.asp.

Therefore, if the health departments that charge for the flu shots submit these charges to insurers or clearinghouses or any other recipient in one of the standard electronic HIPAA transactions, they will be covered entities required to comply with the HIPAA regulations.

Last Updated: 10/6/2003

No. If the health departments do not charge for their services, they are not covered entities because they will not be submitting any of the electronic standard transactions.

Last Updated: 10/6/2003

No.

Last Updated: 10/6/2003

Regardless of whether the EMS service is a covered entity, Wisconsin law is more restrictive and will thus control to allow only limited disclosures to police without authorization or a court order. Those disclosures are delineated below (child abuse, deceased patients etc.) There is a general duty to cooperate with police under Wisconsin law, and in certain circumstances where it is in the patient's best interest, we can justify disclosure. But the general rule is to get the patient's consent or require a court order. If the EMS service is a covered entity (bills electronically using standard transactions), the only difference is that HIPAA restricts the content of the disclosure where a patient has died.

Explanation:
As a preliminary matter, you were correctly informed that police departments are not providers. However, this fact does not affect whether the EMS staff may disclose to the police. HIPAA does not govern receipt of information. HIPAA governs use or disclosure of information.

EMS services that are not covered entities may use or disclose information without violating HIPAA but must still comply with Wisconsin law. EMS services that are covered entities must comply with HIPAA and Wisconsin law, whichever is more stringent (where they are contrary). As you will see, Wisconsin is generally more stringent on the issue of disclosures to police.

HIPAA allows covered entities to disclose to law enforcement in the following situations:

Where required by law (including court order).

Limited information for identification and location purposes (including name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death if applicable, and a description of distinguishing physical characteristics.

Information about victims of a crime in response to a law enforcement official¡¦s request if the individual agrees to the disclosure or the covered entity is unable to obtain the agreement because of incapacity or other emergency circumstance, provided that the law enforcement official certifies that the information is necessary and cannot wait and the covered entity determines that the disclosure is in the best interests of the individual.

About patients who have died, if the covered entity suspects that the death may have resulted from crime (note that this is more restrictive than the Wisconsin law provision and thus HIPAA will control disclosures of information about people who have died).

Where the covered entity believes that there was a crime that occurred on the ¡§premises.¡¨

In emergencies if the disclosure is necessary to alert law enforcement to the commission and nature of a crime, the location of the crime or of the victims of the crime, or the identity, description and location of the perpetrator of the crime

About abuse, neglect or domestic violence.
Wisconsin law contemplates a general duty to cooperate with the police and sometimes disclosures that are not explicitly authorized by the statute can be justified on this basis. However, in general, Wisconsin law allows only very limited disclosures to law enforcement without patient consent or a court order, including:

Reporting child abuse or neglect.

For investigation of a death in certain circumstances (although HIPAA controls on this issue because it is more restrictive).

When required by law (including court order)

The information allowed by Wis. Stat. ¡± 146.50(12)(b) as discussed in the next question.
Disclosures that are not authorized under Wisconsin law can subject the discloser to fines as well as liability to the patient.

Last Updated: 10/6/2003

If the EMS service is not a covered entity under HIPAA (does not bill electronically), the answer is no. If the EMS service is a covered entity, and the patient does not authorize release, the EMS service may release the name, location and condition in general terms, as long as the patient has had the opportunity to object. If the patient is too incapacitated to object, , the EMS service may make that limited disclosure if the patient has previously expressed this as a preference and it is in the patient’s best interest. Practically speaking, in the EMS context, if you can give the patient the opportunity to object, you can get the patient’s consent to full disclosure of everything the requester wants to know.

Explanation:
As you know, Wis. Stat. § 146.50(12)(b) allows ambulance service providers to make available to any requester information contained on a record of an ambulance run which identifies the ambulance service provider and emergency technicians involved, date of call, dispatch and response times of the ambulance, reason for the dispatch, location to which the ambulance was dispatched, destination, if any, to which the patient was being transported by ambulance and name, age and gender of the patient. This section prohibits disclosure of information containing details of the medical history, condition or emergency treatment of any patient. If the ambulance service provider is a covered entity under HIPAA, disclosure of such identifiable information is a disclosure of PHI and should not occur without a release with the following exception.

42 C.F.R. § 164.510 allows covered entities to use or disclose protected health information where the individual has had the opportunity to agree or object. This information is for the purposes of a “facility directory.” This provision allows disclosure of the individual’s location and condition in general terms to a requester who knows the patient’s name. These disclosures may be made for “directory purposes” in emergency circumstances without an opportunity to agree or object if such disclosure is consistent with a prior expressed preference of the individual that is known to the health care provider and in the individual’s best interest. The covered health care provider must then inform the individual and provide an opportunity to object to uses or disclosures for directory purposes when it becomes practicable to do so.
As with all aspects of HIPAA, the meaning of “facility directory” is uncharted territory. However we do not believe that this provision will be interpreted literally to mean a compiled list of patient information. In the EMS context, it is probable that disclosures to requesters (who know the patient’s name) about location and condition are permissible, regardless of the fact that there will be no actual “facility directory.” The federal government guidance states simply that directory information (location and general condition) may be disclosed to those who ask for the patient by name.

If the ambulance service provider is not a covered entity, the opportunity to object is not a factor and the information may be disclosed as contemplated by Wis. Stat. § 146.50.

Last Updated: 10/6/2003

If the disclosing entity is not a covered entity, HIPAA will not affect the release, although Wisconsin law might, as discussed above. Whether Wisconsin law allows disclosure will depend on the content of the report. A helpful resource is the preemption grid available at www.hipaacow.org. Notably, a recent Wisconsin case upheld a jury verdict finding an EMT liable to a patient for invasion of privacy, where the EMT disclosed information to the patient’s co-worker. If the ambulance service provider is a covered entity, it will depend what is contained in the report, to whom it is being disclosed, and for what purpose.

If the disclosing entity is a covered entity, general release of protected health information to the public will typically not be acceptable under HIPAA. Again, however, it may depend on what is in the report.

Last Updated: 10/6/2003

HIPAA will not affect an employer’s rights under the Family and Medical Leave Act to verify eligibility or conduct a fitness for duty evaluation. Employers may wish to routinely obtain authorizations to facilitate the process.

Last Updated: 10/6/2003

If the fire department is not a covered entity (which it almost certainly will not be), HIPAA will not affect the disclosures. However, Wisconsin law will affect the disclosures as discussed above.

Last Updated: 10/6/2003