Note: This notice is designed to provide EMS with information that may be used in situations where HIPAA confusion exists.

Background: The HIPAA Privacy Rule establishes a foundation of Federal protection for personal health information, carefully balanced to avoid unnecessary barriers to the delivery of quality health care. The Privacy Rule permits a covered entity to use and disclose protected health information for treatment, payment and health care operations.

45 CFR 164.501 of the Privacy Rule defines treatment as the provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient or the referral of a patient for health care from one health care provider to another. 45 CFR 164.506 specifically states that a covered entity may disclose protected health information for treatment activities of a health care provider.

Therefore, 45 CFR 164.501 and 45 CFR 164.506 provides EMS personnel with the authority to receive protected health information for purposes of transport and subsequently permits EMS personnel to disclose protected health information to another health care provider such as a hospital for continued patient treatment.

The HIPAA Privacy Rule also requires that covered entities must provide patients with a Notice of Privacy Practices. However, 45 CFR 164.520 provides specific direction related to the administration of notice. 45 CFR 164.520 (i) (B) states that a covered health care provider that has a direct treatment relationship with an individual must provide the notice in an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.

Therefore, 45 CFR 164.520 would not require EMS personnel to administer the Notice of Privacy Practices to a patient in transport. That can be done by the treating facility when it is practical to do so.