This is a legal opinion from the Portland City Attorney's Office explaining why HIPAA does not apply to the Portland Fire Bureau. In sum, it says that because the fire bureau is not engaged in a transaction involving fees and health care service, it is not a covered entity. This is important because some fire departments have decided that because they are EMTs they potentially are health care providers. But HIPAA only applies to certain entities and according to this opinion does not apply to the Portland Fire Bureau.
Courtesy of Therese Bottomly, The Oregonian
March 30, 2004
Portland Fire Bureau, EMS Coordinator
Portland Fire Bureau, EMS Deputy Chief
Linda Hockett Portland Fire Bureau
FROM: David L. Jorling
Senior Deputy City Attorney
SUBJECT: HIPAA Privacy Regulations and the Portland Fire Bureau
QUESTION PRESENTED: You have asked whether new federal privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) apply to the Portland Fire Bureau.
FACTS: My understanding of the Bureau's involvement with medical treatment and medical records is, in general, as follows: The Bureau, as part of its daily emergency operations, responds to medical emergencies throughout the City. Bureau responders include Emergency Medical Technician Paramedics and Emergency Medical Technician Basics (EMT-Ps and EMT-Bs) that provide emergency medical care. This care, of which I won't go into detail here, includes the administration of critical lifesaving medical treatment. Medical records of these encounters are kept electronically by the entry of "patient care reports," which contain medical histories, medication history and use, allergy histories, notes on previous medical conditions, and the care that was administered. These records are on the Bureau's computer system on Bureau forms contained in the system. Technologically advanced medical equipment automatically records some of the medical records of treatment directly into the equipment used, which is kept as part of the medical record as well. After a medical response, one or more of the responders involved will prepare and complete the "patient care report" of an emergency response on computer generated forms, which constitute the medical records of the Bureau.
Typically, Fire Bureau paramedics administer the care outlined above until the arrival of ambulances operated by American Medical Response (AMR). When AMR arrives on-scene, the first responders give the AMR responders medical information gathered before they arrived. After a medical response, one or more of the Fire Bureau responders involved will prepare and complete the patient care report of an emergency response on computer generated forms. The Fire Bureau does not request copies of any information from AMR to complete these patient care reports and they do not give a completed copy directly to AMR.
Multnomah County Emergency Medical System (EMS) contracts with American Medical Response (AMR) to provide ambulance services in Multnomah County. Multnomah County EMS has an Agreement with the Portland Fire Bureau which stipulates that they are entitled to reimbursement from Multnomah County EMS for disposable medical supplies used in the course of their First Responder duties. On a quarterly basis, Portland Fire provides Multnomah County EMS with a bill listing the total supplies used over a given time period.
Medical Records are occasionally shared between representatives of the Fire Bureau and AMR. The Fire Bureau may hold a Critical Incident Stress Debriefing (CISD) session with AMR personnel involved where additional Protected Health Information (PHI) may be disclosed from AMR personnel. These reviews are conducted through Multnomah County EMS. The records are shared with the Medical Director, currently Dr. John Jui, a physician who is a County Employee assigned to EMS. In some cases, completion of the record is delayed 72 hours if the record cannot be finished on a particular responder's shift. Currently the Bureau generates approximately 35,000 records of individuals per year. These records concern those who have been provided medical services from the Bureau, and anyone having access to a Bureau computer can access these records within the 72-hour period. The records are catalogued and are accessed by the "run number" assigned to the response by the Bureau of Emergency Communications. There is no catalogue or search of records available by patient name.
After 72 hours, the only individuals that can access these records are Bureau personnel at the EMS office. These records are kept forever in the EMS database. The records are accessed and copied so that they can be provided to entities and individuals outside the Bureau pursuant to a court order, patient authorization or subpoena. They are also used internally for quality assurance, research and statistics. The records are also shared with the Medical Director who is a County employee and physician with a M.D. degree. The Bureau contracts with Multnomah County that provides the Medical Director service to the Bureau. The Medical Director's duties include providing advice and training to the Bureau EMS personnel. It is my understanding that the Medical Director considers patients treated by Bureau EMS personnel to be patients of the Medical Director.
DISCUSSION: The HIPAA privacy regulations are applicable to any "Covered Entity." There are three types of covered entities that are identified as follows:
(1) A health plan;
(2) A health care clearinghouse;
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. (Emphasis added) (footnote: 45 CFR 160.102)
I am certain that the Bureau is neither a Health Plan nor a Health Care Clearinghouse as those terms are defined by HIPAA. 45 CFR § 160.103. Whether the Bureau is a "health care provider" depends not only on whether the Bureau's medical operations fall within this definition, but also a second definition of "health care provider" contained further on in the regulations. I will deal with this second definition first.
"Health care provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." 45 CFR § 160.103.
The cross-references to other laws in this second definition include by those references certain activities within the definition of health care provider (through reference to 42 U.S.C. 1861(u)). Entities such as hospitals, critical access hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospice programs, and certain "funds" that are not relevant to this inquiry are in this way included within the definition of health care provider. The second statutory reference (42 U.S.C. 1395x) includes by reference under the HIPAA definition of health care provider those "medical and other health services" that are set forth in detail in this particular statute. It is too long and not relevant enough to repeat in its entirety here. Simply stated, this referenced statute makes the provision of virtually all physician services and supplies (from antigens to colorectal screening tests) within the definition of health care provider under HIPAA. While this section also references "nurse practitioners" and "physician assistants," (which therefore specifically makes them fall within the definition of a health care provider under HIPAA), no mention is made of paramedics. So an inference may be drawn that paramedics were not intended to be deemed medical providers for purposes of HIPAA.
It is clear that the medical operations of the Fire Bureau as set forth in the facts above fall within this definition. The clause "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business" is expansive and all-inclusive. It appears that as long as any one of the qualifiers is met ("furnishes, bills, or is paid"), a medical provider is encompassed by this definition. Clearly the work of the Bureau constitutes the "furnishing" of medical care.
Fortunately for our analysis, the definition of "health care provider" must be read in conjunction with the description of "health care provider" in the identifications of "Covered Entities" mentioned at the outset of this discussion. That is, does the Bureau transmit health information in connection with a transaction covered by this subchapter? To determine this we must look at what HIPAA considers a "transaction."
Only health care providers that conduct any "standard transaction" electronically, or that engage third parties (such as billing services) to process such transactions electronically, are subject to the rules.° The "Standard Transaction" that may apply to the First Responders is "Health care claims or equivalent encounter information."
Health Care Claims or equivalent encounter information transaction is either of the following:
a) A request to obtain payment, and necessary accompanying information, from a health care provider to a health plan, for health care.
b) If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care.±
There is no reference to the care of any specific patient when the Bureau bills Multnomah County. Further, the Bureau does not bill anyone for the care provided to any individual. Multnomah County is reimbursed by AMR for Portland Fire's expense as part of their franchise fee. There is no direct claim because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services to specific individuals. Therefore, the Bureau does not engage in transactions covered by HIPAA.
We have not found anything in the laws or regulations that specifically mentions Fire Bureau operations, particularly the EMT aspects of those operations. This includes the official comments accompanying the regulations, the legislative history, the "Q and A's" issued by the Department of Health and Human Services (HHS), the numerous commentaries, educational materials, or legal summaries that have been published regarding the regulations. There is no direct answer to the question of whether the medical work of a Fire Bureau is included within the scope of HIPAA.
The Office of Civil Rights has been designated as the agency that will enforce the Privacy regulations. Their guidance² provided no definition or further clarification for "Emergency Medical Provider," "Ambulance," "First Responder," or "First Aid." All references to "encounter information" were under the Final Transaction and Code Sets Rule for standardization and appear to relate to the codes for administrative simplification.
Steve Wirth and Doug Wolfberg of Page, Wolfberg & Wirth, LLC are widely recognized and the leading authority on the EMS industry. In an online article dated June 2003, they offer examples of covered and non-covered entities. Their example of a non-covered entity is:
A municipal fire department provides a First Response service in its community. While the department initiates patient care (thereby providing direct treatment to the patient), the department neither transports nor bills the patient's insurance or Medicare for services rendered. The First Response service is not a covered entity.³
Research of Fire Departments acting in accordance with HIPAA regulations across the country yielded many. However, they all indicated that the HIPAA "hook" was their billing for services.µ
CONCLUSION: We emphatically believe that the HIPAA regulations do not apply to the Fire Bureau. However, we may not have a definitive answer until such time as the regulations are further clarified by Congress or the Department of Health and Human Services, or case law develops from the imposition of a fine or a criminal prosecution.
1) Until the federal agencies involved with HIPAA issue clarifying guidance on the applicability of the Privacy regulations to first responders, we believe it would be prudent for the Bureau to develop a uniform and consistent policy regarding patient confidentiality. First of all, there are significant civil fines (up to $25,000 per person per year for each type of violation) and even criminal penalties (up to 10 years in prison and a $250,000 fine) that can result from non-compliance. Secondly, recent word from Health and Human Services indicates that enforcement of the HIPAA regulations will be complaint driven. The Bureau (and the City) will have to defend itself on compliance issues on a case by case basis.
2) Create the computer and physical firewalls that will assure that no one other than those determined above have any access to the medical records.
3) Establish policies and procedures so that these records are handled and disclosed in a consistent manner.
c: Julie Kennedy
Chief Ed Wilson
Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(1) Health plan includes the following, singly or in combination:
(i) A group health plan, as defined in this section.
(ii) A health insurance issuer, as defined in this section.
(iii) An HMO, as defined in this section.
(iv) Part A or Part B of the Medicare program under title XVIII of the Act.
(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.
(vi) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.
(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
(ix) The health care program for active military personnel under title 10 of the United States Code.
(x) The veterans health care program under 38 U.S.C. chapter 17.
(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)(as defined in 10 U.S.C. 1072(4)).
(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.
(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.
(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
(xv) The Medicare + Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.
(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(2) Health plan excludes:
(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
(ii) A government-funded program (other than one listed in paragraph (1)(i)-(xvi)of this definition):
(A) Whose principal purpose is other than providing, or paying the cost of, health care; or
(B) Whose principal activity is:
(1) The direct provision of health care to persons; or
(2) The making of grants to fund the direct provision of health care to persons.
Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
° 45 CFR § 160.103 (defining "covered entity")
± 45 CFR § 162.1101
µ Lincoln, Massachusetts, St. Joseph Township, Fort Wayne, Indiana, Austin/Travis County Emergency Medical Services, Schiller Park, Illinois, Charleston County South Carolina, Tualatin Valley Fire & Rescue, Beaufort County South Carolina, Munson, Ohio, Andover, Connecticut, Miami Florida Department of Fire-Rescue, Pewaukee Fire Department Waukesha, Wisconsin, Tampa Fire Rescue, Tampa, Florida;