Emergency Medical Dispatches and HIPAA: Are You HIPAA Compliant?

Since unencrypted land mobile radio communications can be intercepted by scanners, there is some question as to whether unencrypted radio properly protects patients’ privacy rights under HIPAA.

July 23, 2014

3 Min Read
Urgent Comms logo in a gray background | Urgent Comms

During a recent National Public Safety Telecommunications Council (NPSTC) conference call, a question was raised as to the applicability of the Health Insurance Portability and Accountability Act (HIPAA) to emergency medical dispatchers, as to whether traditional means of transmitting patient information over unencrypted airways is permissible. Since unencrypted land mobile radio communications can be intercepted by scanners, there is some question as to whether unencrypted radio properly protects patients’ privacy rights under HIPAA. Although for non-lawyers HIPAA’s requirements can seem daunting, the answer to this question is surprisingly simple: yes, transmitting information over unencrypted radio is allowed.

First, it bears mentioning that the HIPAA privacy regulations were intended to give patients more control over their own health information; to set boundaries on the release and use of health records by others; and to create certain safeguards that health care providers and others must put in place to protect patient information. The law was never intended to be an impediment to patient health or to the receipt of proper health care. With that framework in mind, the HIPAA privacy regulations and how they bear on unencrypted radio transmissions make more sense.

Second, HIPAA applies only to communications made by “covered entities.”  If the organization making the communications is not a covered entity pursuant to HIPAA’s definition, then the organization does not have to abide by HIPAA’s requirements and can freely transmit patient information, provided, however, that the transmitter does not disclose more information than necessary to effectuate medical treatment. Covered entities include: health care clearing houses; health plans; and health care providers who transmit any health information electronically in connection with certain transactions.  Although this definition can be somewhat difficult to apply, generally speaking, ambulance services are covered entities.  However, most dispatchers, such as 911 dispatchers, are not because they do not engage in covered electronic transactions, such as directly billing insurers for services or transmitting healthcare enrollment information. If the dispatch agency, however, is part of an ambulance service or hospital, for example an ambulance service’s own dispatch center, or a dispatch center that is located within a hospital, then it likely would be considered a covered entity, and therefore it would have to comply with HIPAA’s privacy requirements.

Finally, even if you are a covered entity, HIPAA only applies to certain communications. HIPAA does not apply to communications required to treat patients or to information shared for operations purposes. 45 C.F.R. § 164.501 Since information shared by a dispatch agency is shared to treat patients and to operate effectively as a dispatch service, HIPAA most often does not apply to the communication. These are considered incidental disclosures, which HIPAA’s provisions specifically permit. However, if it is not necessary to transmit a patient’s name or certain information for the purpose of treatment or service, it is best to omit that information from the unencrypted transmission. In large part, though, these communications pose no concern under HIPAA.

One final word of caution is necessary, however. HIPAA was intended as a floor for patient protections, not a ceiling, so each provider should be sure to check individual state law to see if state requirements are more stringent.

HIPAA was created in an effort to strike a balance between protecting private patient health information and allowing disclosure of some information when it would be necessary for health reasons. Permitting this information to be transmitted over unencrypted radio squarely fits within this balance.

During the upcoming APCO national conference in New Orleans, we’ll be hosting a session on another issue facing dispatchers and emergency responders, traps for the unwary in using social media while on the job.  We hope to see you there.

Campbell is a partner and co-chair of the Employment and Labor practice group at Shulman, Rogers, Gandal, Pordy & Ecker, P.A. Einstein is an associate with the firm's Employment and Labor practice group. This article is for informational purposes only and does not constitute legal advice.

Subscribe to receive Urgent Communications Newsletters
Catch up on the latest tech, media, and telecoms news from across the critical communications community