During time-sensitive emergencies, sharing data between EMS and the hospital is a vital part of patient care. EMS contacts the hospital via radio report to share information about the patient’s condition and vital signs, letting hospital staff know what to expect when the patient arrives on their doorstep. EMS and the hospital both comply with HIPAA guidelines, and sharing details about the patient’s condition is simply considered an essential part of providing the best possible care for that patient.
But once the patient has been admitted and EMS needs outcome data from the hospital, suddenly the information sharing process isn’t quite as clear. Many hospitals get nervous about the thought of sharing patient data or PHI with EMS agencies.
The Health Insurance Portability and Accountability Act clearly instructs that patients’ PHI can only be shared with individuals who are authorized to receive the information for treatment purposes. When you’re further down the stream in the care continuum, the waters get a little murky, and it’s not always clear whether it’s okay to pass information back upstream.
So the question is: Does HIPAA allow hospitals to share data with EMS agencies?
The short answer: YES.
HIPAA not only allows, but encourages bi-directional data sharing between EMS and the hospital.
In a 2020 whitepaper, the National EMS Information System and EMS industry law firm Page, Wolfberg & Wirth addressed the topic in depth. Their research digs into the details of HIPAA policies, explores why bi-directional data sharing with EMS is essential, clarifies how HIPAA’s Security and Breach Notification Rules should calm any fears about the security of shared data, and ultimately affirms that HIPAA and federal agencies endorse bi-directional data sharing.
According to PWW, “Having access to hospital discharge, summary or diagnoses, outcome, and inpatient treatment information also significantly enhances continuous quality improvement, leading to better patient outcomes in both the prehospital and the hospital setting. Outcome data is the taproot for evidence-based EMS care. Without access to this information, EMS agencies are denied a meaningful opportunity to improve care, outcomes, and the prehospital experience for their patients.”
While it’s not always immediately evident how passing along this information can help benefit patients, it makes a huge difference in EMS’ ability to treat patients. It’s not merely a situation of the information being “good-to-know” for EMS providers; in many cases, it’s absolutely crucial for EMS to have access to this information.
1. Having access to PHI greatly improves patient safety and care quality.
Having information about the patient’s health history helps medics make better treatment decisions on the front end of the patient’s journey. Empowering medics with the context of the patient’s medical history, medications, allergies, and recent hospitalizations will inform their decisions as they care for the patient, helping them make the best possible choices for the patient.
Knowing patient outcomes is critical to helping EMS providers hone their response. As the system currently stands, EMS has little to no involvement in the patient’s case once they drop them at the door. They don’t get to know what happened to the patient, what their outcome was, or how they impacted the patient’s overall care journey. Without feedback, EMS providers have no frame of reference for how to improve their response. Having access to data on the patient’s ultimate outcome could greatly help EMS evaluate their response and improve on their process. Access to data also advances the development of evidence-based practices for prehospital care.
2. COVID-19 has created new circumstances that make it vital for EMS to receive PHI from hospitals.
COVID-19 has introduced many new and unfamiliar circumstances over the last year. As providers respond to new situations, any additional information they have at their disposal can help orient and inform their decisions.
The U.S. Department of Health and Human Services released a statement detailing essential situations for hospitals to share PHI with EMS:
“The HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization, in certain circumstances, including the following:
- When the disclosure is needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department.
- When first responders may be at risk of infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19.”
It’s absolutely essential for hospitals to communicate patient information pertaining to COVID-19 with EMS. It impacts everything from choosing the appropriate transport destination to decontamination and notifying providers who may have been exposed to the virus.
3. It’s required for the Centers for Medicare and Medicaid Services’ ET3 Program.
On September 16th, 2020, CMS announced that its new Emergency Triage, Treat, and Transport (ET3) Model would go into effect on January 1st, 2021. The goal of the program is to provide better treatment for patients by providing “greater flexibility to ambulance care teams to address emergency health care needs of Medicare Fee-for-Service (FFS) beneficiaries following a 911 call.” The program will expand the role of EMS and the destinations that EMS is allowed to transport to, meaning that having access to hospital data will be essential for the program. In fact, CMS is requiring it. Participants in the model are asked to submit an “Interoperability Plan” demonstrating that they have systems in place to share patient data among key stakeholders — hospitals included.
With all of these things being the case, it is absolutely essential for EMS to receive data back from the hospital.
But what about data breaches? Should hospital staff be concerned about the possibility of inadvertently exposing patients’ PHI?
No more so than in any other communication with EMS. Just like hospitals, EMS agencies are held responsible for the PHI that they collect and have access to. They’re subject to the same rules, and are required to have the same safeguards in place to avoid data breaches. EMS agencies are accountable to the HHS to ensure they have the following safeguards in place to protect PHI: role-based access; workforce authorization, training, and sanctions; workstation and device security; access control; audit controls; integrity controls; and transmission security.
After all, EMS agencies constantly handle patient data on the front end of the patient’s care journey, when they share it with the hospital upon or before the patient’s arrival. Even though the process is reversed when the hospital shares data with EMS, all the same privacy practices and safeguards still apply.
But will hospitals be held responsible for data breaches by EMS agencies?
Nope. Once the hospital has securely transmitted PHI to the EMS agency, the hospital is not responsible for what happens to the data on the EMS agency’s watch.
“If a hospital provisioned secure access to its patient database or securely transmitted PHI to an EMS agency for treatment or quality assurance activities of the EMS practitioner, the hospital would generally not be responsible for any improper uses and disclosures – including any breaches – of the PHI. After the receiving EMS agency received the PHI in compliance with HIPAA, the receiving EMS agency, as a covered entity, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur. Any breach would be the responsibility of the EMS agency that received the PHI, just as a breach by a hospital of its PHI – including an EMS patient care report that becomes part of the hospital’s records – would be the responsibility of the hospital.”
So even if information sharing does result in a breach on the EMS agency’s end, the hospital will not be held responsible. As such, hospitals don’t need to worry about liability for sharing this information with EMS. HIPAA fully endorses the practice, and even in the event of an EMS data breach, the hospital will not be penalized.
As we move into the future, the sharing of information will become more and more essential to the growth and development of EMS’ role in the patient care journey. Hospitals can rest assured that HIPAA not only allows, but encourages bi-directional data sharing with EMS.
For a more detailed explanation of how HIPAA endorses bi-directional data sharing between EMS and the hospital, check out Page, Wolfberg & Wirth’s whitepaper: "An Imaginary Barrier: How HIPAA Promotes Bi-directional Patient Data Exchange With Emergency Medical Services."