Last-minute HIPAA: Still clueless about CE’s and NPP’s? Here’s what to do.

By Mike McEvoy, PhD, REMT-P, RN, CCRN, and Paul Gillan, J.D., EMT

The HIPAA compliance deadline is looming, yet many fire and EMS services haven’t taken the first steps toward determining what they need to do (if anything) to comply. If that’s your department, the first thing you should do is start worrying. Despite widespread apathy about HIPAA in the fire and EMS industries, HIPAA compliance is a big deal. Failing to comply can cost you and/or your department or service big bucks, and could also land you in jail.

The next thing you should do is harness your worrying energy and focus it on achieving HIPAA compliance. It’s not likely you’ll be able to do everything necessary by the April 14, 2003 deadline. However, with a little diligence and no small amount of luck, you can get close. Here are some suggestions:

1. Determine if you are a “Covered Entity.” If you are a Covered Entity (or “CE” for short), you have a lot of work to do. If not, your work is done. Be cautious here; the answer is not as clear as some would have you believe. Each EMS service brings a different set of facts and circumstances that may yield different answers, even for organizations that appear very similarly situated. Consider engaging a professional to determine whether you are a covered entity or not. The professional’s experience with HIPAA in other contexts makes it more likely that you will get the right answer. Plus, if things go wrong, your department’s reliance on independent professional advice (instead of self assessment) demonstrates a good faith effort to comply, which can go a long way in mitigating any enforcement penalties.

2. Find a good shoulder person. A shoulder person is a motivated individual in your department who has a track record of getting things done. Even if it means turning to a more junior leader, you need someone who can handle a large number of tasks simultaneously and deal easily with a rather complex topic. Once you find this person, get him or her some help by way of a committee. Two others besides the committee chairperson should be enough.

3. Hire a professional. “Wait a minute,” you say, “I can order one of those ‘Complete Guides to HIPAA’ and learn everything I need to know.” Well, maybe so, if you had enough time to do it. But if your schedule is like that of the fire and EMS providers we know, trying to read and understand a three hundred page book about a topic as complex as HIPAA could take you weeks-weeks you don’t have. Besides, knowing what HIPAA says is only half the battle thanks to a provision referred to as the Preemption Clause. This says, generally, that whichever is stricter between state law and HIPAA is going to prevail. It normally takes a person familiar with a state’s specific laws to figure that out. When purchasing outside knowledge and experience, a consultant should probably be your first pick. While lawyers are an important component of any compliance effort, they tend to be too expensive for general management of an implementation effort. There are many consultants that specialize both in EMS work and in HIPAA work. Preferably, you want one with experience in both areas. Whatever you do, don’t buy a book and think you have everything you need.

4. Get some reference material. Don’t pay for anything that includes a copy of the HIPAA law, rules, and “guidance” from CMS. All of that is available free on the Internet. Spend some time on the Office of Civil Rights of the U.S. Department of Health and Human Services’ Web site. The URL is Download whatever you can handle.

5. Look for Business Associates. Business Associates (BA) are people or businesses that perform a function on behalf of a Covered Entity. For example, your billing service provider is a business associate (if it has told you otherwise, it is wrong). If you contract with an outside service for QA or QI, that outside service is a business associate as well. HIPAA requires agreements between a Covered Entity and its Business Associates; they govern what the BA can and can’t do with patient information. The agreements also have to meet about thirty different requirements outlined in the HIPAA rules. Because the BA agreement creates a legal obligation for your department or service, a lawyer with HIPAA and EMS experience should review it.

6. Write a Notice of Privacy Practices. The “Notice of Privacy Practices,” also called an NPP, is a document HIPAA requires of every Covered Entity. It describes your privacy practices and includes information HIPAA requires you tell paitents, which they already know, including that you will use the patient’s health information to provide services to the patient and to get paid for it. Ideally, the Covered Entity gives out the NPP before rendering services. For EMS and ambulance services, doing so will not work unless the job is a non-emergency transport. You need a workable way to get the NPP to the patient in a reasonable manner after providing services. Before beginning to use your NPP, have a lawyer or consultant review it. Do not simply lift a form from a book or borrow someone else’s NPP and put your department’s name on it. NPP’s are specific to each department or service.

7. Appoint a Privacy Officer. Yes, you need to have one. The Privacy Officer is responsible, from a department’standpoint, for ensuring that HIPAA is implemented correctly. The shoulder person you picked in suggestion 2 above is a likely candidate, since he or she will know the most about HIPAA once the implementation process is complete. If this person does not already hold a leadership office or position in your organization, amend your bylaws to make a position for him or her.

8. Develop a Complaint Process. There are two steps here: develop a complaint process and put someone in charge of it. That someone doesn’t have to be the Privacy Officer although in smaller services it may well be. The complaint process must be designed to credibly handle complaints from patients about how the EMS service handles patient privacy. The process must comply with detailed notice and appeal requirements in HIPAA. If you have paid staff, the complaint process should dovetail with your employee grievance process. Be careful not to create conflicts between the two. Having someone familiar with employment issues helps if you’re not dead sure that you are doing it right.

9. Walk around your station. HIPAA requires Covered Entities to take reasonable measures that ensure the physical safeguarding of patient information. What’s reasonable depends on many different factors including, for example, the size of the EMS service. What’s reasonable for a department with 60 members and an annual budget exceeding $1 million may not necessarily be reasonable for a service with 11 members and an annual budget of $10,000. One of the biggest vulnerabilities is how services handle run reports. Departments that are cavalier about physically securing run reports need to rethink the process.

10. Review and Revise Policies and Procedures. P&P’s (or SOG’s) are required. One comprehensive policy is not sufficient. To the extent that existing policies reflect non-compliant practices, both the practice and the policy need to be revised. Advise your administration that you are going to need a few special meetings between now and April 14, 2003 to get the policies in place. Finalized policies should be reviewed by legal counsel to ensure they do not create problems in other areas.

11. Fill in the cracks. It is likely that during the first pass you either did something wrong or forgot something altogether. Go back through the Privacy Rule from beginning to end and make sure what you have is what you need. Then do it again. And then do it one more time.

Mike McEvoy, PhD, RN, CCRN, REMT-P is the EMS Coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in NY. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for West Crescent Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS Director on the Board of the New York State Association of Fire Chiefs.

Paul Gillan, J.D., EMT-B is a senior associate attorney with the Albany, NY law firm of Iseman, Cunningham, Riester & Hyde, LLP. An EMT since 1996, he devotes a substantial portion of his practice to representing fire and EMS services, regional EMS councils, and individual EMTs. For more information, please visit

No posts to display