
Pro Bono: Can You Really Protect All Patient Information?

Issue 1 and Volume 43.

Patient privacy can only go so far

Many communication practices play an important role in ensuring that a patient receives prompt and effective prehospital healthcare. Due to the nature of these practices, as well as the unique environment of EMS field medicine, the potential exists for the patient’s protected health information (PHI) to be disclosed “incidentally.” Incidental disclosure is part of the normal course of providing care to the patient, or, put another way, is “incident to” that care.

A bystander may overhear an EMS provider’s conversation with another provider about the patient, see the care that’s being provided on scene, or overhear patient information being communicated to the hospital. These would be considered incidental disclosures.

The Health Insurance Portability and Accountability Act (HIPAA) isn’t intended to impede these customary and essential communications and practices. The regulations don’t require that all risks of incidental disclosure of patient information be eliminated. Instead, HIPAA adopts a common-sense approach, and permits certain incidental uses and disclosures of PHI to occur—as long as your agency has reasonable safeguards in place to minimize disclosures and protect the patient’s privacy.

Reduce Incidental Disclosures

Pay attention to who may be within earshot when making verbal statements about a patient’s health information, and follow common-sense procedures for avoiding accidental or inadvertent disclosures. Here are five areas where incidental disclosures are likely to occur in the field, and suggestions for reasonable safeguards to reduce their impact:

1. Verbal patient information. Regardless of physical location, only discuss PHI with those who are involved in the care of the patient. When discussing PHI with patients, take reasonable steps to make sure that only those involved in the care of the patient are within earshot. If it doesn’t interfere with patient care, EMS providers should try to remove those not engaged in patient care before discussing PHI.

2. Bystanders seeing a patient. This may be unavoidable in the uncontrolled environment of EMS field medicine. The priority should always be caring for the patient. If you’re at the scene of an extended extrication and the patient is visible to the public, particularly the news media, it would be reasonable to use a tarp to shield the public and media from viewing the patient.

Should you have curtains or screens that cover the patient compartment windows? There are real safety concerns for the crew and the patient if you can’t adequately see out the window. You shouldn’t do things to protect patient privacy if they interfere with your ability to safely provide care. Each situation needs to be evaluated independently. If you can shade the windows easily while still maintaining visibility, then do so. Newer technologies, such as mirrored windows and windows that can go from clear to opaque, are becoming more common and should be used if you have them.

3. Paper patient care reports (PCRs). All paper PCRs should be stored in secure areas when not in use. No paper records concerning a patient should be left in open bins or on desktops or other surfaces. Additionally, billing records, including notes, remittance advices, charge slips or claim forms shouldn’t be left out in the open. They should be stored in an area with access limited only to those who need the information for the completion of their duties.

4. Electronic PCRs (ePCRs). Computer terminals and other mobile devices should be secure, and staff members must be sensitive to who may be in viewing range of a monitor. All mobile devices such as laptops, toughbooks, tablets and cellphones should always remain in the physical possession of the individual to whom they are assigned.

5. Multiple patients. Just as hospitals aren’t required to give every patient a private room, neither are ambulances limited to transporting only one patient at a time. In such a case, HIPAA requires that you take reasonable precautions to minimize the chance of an incidental disclosure of PHI. It wouldn’t be a HIPAA violation to communicate information about multiple patients while a patient can overhear; those are simply unavoidable incidental disclosures. Reasonable precautions might include making the radio transmission from the front of the ambulance and closing the door between the cab and the patient compartment.


Reasonable safeguards to limit incidental disclosures of PHI will vary, and depend on many factors. Agencies must analyze their own needs and circumstances, and assess the potential risks to patient privacy. EMS agencies should also consider the potential effects on patient care and other issues, such as the financial and administrative burden of implementing safeguards. The bottom line: All EMS providers and staff should be sensitive to the possibility of incidental disclosures of patient information and should avoid incidental disclosures to others who don’t need to know the information.

