HIPAA and EMS: Navigating Information Sharing and Quality Improvement


By Larry K. McMillan, MHA, CHC

When we think of emergency medical services (EMS), we picture paramedics and EMTs responding quickly to save lives. But there’s more to the job than just providing care in emergencies. EMS professionals also need to handle and share sensitive information about the people they help, and they must do it under specific rules set by the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA applies to EMS agencies because of our status as a covered entity. There are three types of “covered entities,” but in this context, a covered entity is defined as “a healthcare provider who transmits any health information in electronic form in connection with a transaction.”[1] Because most EMS agencies provide healthcare and bill electronically, most EMS agencies are covered entities under HIPAA.

While the HIPAA Privacy Rule is designed to protect patient privacy, it also allows for certain types of information sharing when necessary for treatment, payment, and operations.[2] For EMS providers, balancing these rules with quality improvement (QI) goals is challenging but critical for better patient outcomes. In this article, we’ll explore how HIPAA works in EMS, what the treatment, payment, and operations (TPO) rule means, and why QI is so important.

HIPAA Basics: What Does It Mean for EMS?

HIPAA, short for the Health Insurance Portability and Accountability Act, is a federal law passed in 1996 that includes provisions meant to protect patient information and establish standards for privacy.[3] For EMS providers, HIPAA requires that any medical information about their patients—from details on medical history to treatments given during an emergency—be protected. HIPAA compliance helps ensure patient data remains confidential while allowing for some necessary information sharing.

Treatment, Payment and Operations: A Closer Look

The “treatment, payment, and operations” (TPO) exception is a key part of HIPAA. It allows EMS providers to share certain patient information without needing patient consent every time, making it possible for EMS to function efficiently. The TPO exception covers three main purposes:

1. Treatment: EMS providers can share information with other healthcare providers involved in a patient’s care. For example, when an EMS crew brings a patient to a hospital, they need to pass along relevant details so the hospital staff can provide the right care.
2. Payment: Regardless of whether an EMS agency handles its reimbursement processes in-house or through an outside vendor, the agency has to share patient information to receive payment for services. Of note, the information shared should be limited to what is necessary for processing the claim.
3. Operations: This includes internal administrative tasks, staff training, and quality improvement efforts. For EMS, quality improvement (QI) falls under this category, allowing agencies to review cases and find ways to enhance future care.

Quality Improvement in EMS: Why It Matters

Simply put, quality improvement (QI) is a process that helps organizations evaluate and improve their internal processes and practices with the goal of improving the value of the end product. Applied to an EMS agency, QI generally involves looking back on practices or cases to see what went well, what could be better, and how to improve moving forward.

This could include a variety of data points, from response times and patient outcomes to communication practices (structure and content) during the patient handoff process.

In the context of HIPAA, QI in EMS is considered part of the “operations” category under the TPO exception. Further, HIPAA allows EMS agencies to share patient data internally for the purposes of QI, as long as the minimum necessary standard is followed—meaning only necessary information should be shared.[4] By focusing on QI, EMS agencies can refine their protocols, improve emergency responses, and ultimately provide better patient care.

How can EMS agencies implement compliant Quality Improvement practices?

Quality improvement (QI) in EMS can be conducted at both the institutional and individual levels, each serving different purposes and presenting unique challenges:

1. Institutional-Level QI:
At the institutional level, QI involves evaluating the overall performance of an EMS agency. This can include examining data across multiple cases to identify trends, response times, equipment issues, or common challenges faced by EMS teams. Institutional QI typically looks at the big picture and uses data to find improvements that benefit the entire organization, such as refining protocols, upgrading equipment, or implementing new training programs.

Institutional QI is useful for making systemic changes, as it helps EMS agencies identify patterns and variations that affect the agency as a whole. By addressing these global, systemic issues, institutional QI can lead to substantial improvements in service delivery and patient outcomes.

For example, if the data reveals a consistent delay in response times during certain hours, an agency might consider adjusting staffing levels or updating route planning. Institutional QI is HIPAA-compliant as long as it adheres to the minimum necessary standard, ensuring that only essential data is used in reviews.[5]

2. Individual-Level QI:
QI can also be performed at the individual level, where it focuses on the performance of specific EMS personnel or individual case reviews. This type of QI might involve reviewing an EMT’s actions during a specific call to provide feedback and identify areas for personal growth. Individual-level QI allows for personalized feedback and training to help EMS professionals develop their skills and improve patient care on a case-by-case basis.

However, it is important to note that when providers share details about specific cases that might risk identifying a patient, they should be mindful to share only the information that is necessary for the QI discussion. EMS agencies must also ensure that all personnel are appropriately trained to avoid impermissibly disclosing protected health information to individuals who are not part of the QI process.[6]

For example, providers should debrief about calls or critique specific cases in private areas, such as in the ambulance or at the station, and avoid conducting QI in places where the conversation could be overheard.

As long as precautions are taken, HIPAA permits individual-level QI, which can lead to significant improvements in patient care by helping EMS personnel refine their responses and adhere to best practices. It can also reinforce accountability and support professional growth.

Challenges of Applying the TPO Exception and Quality Improvement

While the TPO exception provides EMS with the ability to conduct QI, there are still challenges in applying it effectively, especially when balancing institutional and individual QI goals. Some of these challenges include:

1. Determining “Need-to-Know” Information for QI
EMS providers are required to follow HIPAA’s minimum necessary standard, which limits the information they can share in QI initiatives to only what is necessary for QI. For institutional QI, this may mean using aggregated data instead of detailed case information whenever aggregated data would suffice for the review.

For individual QI, identifying which details to share and how to avoid unnecessary information can be complex, but it boils down to training providers to stay focused on sharing the information needed for the review and to be mindful of their surroundings.
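The institutional response-time review described above (the "consistent delay during certain hours" example) is a good illustration of the minimum necessary standard in practice: the review question needs only dispatch and on-scene times, so nothing else from the patient care record should reach the QI dataset. The following is an added example, not code from the article or from any EMS agency or ePCR vendor; the record field names, the constructed sample records, and the 8-minute threshold are assumptions chosen for illustration.

```python
"""
Minimum-necessary aggregation for an institutional QI review of response times.

Each constructed patient care record (PCR) carries PHI the review does not
need. The review question is "which dispatch hours show slow response?", so
each record is projected down to the two fields that question requires before
anything is aggregated, and identifiers never enter the QI dataset.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records. Names, dates of birth and addresses are fictitious;
# field names are assumptions, not a real ePCR schema.
PCRS = [
    {"incident_id": "INC-0001", "patient_name": "Jane Doe", "dob": "1961-04-02",
     "address": "12 Example St", "complaint": "chest pain",
     "dispatch": "2024-03-01T08:03:00", "on_scene": "2024-03-01T08:10:30"},
    {"incident_id": "INC-0002", "patient_name": "John Roe", "dob": "1988-11-19",
     "address": "7 Sample Ave", "complaint": "fall",
     "dispatch": "2024-03-01T08:41:00", "on_scene": "2024-03-01T08:46:30"},
    {"incident_id": "INC-0003", "patient_name": "A. Person", "dob": "1975-06-30",
     "address": "3 Test Rd", "complaint": "shortness of breath",
     "dispatch": "2024-03-01T17:12:00", "on_scene": "2024-03-01T17:21:00"},
    {"incident_id": "INC-0004", "patient_name": "B. Person", "dob": "1950-01-15",
     "address": "9 Demo Ln", "complaint": "syncope",
     "dispatch": "2024-03-01T17:30:00", "on_scene": "2024-03-01T17:41:30"},
    {"incident_id": "INC-0005", "patient_name": "C. Person", "dob": "2001-09-09",
     "address": "5 Mock Blvd", "complaint": "MVC",
     "dispatch": "2024-03-01T17:55:00", "on_scene": "2024-03-01T18:05:00"},
    {"incident_id": "INC-0006", "patient_name": "D. Person", "dob": "1969-12-24",
     "address": "1 Placeholder Ct", "complaint": "abdominal pain",
     "dispatch": "2024-03-01T23:05:00", "on_scene": "2024-03-01T23:12:00"},
]

# The only fields the response-time review needs (assumption for this review).
MINIMUM_NECESSARY_FIELDS = ("dispatch", "on_scene")

# Fields that would identify a patient and must not appear in QI output.
IDENTIFYING_FIELDS = {"incident_id", "patient_name", "dob", "address", "complaint"}


def project_minimum_necessary(record):
    """Return a copy of the record containing only the fields the review needs."""
    return {key: record[key] for key in MINIMUM_NECESSARY_FIELDS}


def response_minutes(row):
    """Dispatch-to-on-scene interval in minutes for one projected row."""
    dispatched = datetime.fromisoformat(row["dispatch"])
    on_scene = datetime.fromisoformat(row["on_scene"])
    return (on_scene - dispatched).total_seconds() / 60


def aggregate_by_hour(records):
    """Call count and median response time per dispatch hour; no identifiers."""
    intervals_by_hour = defaultdict(list)
    for record in records:
        row = project_minimum_necessary(record)  # PHI is dropped here
        hour = datetime.fromisoformat(row["dispatch"]).hour
        intervals_by_hour[hour].append(response_minutes(row))
    return {
        hour: {"calls": len(values), "median_minutes": round(median(values), 1)}
        for hour, values in sorted(intervals_by_hour.items())
    }


def hours_over_threshold(summary, threshold_minutes=8.0):
    """Dispatch hours whose median response exceeds the review threshold."""
    return [h for h, s in summary.items() if s["median_minutes"] > threshold_minutes]


def contains_identifiers(summary):
    """True if any identifying field leaked into the aggregated QI output."""
    return any(IDENTIFYING_FIELDS & set(stats) for stats in summary.values())


if __name__ == "__main__":
    summary = aggregate_by_hour(PCRS)
    for hour, stats in summary.items():
        print(f"{hour:02d}:00  calls={stats['calls']}  median={stats['median_minutes']} min")
    print("hours over threshold:", hours_over_threshold(summary))
    print("identifiers in QI output:", contains_identifiers(summary))
```

The projection step is the point: the review receives the dataset only after `project_minimum_necessary` has run, so a reviewer who needs to escalate a slow hour to a case-level look (individual QI) has to go back through a separate, access-controlled request rather than already holding every patient's name and complaint.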

2. Documentation and Record-Keeping
During emergencies, EMS crews are trained to prioritize patient care, which can make documenting every detail of the encounter difficult. However, proper documentation is essential for effective QI and HIPAA compliance. Without it, EMS agencies may struggle to evaluate cases and justify their actions under the TPO exception.

3. Patient Privacy and Data Security
The HIPAA Security Rule contains guidance on safeguarding electronic protected health information.[7] Specifically, the HIPAA Security Rule provides for three categories of safeguards, each of which must be satisfactorily met: (1) Administrative Safeguards, (2) Physical Safeguards, and (3) Technical Safeguards.

The Security Rule also contains “Organizational Requirements” concerning policies, procedures, and documentation requirements for EMS agencies. QI data must be kept secure to protect patient privacy, especially when detailed case information is involved in individual-level QI. Using secure storage systems and limiting data access can help EMS agencies comply with HIPAA while using patient data for QI.

4. Coordination with Other Providers for QI
EMS agencies work closely with hospitals, but each hospital may have its own HIPAA practices and risk profile. Working with external partners to share data for QI purposes can be challenging, especially if each organization interprets HIPAA differently.

For example, EMS agencies may want to follow up with hospitals on patient outcomes as part of institutional QI, but they must ensure information is shared in a HIPAA-compliant manner.

The Benefits of Quality Improvement in EMS

When performed in accordance with HIPAA, quality improvement at both institutional and individual levels brings important benefits to EMS agencies and the patients they serve:

• Enhanced Patient Care: QI helps identify the best practices that can lead to better patient outcomes.
• More Efficient Response Times: QI initiatives that target response times can improve EMS arrival times in emergencies.
• Improved Documentation: Case reviews encourage EMS crews to maintain detailed records, aiding both QI and HIPAA compliance.
• Smoother Handoffs: QI can also address communication issues with hospitals, reducing delays in care.
• Staff Development: Individual QI supports personal growth and helps EMS staff refine their skills in specific scenarios.

Moving Forward with HIPAA-Compliant QI Practices

EMS agencies can improve their quality improvement efforts and remain HIPAA-compliant by adopting some key practices:

1. Develop Clear QI Guidelines: Set clear guidelines for institutional and individual QI efforts, ensuring compliance with HIPAA’s minimum necessary standard.
2. Secure QI Data: Use encryption and secure storage systems for all QI data to protect patient privacy.
3. Collaborate with Healthcare Partners: Establish shared QI goals with hospitals to ensure HIPAA-compliant data sharing that benefits patient outcomes.
4. Provide HIPAA Training: Regular training on HIPAA and QI helps EMS staff understand their roles in both compliance and improvement initiatives.
5. Monitor and Adjust: A feedback loop for QI processes enables EMS teams to continuously evaluate the effectiveness of their practices and compliance measures.

Conclusion

EMS agencies and their personnel are responsible for delivering high-quality emergency care while also protecting patient information. HIPAA’s TPO exceptions allow EMS to share essential data for treatment, payment, and operations, including QI. By conducting QI at both institutional and individual levels, EMS agencies can refine their practices, improve response times, and ensure compliance with HIPAA. With ongoing training, clear protocols, and secure data practices, EMS personnel can navigate HIPAA’s complexities while enhancing the care they provide.

About the Author

Larry K. McMillan, MHA, CHC, serves as the compliance officer for Wake County EMS in Raleigh, NC. With over five years of experience navigating federal, state and local regulations applicable to EMS agencies, he leads compliance initiatives addressing Medicare/Medicaid, OSHA, DEA and OCR regulatory requirements.

Larry is a candidate for a Juris Doctor from the University of North Carolina School of Law in May 2025; he also holds a Master of Health Administration from George Washington University and a Bachelor of Science in Environmental Health from North Carolina A&T State University. His leadership and contributions have resulted in significant cost savings, program innovations, and impactful contributions to public health operations within EMS.

References

1. General Administrative Requirements – Definitions, 45 C.F.R. § 160.103 (2024), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103

2. Security and Privacy – Applicability, 45 C.F.R. § 164(a) (2013), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164#p-164(a)

3. Health Insurance Portability and Accountability Act, Pub. L. No. 104-191 (1996).

4. Minimum Necessary Provision, 45 C.F.R. § 164.514 (2024), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.514

5. Uses and Disclosures of Protected Health Information, 45 C.F.R. § 164.502(b) (2024), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502

6. Other Requirements Relating to Uses and Disclosures of Protected Health Information, 45 C.F.R. § 164.514(a) (2013), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.514#p-164.514(a)

7. Security and Privacy – Applicability, 45 C.F.R. § 164.304 (2013), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.304
