REGISTER MY ACCOUNT
Trending Topics
20221024-AMX-US-NEWS-KCFD-FIREFIGHTER-MADE-BLATANTLY-FALSE-1-KC.jpg
Mo. city moves to stop reinstatement of firefighter involved in fatal crash following protest
Albert_Lea_Fire_Rescue.jpg
Minn. FD program aims to reduce 911 calls, connect residents with resources
hqdefault.jpg
Mo. protesters oppose firefighter’s return to work after fatal crash
hqdefault.jpg
7 firefighters hurt battling 4-alarm NYC blaze
drone.jpg
Conn. legislators look to ban Chinese-made drones used by fire, police departments
Bluewell_Fire_Department.jpg
W.Va. firefighter injured when collision sends apparatus into building
Concord_NH_Fire_Department.jpg
Former N.H. firefighter files lawsuit claiming years of sexual harassment
New_Albany_Fire_Department.jpg
Ind. firefighters honored for VES rescue during heavy fire conditions
City_of_Live_Oak_training_center.webp
Calif. council unanimously approves new firefighter training center
hqdefault.jpg
14 rescued in Miami apartment fire
Legal Issues

N.Y. case illuminates HIPAA basics for fire departments

Who can sue, which fire departments are “covered entities,” and how agency policies impact confidentiality breach cases

October 06, 2021 06:47 PM • 
Lexipol Content Development Team
GettyImages-611858678.jpg

HIPAA governs how covered entities protect and secure Protected Health Information (PHI).

Photo/Getty

A lawsuit recently filed in New York State alleges that a member of a fire department that responded to a medical call breached the confidentiality requirement of HIPAA by disclosing private patient health information at a party. The lawsuit names as defendants the volunteer firefighter accused of disclosing the information as well as the town and the fire department. It is important to note that the fire department provides BLS level of care and does not provide ambulance services.

In addition to violating HIPAA, the plaintiff alleged that, among other things, the defendant firefighter negligently violated the fire department’s internal confidentiality policy, and by disclosing the plaintiff’s private health information, he intentionally caused the plaintiff emotional distress.

Before we dive in too deep, let’s address some basics regarding who can file a lawsuit for violation of HIPAA, which agencies are considered “covered entities,” and how state or department policies apply.

HIPAA basics for fire departments

HIPAA – the Health Insurance Portability and Accountability Act – is a law that protects a patient’s privacy rights regarding their personal health information. HIPAA governs how covered entities protect and secure Protected Health Information (PHI).

It’s important that fire service professionals understand HIPAA’s basic confidentiality and privacy rules. First things first, we turn to whether an individual can file a lawsuit for a violation of HIPAA. The short answer: They can’t. Only the Department of Health and Human Services and state attorneys general have the authority to enforce HIPAA, per Alexander v. Sandoval (532 U.S. 275), and then only against covered entities.

You may be asking, “Are we a covered entity?” The answer for emergency services tends to be, “It depends.” Fortunately, you can use this online decision tool to determine whether your agency is a covered entity under HIPAA.

In the case of the New York agency, the fire department is not a covered entity because it does not electronically transmit private health information. Additionally, in New York, fire districts and independent fire companies are not allowed to bill for EMS.

Further, while a patient cannot sue your agency for a HIPAA privacy violation, there is a caveat – the 14th Amendment. A recent 4th Circuit case, Payne v. Taslimi (998 F.3d 648), leaves open the question of whether a cause of action based on privacy exists under the 14th Amendment.

Why is this important to the fire service? The Constitution provides privacy protections under the 4th Amendment, and the 14th Amendment extends those federal protections to the states. The question then becomes: Does an individual have a cause of action based on a reasonable expectation of privacy in the information that is constitutionally protected? If yes, the next question is whether there exists a compelling government interest in the disclosure and whether the act of disclosure outweighs personal privacy.

Remember, HIPAA is a federal law. Every state has or is crafting healthcare and medical confidentiality regulations. In all reality, your state regulatory system is more likely than HIPAA to trip you up. Why? Although your agency may not be considered a covered entity under HIPAA, state regulations regarding the release of protected health information may apply. In other words, simply complying with HIPAA may not be sufficient to protect you or your agency.

Going back to the New York case, the plaintiff relies on the fire department’s policy governing confidentiality to establish liability. Internal policies may not be admissible as evidence if the policies exceed what is traditionally considered a reasonable standard of care under the circumstances.

The lesson here: Each state has different common law notions of reasonable standard of care. Therefore, our agencies should be aware of what our state considers a reasonable standard of care for privacy issues. For example, in New York, there is no common-law action for violation of privacy. That means any lawsuit for violating a person’s privacy must arise out of a statute. Except for using a person’s likeness for monetary gain, most of New York’s privacy statutes involve physicians, hospitals, schools and the like.

Key takeaways

An individual cannot sue for breach of the HIPAA privacy laws. A person may sue for violating their 4th Amendment rights under the 14th Amendment with respect to private health information. But there are no federal decisions that address that issue. A fire department that does not bill for EMS is not likely to be a covered entity, as defined by HIPAA.

Further, privacy laws vary by state in terms of what is protected information. Be careful when discussing emergency incidents – and extra cautious when discussing medical calls. There is world of difference in saying, “I responded to a medical call where things were intense” and “I responded to Tony Smith’s house, and we treated Tony for [fill in your favorite trauma],” without Tony’s permission.

GettyImages-1165188027.jpg

Read next

How firefighters unintentionally violate HIPAA and similar policies

Confidentiality as a professional standard is the goal, but firefighters may not realize how simple it is to cross the line

Billing and Administration EMS Fire-based EMS Lawsuit Legal Issues Legislation & Funding
Lexipol Content Development Team

Lexipol’s Content Development staff consists of current and former public safety professionals including lawyers and others who have served as chief, deputy chief, captain, lieutenant, sergeant, officer, deputy, jail manager, PREA auditor, prosecutor, agency counsel, civil litigator, writer, subject matter expert instructor within public safety agencies, as well as college and university adjunct professor. Learn more about Lexipol’s public safety solutions.

RECOMMENDED FOR YOU