Patient Privacy, HIPAA, and Amateur Radio Communications


The issue of patient confidentiality is not new.  Hospitals, physicians, insurance companies and all other entities that have access to patient records have always faced an ethical responsibility to protect their privacy and confidentiality.  Around the turn of the millenium, federal legislators became convinced that a law was needed to provide greater assurance that records would be kept private, especially by third-party data management entities that were not directly involved in patient care and thus did not necessarily embrace such ethical obligations.

The Health Insurance Portability and Accountability Act (HIPAA) went into effect April 2003.  It includes a section titled Standards for Privacy of Individually Identifiable Health Information, intended to help guarantee privacy and confidentiality of patient medical records.  Included are stringent regulations on who can see a patient's medical records, whether in written form, a computer database, or even visible on a computer screen. 

HIPAA regulations do not forbid the emergency transmission of patient information via Amateur Radio.  The rest of this page will help you understand the role of Amateur Radio in protecting patient privacy while helping hospitals to provide urgent patient care.

KE6IPY at Command Center

Abbreviated HIPAA Definitions

Protected Health Information (PHI) includes any individually identifiable health information.  It can be explicitly linked to a particular individual or include data items that could reasonably be expected to allow individual identification.

Health Information relates to the physical or mental or condition of an individual.  It also includes information about the provision of health care and payment for such healthcare to an individual.  It may be oral or recorded in any form.  Besides details of diagnosis and medications, it includes such data as Social Security numbers, insurance numbers, date of birth, provider names, etc.

Covered Entities include health care providers, health plans, and health care clearinghouses that routinely handle protected health information.

Health Care Providers furnish medical or health services.  This includes any persons or organizations that furnish, bill, or are paid for health care in the normal course of business.

Business Associates are persons or organizations that are not on the covered entity's workforce but perform, on behalf of Covered Entities, functions involving the use or disclosure of protected health information (PHI).

HIPAA Privacy at a Glance

HIPAA regulations govern how Covered Entities, Business Associates and their workforces handle PHI.

The HIPAA Security Rule requires Covered Entities that collect, maintain, use or transmit PHI in electronic form to construct reasonable and appropriate administrative, physical and technical safeguards to ensure integrity, availability and confidentiality.  These measures must protect against any reasonably anticipated threats or hazards.

The HIPAA Privacy Rule requires Covered Entities to provide patients with a Notice of Privacy Practices that describes how health information will be protected.  The notice must also explain the patient's right to gain access and copies of health records, correct errors, get an accounting of how information has been used, request limits on access, request confidential communications, and file complaints with the Privacy Officer or federal authorities.

A covered entity may disclose PHI to facilitate treatment, payment, or health care operations.  Disclosure beyond this requires authorization from the individual.  Covered entities must take reasonable steps to ensure the confidentiality of communications with individuals.

The Minimum Necessary Standard applies to anyone who deals with the collection, use and disclosure of PHI.  Simply put, any disclosure should be no greater than necessary to complete a work-related task.  However, to avoid any possible interference in the daily practice of delivering health care, the minimum necessary standard does not apply to disclosures between and among medical practitioners.

Because HIPAA gives patients the right to an accounting of disclosures of their PHI, many hospitals maintain an Accounting of Disclosures Log.  Hospitals don't have to reveal disclosures of PHI for a number of specific reasons including treatment, payment and health care operations, but any other deliberate or inadvertent disclosure that staff considers to be "unusual" might be logged.

How Hospitals Have Complied

Hospitals have presented training sessions to their workforces about the circumstances under which patient information may be disclosed, what information may be given, and to whom.  Staff members are cautioned to avoid inadvertent disclosure of PHI, overhearing by visitors, access to charts, computer screens, and leaving patient information unattended.

In compliance with HIPAA, pharmacies, hospitals, and physician's offices now present handouts on privacy issues to their incoming patients.  Besides stating what patient information might be legally disclosed on a day-to-day basis, and how, they also give examples of how this information may be legally transmitted by Amateur Radio when normal transmission methods are not available.  Here are some statements from one Orange County hospital's handout:

As you can see from this disclosure, an Amateur Radio operator transmitting a name on the air in an emergency at the request of hospital staff for any of these purposes doesn't violate HIPAA/Privacy concerns.  The radio operator is just the communications resource.  Anything transmitted via Amateur Radio referencing any patient care is at the request of, and authorized by hospital staff.

Some hospitals have become creative at increasing privacy by using "record numbers" instead of names to identify patients when passing information from one unit to another.

In preparation for the implementation of the law, Risk Management and HIPAA managers at one hospital here in Orange County, California reviewed Amateur Radio involvement extensively.  The conclusion was that "HDSCS would be exempt from HIPAA for disaster purposes, as long as there is no post-incident publishing of patient-identifiable information."  Of course, HDSCS doesn't disclose any PHI after an incident.

How HDSCS Has Complied

HDSCS has not furnished, billed or received payment for health care in the normal course of operations.  HDSCS has not received protected information for the purpose of carrying out its regular activities.  Therefore, we believe that HDSCS is neither a Covered Entity nor a Business Associate, and is thus not directly bound by the provisions of HIPAA.  However, we believe in the importance of privacy and security for PHI, and we safeguard it to the best of our ability.  Our ethical obligation to do this wherever possible is no less than that of the hospitals we serve.

Our training about the hospital environment has helped us to become advisors as well as communicators.  For example, if asked by a hospital employee to transmit on-air a patient name with medical orders, our operators have been trained to alert the employee that absolute privacy cannot be guaranteed.  It is the responsibility of hospital staff to make the decision to release names and patient information.  The tradeoff is medical urgency versus the objective of confidentiality.

To minimize the chance of PHI-related transmissions being overheard, HDSCS communicators have been trained to use the lowest transmit power that is practical, and they choose radio frequencies with minimal activity, when available.

In over 35 years of service, HDSCS has transmitted patient orders, medication requests and laboratory results on many occasions.  In one instance, we had to contact an insurance company to get authorization for a patient's admission and treatment.  After the Placentia Metrolink train crash of 2002, we used our radios to help families locate two victims by inter-hospital messaging.  In every case, the decision to send the message by radio was made by the hospital on the basis of urgency versus confidentiality.  Hospital staff decided that urgency ruled in most, but not all cases.

HIPAA in Disasters

In the aftermath of Hurrincane Katrina, some hospitals and agencies were reluctant to exchange patient information, fearing HIPAA-related repercussions.  Upon learning this, the federal Health and Human Services Agency's Office of Civil Rights issued two bulletins clarifying the legality of hospitals sharing patient information in emergencies.  These HHS bulletins made it clear that patient information may be shared:

The bulletins also reiterated that:

Other Privacy Laws

States may also have statutes limiting the disclosure of PHI.  For instance, the California Confidentiality of Medical Information Act (CMIA) went into effect in 2003.  Some provisions are similar to HIPAA, requiring an authorization for release of personal medical information and setting minimum requirements for such an consent and the patient's signing of it.

CMIA specifically states that basic information such as name and general condition may be disclosed without pre-authorization to recognized disaster relief organizations for response to disaster welfare inquiries.  It also specifically allows the radio transmission of patient information to health facilities by personnel in ambulances and at the scene.  The reason for these two exclusions are presumably because the victims in such instances are incapable of giving consent.

The Bottom Line

In any communications failure, when a hospital or other must rely on other-than-normal means of communications to relay information for treatment and other covered purposes, HIPAA and other government regulations are not a hindrance.  Indeed, to not make use of special communications resources such as Amateur Radio, when available, might ultimately cause even greater problems for the hospital and the patients that it cares for.


Disclaimer:  Every effort has been made to accurately describe the HIPAA statute and its application to Amateur Radio communications.  However, the information on this web page is not legal advice and should not be construed as such.  Specific legal matters pertaining to privacy law compliance by you or your agency should be discussed with a knowledgeable attorney.

In the Photo:  HDSCS members have set up their equipment and operated shoulder-to-shoulder with staff members at emergency Command Centers and other units within hospitals.  Before sending any patient information over the air, our operators (including David Curlee KE6IPY shown here) have gotten approval from the Incident Commander, the House Supervisor or other person in charge.

Copyright ©2008 Joseph and April Moell.  All rights reserved.  Republication without permission is prohibited.

HDSCS logo

Back to the HDSCS home page

This page updated 12 July 2016