Sharing Patient Health Outcomes Information between Hospitals and EMS Agencies for Quality Improvement

This information sheet provides clarification as to the circumstances when a hospital and/or emergency department (ED) may share patient outcome information with the Emergency Medical Service (EMS) for quality improvement. The information provided is based on the requirements of the Federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that apply to the disclosure of patient information for quality improvement. It does not address applicable requirements for the disclosure of patient information for generalized research purposes. Further, additional consideration should be given to state, local, or other (e.g., facility-adopted) privacy standards and rules that may provide restrictions on the sharing of patient information that exceed the Federal HIPAA Privacy Rule standards.​​

If both the hospital and EMS provider are HIPAA covered entities1, the hospital may share patient health outcome information with the EMS provider for certain health care operations2 activities of the EMS provider, such as quality improvement activities, as long as both entities have (or have had in the past) a relationship3 with the patient in question. The hospital may share the information without the patient’s authorization, but must make reasonable efforts to disclose only the minimum amount of individually identifiable health information needed for the activity.

Definitions and Examples

1 Covered entity: Includes a healthcare provider who transmits health information in electronic form in connection with a financial or administrative health care transaction for which the Department of Health and Human Services has developed HIPAA standards. If the EMS provider does not submit electronic claims to a health plan or government payer (such as Medicare or Medicaid) it may not be considered a “covered entity.”

Example: EMS and EDs are considered covered entities if they transmit health care claims to a health plan via electronic transactions for payment purposes.

Source: HIPAA Rules at 45 CFR 160.103, and at 45 CFR Part 162.

2 Health care operations: Encompasses a number of activities to support health care treatment and payment functions, including quality assessment and improvement activities, (including outcomes evaluation and development of clinical guidelines), provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.

Source: HIPAA Privacy Rule at 45 CFR 164.501.

3 Relationship: Includes a current or prior relationship between a patient and each covered entity.

Example: EMS rendered treatment to and transported patient X to an ED for health incident Y. The EMS and ED therefore both have a relationship with patient X for health incident Y.

Source: HIPAA Privacy Rule at 45 CFR 164.506(c)(4).