The Health Insurance Portability and Accountability Act (HIPAA), is a recently enacted piece of federal legislation that places legal regulatory requirements on health care providers in all arenas of care, including tactical emergency medicine care. As a result, an intimate knowledge of its content, regulations, requirements, and potential consequences are mandatory for all health care providers.

HIPAA was passed into law in 1996 but, due to administrative obstacles and legal concerns, was not implemented fully until 2003. This legislation created legal obligations regarding “protected health information” (PHI), which up until this point had been addressed only in the oaths of health care providers and declarations/standards of national and international medical professional organizations. Creation of electronic health care transactions, especially involving third-party payer organizations such as medical insurance corporations, provided the impetus to provide legal protection for PHI.

Tactical emergency medicine operations are not exempt from these provisions. Health care provided in the course of health maintenance for tactical law enforcement personnel, as well as in the operational arena, falls under the auspices of HIPAA. Given the specialized nature of these health care situations, there exist special provisions under the law for health maintenance of both team members and subjects of law enforcement actions that are discussed here.

Privacy has been defined as the “right to be let alone,” further described as freedom from exposure to, or intrusion by, others. There are three major categories described under the term privacy: physical privacy, informational privacy, and decisional privacy. Physical privacy describes the right to freedom from contact with others or exposure of one’s body to others. Informational privacy relates to the prevention of disclosure of personal information, and decisional privacy reflects an ability to make and act on one’s personal choices without interference from others or the state (1).

Confidentiality, while on the surface appearing to be nearly identical to privacy in meaning, specifically relates to informational privacy in that when information is deemed confidential, it is indicated that those who receive said information have a duty to protect it from disclosure to others who have no right to the information (1).

The principles of privacy and confidentiality are grounded in the fundamental moral principles of biomedical ethics: human dignity, autonomy, and beneficence. As it is commonly held that human beings are capable of making moral choices and acting on them, they are provided special status and, as such, demand dignity. The principle of autonomy follows in that without the ability to make choices independently, privacy and confidentiality are not
possible. Beneficence, the dictum to “do good and avoid evil,” provides the reasoning for institution of privacy and confidentiality in respect for the special status accorded human beings.

There exist four basic types of invasion of privacy (1).

If a health care provider releases PHI without appropriate justification that results in harm to an individual, the provider is likely to be held accountable for damages. It is also possible that such an act could be deemed a malpractice offense, for it breaches the accepted professional standard of care.

The main tenet of HIPAA requires health care providers and others with access to PHI to protect the confidentiality, integrity, and availability of PHI in any form, including written, oral, or electronic. These regulations apply to any person or entity that “furnishes, bills or is paid for health care in the normal course of business.” This is commonly interpreted to include health care providers, hospitals, physicians’ offices, employers, public health authorities, life insurers, and any other individual or organization with access to PHI. HIPAA mandates a “written notice of privacy practices” when practical to be provided to subjects before initiating evaluation and treatment (1). While this is not always practical in the operational environment, attempts to provide this outside the acute setting should be made.

Family members may be provided PHI with the “informal permission” of the patient, given to the health care provider. There exist exclusions to HIPAA, of which several are particularly germane to the tactical emergency medicine environment. There are 12 “national priority purposes” for which PHI may be released without the subject’s prior written permission (2).