Tailboard

HIPAA & PHI Handling

Privacy, security, and breach notification for patient information.

Read before using

This is a template. It is not your department's policy.

Tailboard templates are drafted as generic starting points aligned to national standards. They are not a substitute for your department's own review or for adoption through your Authority Having Jurisdiction (AHJ). For topics carrying significant exposure (use of force, medical scope, civil rights), route through qualified counsel before adoption.

Every placeholder marked [BRACKETED] must be completed before adoption. Every section must be reviewed against your department's staffing, apparatus, water supply, EMS scope, geography, and the specific laws of your state. What applies to a career department in a city may not apply to a volunteer department in a rural jurisdiction, and vice versa.

Standards, regulations, and best practices are updated regularly. Verify the current edition of every standard cited before adopting this document. Once adopted, this document becomes your department's responsibility — not Tailboard's.


Number: SOP-150

Version: 1.0

Last reviewed: 2026-05-01

Next review: 2027-05-01

Summary

This SOP governs how [DEPARTMENT NAME] handles Protected Health Information (PHI) under the federal Health Insurance Portability and Accountability Act (HIPAA). Compliance protects patients, the department, and individual members from civil and criminal penalties.

Definitions

PHI (Protected Health Information)
Individually identifiable health information transmitted or maintained in any form. Includes patient name, address, date of birth, medical condition, and any identifier that could connect health information to a specific person.
Covered Entity
Under HIPAA, a health care provider, health plan, or health care clearinghouse. [DEPARTMENT NAME] is a covered entity when providing EMS services.
Business Associate
A third party that performs functions involving PHI on behalf of a covered entity (e.g., billing service, ePCR vendor). Requires a Business Associate Agreement (BAA).
Minimum Necessary
Disclose only the PHI required to accomplish the purpose. Default rule for all uses and disclosures.

Purpose

To establish how members protect Protected Health Information during patient care, documentation, billing, and any disclosure — meeting HIPAA Privacy Rule and Security Rule requirements while supporting legitimate operational needs.

Scope

Applies to all members, volunteers, employees, and contractors who may encounter PHI — including paramedics, EMTs, drivers, billing staff, training officers, and supervisors. Applies on duty and off duty.

Permitted Uses & Disclosures

  • Treatment — to provide care to the patient or coordinate with receiving facility.
  • Payment — for billing, insurance, or reimbursement.
  • Operations — for quality improvement, training (de-identified or with authorization), credentialing.
  • Required by law — court order, subpoena, mandatory reporting (abuse, gunshot, infectious disease).
  • Public health activities — disease surveillance, exposure reports.
  • Threats to safety — to prevent serious imminent harm.

Disclosures That Require Patient Authorization

  • Marketing, fundraising, or media use of patient stories or images.
  • Disclosure to employers (other than workers' compensation).
  • Disclosure to family members beyond what the patient permits.
  • Use in research (with limited exceptions).

Verbal Communication

  • Do not discuss patient information in public areas (hallways, elevators, restaurants, parking lots).
  • Use minimum necessary information when reporting on the radio — patient initials or age/gender are usually sufficient.
  • Refer media or public inquiries to the public information officer; never confirm a patient's presence or condition without explicit authorization.

Documentation & Electronic PHI

  1. ePCR access is by individual login. Do not share credentials.
  2. Log out before leaving a workstation. Workstations auto-lock per IT policy.
  3. Mobile devices used for ePCR completion must be password-protected and encrypted; report a lost or stolen device immediately.
  4. Do not text, email, or photograph PHI on personal devices. Use only approved encrypted channels.
  5. Paper PCRs are stored in locked cabinets and shredded when retention period ends.

Social Media

Members shall not post any information that could identify a patient — including photos of scenes that could be linked to a call. Even a pickup truck license plate or distinctive house could re-identify a patient. When in doubt, do not post.

Breach Notification

A breach is the acquisition, access, use, or disclosure of unprotected PHI in a manner not permitted by HIPAA that compromises the security or privacy of the information.

  1. Any suspected breach is reported to the Privacy Officer within 24 hours.
  2. Privacy Officer documents: who accessed PHI, what information, when, how, and what mitigation occurred.
  3. Risk assessment determines notification requirements.
  4. If a breach affects 500+ individuals, notification to HHS, affected patients, and prominent media outlets is required within 60 days.
  5. Smaller breaches are logged and reported annually to HHS.

Patient Rights

  • Patients may request access to their PHI (ePCRs, billing records).
  • Patients may request amendments to incorrect PHI.
  • Patients may request an accounting of disclosures.
  • Patients may request restrictions on disclosures (department may decline if not practicable).
  • The Privacy Officer handles all patient requests within 30 days.

Business Associate Agreements

Any vendor that handles PHI on behalf of [DEPARTMENT NAME] — billing services, ePCR platforms, IT contractors, document destruction vendors — must have a signed BAA before access. The Privacy Officer maintains the BAA inventory.

Training

  • Initial HIPAA training at onboarding.
  • Annual refresher for all members.
  • Targeted training after any breach or near-miss.
  • Documentation of training kept in personnel files for the duration of employment plus 6 years.

Responsibilities

Privacy Officer

  • Maintains the department's HIPAA program.
  • Investigates suspected breaches.
  • Manages patient requests for access, amendment, and accounting.
  • Maintains the BAA inventory and Notice of Privacy Practices.
  • Conducts and documents annual training.

All Members

  • Use minimum necessary PHI.
  • Report suspected breaches within 24 hours.
  • Complete annual training.
  • Follow social media rules on and off duty.

Penalties

HIPAA violations carry civil penalties of up to $50,000 per violation (up to $1.5M annual cap per category) and criminal penalties of up to 10 years imprisonment for malicious disclosure. The department will impose internal discipline consistent with the Discipline & Grievance SOP up to and including termination.

References

  • HIPAA Privacy Rule: 45 CFR Part 164, Subpart E
  • HIPAA Security Rule: 45 CFR Part 164, Subpart C
  • Breach Notification Rule: 45 CFR Part 164, Subpart D
  • HHS Guidance for Covered Entities: hhs.gov/hipaa

Adapt this template

Before this template becomes your department's policy, review the following items and adjust accordingly. Anything else that does not match your operation should be updated as well.

  • Name the Privacy Officer (typically the EMS chief or designee).
  • Attach your Notice of Privacy Practices.
  • List your ePCR vendor and confirm a current BAA is on file.
  • Cross-reference Recordkeeping & Retention and Social Media SOPs.

Adoption signature

Adopted by (Name, Rank)
Signature
Effective date
Next scheduled review

Before adoption checklist

  • Replace [DEPARTMENT NAME] throughout the document.
  • Complete every [BRACKETED] placeholder.
  • Confirm the current edition of every cited standard.
  • Check against your state statutes and state fire marshal rules.
  • Route for chief review. Topics with significant exposure (use of force, medical scope) also go through qualified counsel.
  • Confirm alignment with any mutual-aid agreements.
  • Schedule a training plan for the new policy before effective date.
  • Announce adoption in writing to all members. Archive the prior version.
  • Set the next review date — annually at minimum.