Ohio Attorney General Opinion No. 2017-006

March 1, 2017

The Honorable Brigham M. Anderson
Lawrence County Prosecuting Attorney
111 South 4th Street Ironton, Ohio 45638

SYLLABUS: 2017-006

1. A county emergency medical service (“EMS”) organization, as defined in R.C. 4765.01(H), may disclose to a county drug task force the number of times EMS personnel administer naloxone to a person experiencing an actual or suspected opioid overdose. If the county EMS organization is a “covered entity,” as that term is defined in 45 C.F.R. § 160.103, and if the number of times EMS personnel administer naloxone is “health information,” as that term is defined in 45 C.F.R. § 160.103, the county EMS organization shall determine that the information “is not individually identifiable health information” in accordance with 45 C.F.R. § 164.514(b) prior to the information’s disclosure.
2. If a “law enforcement agency,” as defined in R.C. 2925.61(A)(1), requests the name and address of a person to whom emergency medical service (“EMS”) personnel administered naloxone in response to an actual or suspected drug overdose, R.C. 4765.44(B)(1) requires EMS personnel to disclose the information to the law enforcement agency unless the EMS personnel reasonably believe that the law enforcement agency making the request does not have jurisdiction over the place where the naloxone was administered.

 

March 1, 2017

OPINION NO. 2017-006

The Honorable Brigham M. Anderson

Lawrence County Prosecuting Attorney

111 South 4th Street Ironton, Ohio 45638

 

Dear Prosecutor Anderson:

You have requested an opinion whether a county emergency medical service (“EMS”) organization may disclose information to a county drug task force about persons that “have experienced a drug overdose.” Numerous federal and state laws regulate the disclosure of records created or maintained by private and public entities and the personal and medical information contained in those records. The application of these laws depends upon many factors, including the specific types of records or information being disclosed and the circumstances in which the disclosure occurs.

In this instance, Lawrence County EMS desires to share information with the Lawrence County Drug & Major Crime Task Force to assist the task force in “tracking” the number of opioid overdoses occurring in Lawrence County.^[1] Specifically, Lawrence County EMS desires to disclose to the task force the number of times naloxone is administered to a person suffering an actual or suspected opioid overdose.^[2] Lawrence County EMS will not disclose any identifiable information about the person to whom the naloxone is administered, such as the person’s name, address, or social security number.^[3]

Whether Lawrence County EMS may disclose this information to the Lawrence County Drug & Major Crime Task Force depends upon whether the information is prohibited from disclosure under federal or state law. We shall begin our analysis by discussing the application of federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified primarily in Titles 18, 26, 29, and 42 of the United States Code).

Pursuant to HIPAA, the Secretary of the Department of Health and Human Services (“HHS”) promulgated privacy standards to protect personal health information. See 42 U.S.C.A. § 1320d-2. The Department of HHS published the HIPAA Standards for Privacy of Individually Identifiable Health Information, or the “Privacy Rule,” on December 28, 2000. See Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164; see also U.S. Dep’t of Health & Human Servs. Website, Introduction to the HIPAA Privacy Rule, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/introduction/index.ht ml (last visited, Feb. 27, 2017). Modifications to the Privacy Rule were adopted in August 2002. See U.S. Dep’t of Health & Human Servs. Website, Introduction to the HIPAA Privacy Rule, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/introduction/index.ht ml (last visited, Feb. 27, 2017).

The Privacy Rule prohibits a “covered entity” from disclosing “protected health information,” except in specific, delineated circumstances. See 45 C.F.R. § 164.500(a); OhioHealth Corp. v. Ryan, Franklin App. No. 10AP-937, 2012-Ohio-60, at ¶14 (“‘[t]he privacy rule prohibits ‘covered entities’ (generally health care providers who transmit health information in electronic form …) from using or disclosing an individual’s ‘protected health information’ except where there is patient consent or the use or disclosure is for ‘treatment, payment, or health care operations[.]’’”). A “covered entity” is defined, among other things, as “[a] health care provider who transmits any health information in electronic form in connection with a transaction covered” by HIPAA. 45 C.F.R. § 160.103. The terms “health care provider,” “health care,” “health information,” and “transaction” are defined in 45 C.F.R. § 160.103. “Health care provider” includes any “organization [that] furnishes, bills, or is paid for health care in the normal course of business.” Id. “Health care means care, services, or supplies related to the health of an individual.” Id.

Health information means any information … whether oral or recorded … that:

1. Is created or received by a health care provider …; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Id. “Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care,” including a “[f]irst report of injury.” Id.

Lawrence County EMS may be a “covered entity” under the Privacy Rule if the organization furnishes, bills, or is paid for care, services, or supplies related to the health of an individual in the normal course of business and transmits any health information in electronic form to carry out financial or administrative activities related to health care. See, e.g., Tex. Att’y Gen. Op. No. OR2003-8500, 2003 WL 22902422 (Nov. 25, 2003) (finding that an EMS department was a covered entity under HIPAA). Nevertheless, even if Lawrence County EMS is a covered entity under HIPAA, the Privacy Rule authorizes a covered entity to disclose health information that “is not individually identifiable.”^[4] See 45 C.F.R. § 164.514(a)-(b).

The Privacy Rule prohibits a covered entity from disclosing “protected health information.” 45 C.F.R. § 164.500(a) (emphasis added). “Protected health information means individually identifiable health information” transmitted by, or maintained in, electronic media or “[t]ransmitted or maintained in any other form or medium.” 45 C.F.R. § 160.103; see also State v. Neely, Lake App. No. 2004-L-197, 2005-Ohio-7045, at ¶38. Health information is not “individually identifiable health information,” and therefore not “protected health information,” if the health information “does not identify an individual and … there is no reasonable basis to believe that the information can be used to identify an individual.” 45 C.F.R. § 164.514(a).

“A covered entity may determine that health information is not individually identifiable health information” in one of two ways. 45 C.F.R. § 164.514(b). First, health information is “not individually identifiable” if “[a] person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” determines that is unlikely “that the information could be used, alone or in combination with other reasonably available information … to identify an individual who is a subject of the information.” 45 C.F.R. § 164.514(b)(1)(i)-(ii). Second, health information is “not individually identifiable” if certain pieces of information known as “identifiers” are removed⁵ and “[t]he covered entity does not have actual knowledge that the information” being disclosed “could be used alone or in combination with other information to identify an individual who is a subject of the information.” 45 C.F.R. § 164.514(b)(2)(i)-(ii).

It is our understanding that Lawrence County EMS will remove all personally identifiable information from the information it shares with the Lawrence County Drug & Major Crime Task Force. We presume for the purpose of this opinion that this means Lawrence County EMS will determine that any information about the administration of naloxone “is not individually identifiable health information” in accordance with 45 C.F.R. § 164.514(b) prior to the

1. Title 45 C.F.R. § 164.514(b)(2)(i) lists the following “identifiers of the individual or of relatives, employers, or household members of the individual” as having to be removed:
   1. Names;
   2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
      1. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
      2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
   3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
   4. Telephone numbers;
   5. Fax numbers;
   6. Electronic mail addresses; (G) Social security numbers;
   7. Medical record numbers;
   8. Health plan beneficiary numbers;
   9. Account numbers;
   10. Certificate/license numbers;
   11. Vehicle identifiers and serial numbers, including license plate numbers;
   12. Device identifiers and serial numbers;
   13. Web Universal Resource Locators (URLs);
   14. Internet Protocol (IP) address numbers;
   15. Biometric identifiers, including finger and voice prints;
   16. Full face photographic images and any comparable images; and
   17. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section.

information’s disclosure. Under these circumstances, the HIPAA Privacy Rule does not prohibit Lawrence County EMS from disclosing to the Lawrence County Drug & Major Crime Task Force the number of times naloxone is administered to persons experiencing an actual or suspected opioid overdose.

Similar to other laws that regulate the disclosure of personal and medical information, the application of the HIPAA Privacy Rule is heavily fact-dependent. Accordingly, if Lawrence County EMS shares information with the Lawrence County Drug & Major Crime Task Force other than the number of times naloxone is administered by Lawrence County EMS personnel, the HIPAA Privacy Rule may prohibit the disclosure of such information.

In addition to HIPAA, state statutes regulate the disclosure of personal and medical information in Ohio. See, e.g., R.C. Chapter 1347 (protecting information in personal information systems); R.C. 2317.02(B) (protecting communications between a physician and patient); R.C. 3701.243 (regulating the disclosure of the identity of persons diagnosed with AIDS or related conditions); R.C. 3719.13 (confidentiality of reports that record the administration of a controlled substance). None of these statutes prohibit Lawrence County EMS from disclosing to the Lawrence County Drug & Major Crime Task Force the number of times naloxone is administered to a patient suffering an actual or suspected drug overdose.⁶ As aforementioned,

1. R.C. 2317.02(B) is known as the physician-patient testimonial privilege. R.C. 2317.02(B) protects from disclosure communications between a physician and patient. Courts have extended the physician-patient testimonial privilege to protect from disclosure communications and observations of “ancillary medical personnel when such personnel are assisting a physician in treatment or diagnosis of a patient.” 1996 Op. Att’y Gen. No. 96-005, at 2-22 (summarizing the state of case law as of 1996). In reliance upon these court decisions, prior opinions of the Attorney General have opined that “information observed and recorded by EMS personnel … to assist a physician with the diagnosis and treatment of the patient” may be protected by the physician-patient testimonial privilege codified in R.C. 2317.02(B). 2001 Op. Att’y Gen. No. 2001-041, at 2-253; see also 1996 Op. Att’y Gen. No. 96-005, at 2-22 to 2-23 (“even though emergency medical services are provided by emergency medical technicians or paramedics rather than by physicians, to the extent the records of such services are intended to assist a physician in treatment, such records may be subject to the physician-patient privilege”).

In this instance, the information subject to disclosure (the number of times EMS personnel administer naloxone) is not recorded to assist a physician with the diagnosis and treatment of the patient, but rather to assist local law enforcement in its efforts to track opioid overdoses in Lawrence County. The number of times a medical professional administers a medication “is the equivalent of ‘time data,’” the disclosure of which has been held not to be protected by R.C. 2317.02(B). Medina v. Medina Gen. Hosp., Cuyahoga App. No. 96171, 2011Ohio-3990, at ¶14 (the number of times an anesthesiologist “charted end-tidal CO2 and the intervals at which she did so is not privileged information but is the equivalent of ‘time data’”).

Furthermore, since the issuance of 2001 Op. Att’y Gen. No. 2001-041 and 1996 Op. Att’y Gen. we presume for the purpose of this opinion that Lawrence County EMS will not disclose personally identifying information about the patient such as the patient’s name, address, or social security number.

There are circumstances, however, in which emergency medical service personnel are required to disclose the name and address of a patient to whom naloxone is administered. R.C. 4765.44 states, in part:

(B)(1) Upon request of a law enforcement agency as described in division (B)(2) of this section, emergency medical service personnel … shall disclose the name and address, if known, of an individual to whom the emergency medical services personnel … administered naloxone due to an actual or suspected drug overdose, unless the emergency medical services personnel … reasonably believes that the law enforcement agency making the request does not have jurisdiction over the place where the naloxone was administered.

(2) A law enforcement agency may request a name and address of an individual under division (B)(1) of this section for the purposes of investigation or treatment referral and may use a name and address received under that division for either or both of those purposes.

 

Accordingly, if a law enforcement agency requests the name and address of a person to whom Lawrence County EMS personnel administered naloxone in response to an actual or suspected drug overdose pursuant to R.C. 4765.44(B)(2), Lawrence County EMS personnel are required to disclose the information unless they “reasonably believe[] that the law enforcement agency making the request does not have jurisdiction over the place where the naloxone was administered.”⁷ R.C. 4765.44(B)(1). For purposes of R.C. 4765.44, “‘[l]aw enforcement agency’ means a government entity that employs peace officers to perform law enforcement

 

 

No. 96-005, Ohio courts have held that, unlike information recorded by a nurse, “information obtained by a paramedic when giving emergency care to an individual is not a privileged communication falling within the protection of the physician-patient privilege.” State v. Wetta, Butler App. No. CA2001-08-184, 2002-Ohio-2597, ¶16; see also State v. Barrett, Butler App. No. CA2003-10-261, 2004-Ohio-5530, at ¶36. Accordingly, the physician-patient testimonial privilege codified in R.C. 2317.02(B) does not prohibit Lawrence County EMS from disclosing to the Lawrence County Drug & Major Crime Task Force the number of times naloxone is administered to a patient experiencing an actual or suspected opioid overdose.

⁷ Although the health information disclosed by Lawrence County EMS pursuant to R.C. 4765.44 would be individually identifiable health information, a covered entity may disclose protected health information without violating HIPAA when the disclosure of the information “is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” 45 C.F.R. § 164.512(a)(1); see also 45 C.F.R. § 164.512(f) (governing the disclosure of information to law enforcement).

duties.” R.C. 2925.61(A)(1); see also R.C. 4765.44(A) (“[a]s used in this section, ‘law enforcement agency’ has the same meaning as in [R.C. 2925.61]”). The definition of “peace officer” is set forth in R.C. 2921.51(A)(1). See R.C. 2925.61(A)(3) (“‘[p]eace officer’ has the same meaning as in [R.C. 2921.51]”).

Conclusions

Based on the foregoing, it is my opinion, and you are hereby advised that:

1. A county emergency medical service (“EMS”) organization, as defined in R.C. 4765.01(H), may disclose to a county drug task force the number of times EMS personnel administer naloxone to a person experiencing an actual or suspected opioid overdose. If the county EMS organization is a “covered entity,” as that term is defined in 45 C.F.R. § 160.103, and if the number of times EMS personnel administer naloxone is “health information,” as that term is defined in 45 C.F.R. § 160.103, the county EMS organization shall determine that the information “is not individually identifiable health information” in accordance with 45 C.F.R. § 164.514(b) prior to the information’s disclosure
2. If a “law enforcement agency,” as defined in R.C. 2925.61(A)(1), requests from emergency medical service (“EMS”) personnel the name and address of a person to whom EMS personnel administered naloxone in response to an actual or suspected drug overdose, R.C. 4765.44(B)(1) requires EMS personnel to disclose the information to the law enforcement agency unless EMS personnel reasonably believe that the law enforcement agency making the request does not have jurisdiction over the place where the naloxone was administered.

Very respectfully yours,

 

MICHAEL DEWINE

Ohio Attorney General

 

1. Lawrence County EMS is a county EMS organization as defined in R.C. 4765.01(H). R.C. 4765.01(H) defines an “emergency medical service organization” as “a public or private organization using first responders, EMTs-basic, EMTs-I, or paramedics … to provide emergency medical services.” See also R.C. 4765.01(A) (defining “first responder”); R.C. 4765.01(B) (defining “EMT-basic”); R.C. 4765.01(C) (defining “EMT-I”); R.C. 4765.01(D) (defining “paramedic”); R.C. 4765.01(G) (defining “emergency medical service”). A board of county commissioners is authorized to operate an emergency medical service organization pursuant to R.C. 307.05. ↑
2. Naloxone is “a white, crystalline, nonaddictive, synthetic drug … used to counteract the effects of narcotic overdoses.” Webster’s New World College Dictionary 970 (5th ed. 2014).

   ↑

3. Your letter asks for our opinion whether a county emergency service organization may “initiate” to a county drug task force “the disclosure of information concerning patients whom have experienced a drug overdose.” A member of your staff provided us additional details about the information Lawrence County EMS desires to disclose. ↑
4. For the purpose of this opinion, we presume that the administration of naloxone is “health information,” as that term is defined in 45 C.F.R. § 160.103. ↑