5.1 Overview of Healthcare Law and Ethics
Christine Malone, EdD
Laws that apply to healthcare may vary from one state to another. This chapter will focus on the laws that apply in Washington State. Ethics, unlike laws, are not universally agreed on. For this reason, healthcare associations provide ethical standards for the professions they serve. For example, the American Nurses Association publishes a Code of Ethics for Nurses with Interpretive Statements. These ethical codes are periodically updated to keep up with new technology, treatments, and diseases. Ethics differ from morals in that what one person considers morally wrong is not necessarily an ethical violation. For example, if a person is morally opposed to abortion but the state allows the procedure, performing it is not an ethical violation. In other instances, violating a healthcare law is also a violation of ethics. For example, if a healthcare professional falsifies a medical record entry, that is a violation of both healthcare law and ethics.
Anyone working in healthcare, whether in clinical or non-clinical roles, should be aware of ethical considerations. Healthcare organizations will often have their own code of ethics for employees, which may address issues such as employee use of company equipment for personal purposes. In this example, an employee using the employer’s copy machine for personal use would be considered an ethical violation.
Healthcare law applies to everyone working in a healthcare setting, whether in clinical or non-clinical roles. Clinical employees must adhere to their scope of practice, which is defined by the Department of Health in each state and dictates what a clinical employee may or may not do. For example, a medical assistant is not permitted to suture a wound.
Non-clinical employees must also comply with healthcare laws. The most important of these is the Health Insurance Portability and Accountability Act (HIPAA), which covers patient privacy and the release of patient information.

Federal, State, Tribal, and Local Law
Federal laws apply to all states and are passed by Congress. State laws, on the other hand, apply within a particular state and are passed by lawmakers in that state. Local laws apply to a county or city and are passed by local lawmakers.
Federal Healthcare Laws
There are six key federal laws that regulate the healthcare industry:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
- The Emergency Medical Treatment and Labor Act (EMTALA)
- The Anti-Kickback Statute (AKBS) and the Stark Law
- The Patient Safety and Quality Improvement Act (PSQIA)
- Fraud and abuse laws
These laws apply to all states. However, some states have laws that are stronger or stricter than federal laws. In these cases, the state laws must be followed.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The law was originally intended to protect employees from losing their insurance coverage when they changed jobs. Today, however, HIPAA is most commonly associated with patient privacy and the security of health information.
Protected health information (PHI) refers to individually identifiable health information held or transmitted by a healthcare organization, including details about a patient's care, diagnosis, medications, billing, and even the fact that they are a patient at that organization. Releasing PHI in a way that violates a patient's privacy is a violation of HIPAA.
HIPAA also includes specific regulations about how and when healthcare providers may communicate with one another regarding a particular patient. As a general rule, providers may only discuss a patient’s care if both providers are involved in that patient’s care. For example, a surgeon can discuss their findings with the patient’s primary care physician.
Most HIPAA violations are caused by carelessness or a lack of attention to detail. For example, two healthcare providers might discuss their patient in an elevator while other people are present. Healthcare professionals must always be cautious when discussing any patient care details, regardless of setting.
The HIPAA Privacy Rule defines how and when PHI may be used and released. It also requires healthcare organizations to inform patients of their rights to see, obtain copies of, and control their PHI. Under this rule, PHI may be used and shared without the patient's written authorization for treatment, payment, and healthcare operations; for most other purposes, the patient must authorize the release of their PHI to any other entity.
One exception to the authorization requirement is a court order directing a healthcare organization to produce a patient's PHI. The order, or a subpoena accompanying it, is served on the healthcare organization either in person or by mail. A subpoena is a legal demand for records or testimony; when it is not backed by a court order, the organization must obtain assurances that the patient has been notified or that a protective order is in place before releasing PHI.
All covered healthcare organizations, regardless of size, must designate a privacy official and a security official; in many offices a single HIPAA compliance officer fills both roles. This person also receives any complaints regarding HIPAA violations.
A Day in the Life of a HIPAA Compliance Officer
The HIPAA Compliance Officer plays a crucial role in ensuring that a medical office or healthcare organization adheres to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA). Their primary responsibilities include:
- Developing and implementing policies and procedures: The Compliance Officer is responsible for creating and implementing policies and procedures that align with HIPAA regulations. This involves understanding the requirements of HIPAA, including privacy, security, and breach notification rules, and developing protocols to ensure compliance.
- Staff training and education: The Compliance Officer is responsible for educating and training employees about HIPAA regulations. This includes raising awareness about patient privacy rights, data security practices, and the proper handling of protected health information (PHI).
- Conducting risk assessments: The Compliance Officer performs regular risk assessments to identify potential vulnerabilities related to the security and privacy of PHI. They evaluate the effectiveness of current security measures and identify areas for improvement to mitigate risks.
- Ensuring policies and procedures are followed: The Compliance Officer monitors the implementation of policies and procedures to ensure they are followed consistently. They may conduct audits, inspections, or internal reviews to verify compliance and address any identified issues.
- Responding to breaches and incidents: In the event of a security breach or unauthorized disclosure of PHI, the Compliance Officer takes the lead in responding. They investigate the breach, assess its impact, and coordinate the necessary steps to mitigate the breach, including notifying affected individuals, regulatory authorities, and other relevant parties.
- Maintaining documentation: The Compliance Officer is responsible for maintaining documentation related to HIPAA compliance efforts. This includes policies, procedures, training records, risk assessments, incident reports, and any other relevant documentation that demonstrates compliance.
- Keeping up with regulatory changes: HIPAA regulations can change over time, and it is the Compliance Officer’s responsibility to stay updated on any modifications or additions to the rules. They monitor updates in healthcare privacy and security laws and ensure that the medical office remains compliant with the latest requirements.
The role of the HIPAA Compliance Officer is critical to protecting patient privacy, safeguarding PHI, and ensuring that a medical office meets the standards set forth by HIPAA regulations.
Skill Stitch: Protecting Patient Privacy

The Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA and investigates reported breaches of PHI. From October 2009 to December 2022, over 5,000 data breaches were reported to the OCR.
HIPAA describes the entities that must comply with its regulations, known as covered entities: healthcare providers, health plans, and healthcare clearinghouses, together with the people who work for them. However, there are occasions when PHI may be accessible to outside parties. For example, a copy-machine repair technician may visit the office to repair the copier and come into contact with PHI printed by or stored on the machine. This technician is not part of the organization’s workforce, so the organization’s own policies and training do not bind them. For such cases, healthcare organizations must have the vendor sign a business associate agreement (BAA), which contractually binds the non-employee to protect patient privacy. Since the HITECH Act, business associates are also directly liable under HIPAA for their own violations.
There are several situations in which HIPAA permits PHI to be disclosed without the patient’s authorization. These include:
- Public Interest: Certain public health requirements, such as reporting communicable diseases, are mandated by law.
- Victims of Abuse: State law dictates what injuries must be reported to local authorities in cases of abuse.
- Law Enforcement: If a person is taken into custody, their medical condition may need to be disclosed to law enforcement personnel.
- Prevention of Public Harm: If a person informs their healthcare provider of an intent to harm another person, the provider may be required to disclose this information.
- Workers’ Compensation: Information about an injured employee’s condition may be disclosed to the extent necessary to comply with workers’ compensation laws.
The Health Information Technology for Economic and Clinical Health Act (HITECH)
The HITECH Act was passed by Congress in 2009 to promote the adoption and meaningful use of electronic health records. Part of this law addresses privacy and security concerns associated with the electronic storage and transfer of PHI, and it added the requirement to notify affected individuals, HHS, and in some cases the media after a breach of unsecured PHI. The HITECH Act also established a tiered system of civil penalties, with the severity of the penalty corresponding to the level of culpability, from violations the organization did not know about to willful neglect left uncorrected. Penalties are capped at $1.5 million per calendar year for violations of the same provision, an amount that is adjusted for inflation.
The Emergency Medical Treatment and Labor Act (EMTALA)
The Emergency Medical Treatment and Labor Act (EMTALA) was passed by Congress in 1986 to protect public access to emergency services. Under this law, hospitals that participate in Medicare must provide a medical screening examination to anyone who comes to the emergency department and must stabilize a patient with an emergency medical condition before transferring or releasing them, regardless of the patient’s ability to pay. EMTALA aims to prevent organizations from “dumping” patients who are unable to pay for their care.
Under EMTALA, an emergency medical condition is one in which the absence of immediate medical attention could reasonably be expected to place the patient’s health in serious jeopardy, or one that involves a patient in active labor. Once the patient has been stabilized, the healthcare organization may facilitate a transfer to another facility. A patient who has not been stabilized may be transferred only if the patient requests the transfer or a physician certifies that the expected benefits of the transfer outweigh its risks, for example because the hospital lacks the capability to provide the needed care.

The Anti-Kickback Statute and the Stark Law
The federal Anti-Kickback Statute (AKBS) was passed by Congress in 1972 to prevent financial incentives from improperly influencing healthcare decisions. The Stark Law, named after the congressman who authored the bill, addresses physician self-referral, prohibiting physicians from referring patients to facilities in which they have a financial interest. Both of these laws apply to organizations that bill Medicare, Medicaid, and other federal healthcare programs.
The AKBS is designed to prevent improper payments between referral sources and the providers or suppliers who receive the referrals. Under the AKBS, it is a criminal offense to knowingly offer, pay, solicit, or receive anything of value in exchange for patient referrals or for ordering items or services paid for by a federal healthcare program. For example, a hospital that provides gift cards to physicians for referring patients would violate the AKBS. Such kickbacks can lead to unneeded treatment or diversion from a more appropriate provider. Criminal penalties for violating the AKBS were raised in 2018 and now include fines of up to $100,000 per violation and/or a sentence of up to ten years in prison; civil penalties and exclusion from federal healthcare programs may also apply.

The Physician Self-Referral Law, commonly known as the Stark Law, was passed to prevent physicians from profiting off of self-referrals. Under this law, physicians may not refer Medicare or Medicaid patients for certain designated health services to an organization in which the physician or an immediate family member has a financial interest, unless an exception applies. For example, a physician cannot refer a patient to a physical therapy clinic that the physician owns. Many healthcare organizations are physician-owned, and to comply with the Stark Law they must structure those arrangements to fit one of the law’s exceptions, which for some services includes advising patients that alternative providers are available. Unlike the AKBS, the Stark Law is a civil statute and does not require intent. Penalties for violating it include denial of payment for the referred services, fines of up to $15,000 per service (a statutory base amount that is adjusted for inflation), and three times the amount of any improper payment made as a result of the referral.
Patient Safety and Quality Improvement Act (PSQIA)
The Patient Safety and Quality Improvement Act (PSQIA) was passed by Congress in 2005 to encourage healthcare employees to report medical errors and unsafe conditions in their workplace without fear of retaliation. The law created Patient Safety Organizations (PSOs) to collect and analyze these reports and made the information submitted to them confidential and legally privileged, so errors can be reported while patient and reporter confidentiality is maintained. Because of its anti-retaliation provisions, the PSQIA is also commonly referred to as a “whistleblower statute.”
Fraud and Abuse Laws
Both federal and state laws are in place to prevent fraud and abuse in healthcare. Fraud is defined as intentional deceit for financial gain. Examples of fraud include billing insurance companies for services not provided or using a higher-level billing code than the service warrants to receive higher reimbursement (known as upcoding). Another form of fraud in healthcare is medical identity theft, in which one person uses another person’s identity or insurance to obtain care. Requesting photo identification from patients is one safeguard against this. This safeguard is part of the Red Flags Rule, a Federal Trade Commission regulation issued under the Fair and Accurate Credit Transactions Act that requires covered organizations to maintain a written identity theft prevention program; it is not part of HIPAA. Examples of abuse include referring patients for tests or procedures that are not medically necessary or having patients return for care that is not medically necessary. While both fraud and abuse are illegal and unethical, fraud typically carries more severe penalties. Penalties for fraud and abuse may include jail time, fines, and exclusion from federal healthcare programs and insurance contracts.
Tribal Healthcare Laws
There are 574 federally recognized American Indian and Alaska Native tribes and villages in the United States. Because these tribes are sovereign nations, they are self-governed and create their own healthcare systems to serve their members. Members of these recognized tribes have access to free or low-cost healthcare through tribal and Urban Indian Health programs.
As part of the Patient Protection and Affordable Care Act (PPACA), the Indian Health Care Improvement Act (IHCIA) was permanently reauthorized. The IHCIA is the primary federal law governing healthcare for American Indians and Alaska Natives; it directs the federal government, working with tribal nations, to improve the healthcare services and facilities available on tribal lands, with the goal of improving care for the Native American population.
Attributions
- Figure 4.1: Stethoscope And Gavel by George Hodan is released under CC0
- Figure 4.2: image released under the Pexels License
- Figure 4.3: image released under the Pixabay License
- Figure 4.4: image released under the Pexels License
The development of EMS systems and qualifications is primarily managed by each state's Office of Emergency Medical Services. However, these offices rely on the federal government’s National Highway Traffic Safety Administration (NHTSA) EMS Education Agenda for the Future. This document was developed collaboratively with stakeholders from all aspects of EMS. States use it as a framework while developing and revising the curriculum, qualifications, and scope of practice for each level of EMS provider within their jurisdiction. Although state-specific curriculums may vary slightly, they all adhere to some general accepted practices. EMS programs are typically administered through community colleges, local or regional EMS systems, or hospitals.
In general, the curriculum for an entry-level EMS program (EMT) requires approximately 200 hours of training. This program covers non-invasive care for sick and injured individuals. EMTs have a limited range of life-saving medications that they can administer, typically using auto-dose delivery systems such as auto-injectors.
Advanced emergency medical technicians (AEMTs) undergo an additional 200-300 hours of training on top of the EMT training. This training allows AEMTs to administer certain essential medications, manage airways, and provide care for common medical and trauma emergencies.
Core paramedic certification takes an additional 1,080 to 2,000 hours of education, including classroom instruction, laboratory work, hospital clinical training, and a field internship. Paramedics can earn certificates, associate degrees, or bachelor's degrees in EMS. They are trained to perform intensive, life-saving invasive procedures in the prehospital environment. These procedures may include advanced airway management, critical care pharmacology, intensive cardiology, and advanced trauma management. The scope of practice for paramedics is governed by the state office of EMS (OEMS), regional EMS agencies, and local medical directors.
The information below is taken directly from the State of Washington OEMS website at the time of this publication, although it is generally applicable to most states.
Professional Requirements and Qualifications for EMTs, AEMTs, and Paramedics
To work as an EMT, AEMT, or paramedic, appropriate training is required. For all three roles, successful completion of a department-approved training course is required in most states. In Washington State, applicants who graduated from paramedic training after June 30, 1996, are required to have graduated from a paramedic training program accredited by the Committee on Accreditation of Educational Programs for the Emergency Medical Services Professions (CoAEMSP).
For all three careers (EMT, AEMT, and paramedic), applicants must meet the following criteria:
- Be at least 18 years of age
- Possess a high school diploma or GED
- Have professional work experience
Applicants are also required to be associated with one of the following:
- An EMS agency licensed by the Department of Health (e.g., aid or ambulance service)
- A law enforcement agency
- A business with an organized industrial safety team
- A senior EMS Instructor or coordinator teaching in a department-approved EMS training program who is not affiliated with any of the above agencies
Applicants must also be recommended for certification by the Medical Program Director (MPD) of the county in which they will be working.
EMTs must successfully complete the EMT certification examination, which includes both cognitive (written) and practical skills exams. This exam is developed and administered by the National Registry of EMTs (NREMT). Upon successful completion of the exam, applicants must provide proof of certification to the Department of Health in Washington State (WAC 246-976-141).
AEMTs must first pass the EMT exam before completing an additional AEMT course. After successfully finishing the AEMT course, they must pass the NREMT exam for AEMTs. AEMT programs are less common and tend to be located in more rural settings, but it is important to note that you do not have to become an AEMT prior to becoming a paramedic. Many EMTs go directly into paramedic coursework if they pursue that career path.
Skill Stitch: Blood Pressure
Blood pressure is a critical vital sign that provides valuable insight into a patient's health, particularly regarding their cardiovascular system. It measures the force of blood pushing against the walls of the arteries. High blood pressure, or hypertension, is a major risk factor for heart disease and stroke. If you work directly with patients, it is likely that you will be taking blood pressure on a regular basis. Let's take a closer look at what blood pressure entails and why it is so important.

Blood pressure is typically measured using a blood pressure cuff and a stethoscope. The cuff is placed around the patient's upper arm and inflated to a pressure that temporarily cuts off blood flow through the brachial artery. The healthcare professional then slowly deflates the cuff until blood begins to flow again while listening for the Korotkoff sounds.
- The first sound heard is associated with systolic pressure, representing the maximum arterial pressure during the contraction of the left ventricle of the heart.
- The Korotkoff sounds continue through various phases as the cuff deflates. Once the sounds stop, diastolic pressure is recorded, representing the relaxed pressure in the arteries between heartbeats.
Blood pressure is reported as the systolic reading over the diastolic reading, such as 120/80 mmHg. These measurements can provide important information about a person's risk of heart disease and stroke. A higher systolic or diastolic pressure is linked to an increased risk of mortality. Health professionals use blood pressure categories set by the American Heart Association and the American College of Cardiology to determine whether a patient’s blood pressure is healthy or concerning.
From EMTs to nurses and medical assistants, blood pressure is a standard vital sign used by health professionals to measure how well a person's cardiovascular system is functioning. While high blood pressure (hypertension) can be an indicator of heart disease, low blood pressure (hypotension) can signal a poor prognosis as well, for example in shock or severe bleeding. Healthcare professionals must be familiar with the AHA/ACC blood pressure categories to apply early interventions for patients at risk for heart disease.
Attributions
- Figure 6.6: image released under the Pexels License