Why do you say that? It is supposed to prevent the giving out of any patient information without the patient's permission. Putting that information over the air unencrypted is doing just that. Yes you are correct in that many EMS organizations are not doing it but that's not saying they're correct.
It drives me crazy when people/agencies hide behind HIPAA because of the myths that surround it. This is directly from a law firm that specializes in EMS:
Myth No. 1: Dispatch centers can't give out any identifiable information over the radio.
Fact: HIPAA doesn't prevent dispatch centers from communicating all information necessary
for EMS response and treatment to EMS agencies. While patient names shouldn't be given out
unless truly necessary, a dispatch center may transmit any information necessary to facilitate
the EMS treatment of a patient.
Myth No. 2: Ambulance services are violating HIPAA if they give patient information to the
hospital over the radio.
Fact: HIPAA permits any and all treatment-related disclosures of patient information between
health care providers. Ambulances are freely permitted to give patient information to hospitals
over the radio for treatment purposes.
Myth No. 3: Dispatch centers must convert all communications equipment to digital or
institute new privacy technologies so that people with scanners can no longer hear radio
dispatches.
Fact: HIPAA does not prohibit dispatch centers from communicating with ambulance services,
which is necessary for response and patient treatment, even though everyone in "scannerland"
can listen in! These are called "incidental disclosures" under HIPAA, meaning they are
legitimate disclosures with unavoidable side-effects, and are permissible under HIPAA.
