
HIPAA vs. EMTALA: What’s the difference?

According to MedTrainer’s 4 Healthcare Regulations You Need To Know article, “HIPAA’s Privacy Rule grants patients control over their health information by providing them with rights to access, amend, and obtain an accounting of their PHI. The Security Rule sets requirements for implementing administrative, physical, and technical safeguards to protect electronic PHI. HIPAA also addresses the electronic exchange of health information, ensuring secure transactions through the use of standardized code sets and unique identifiers.”

On the other hand, “EMTALA’s primary objective is to prevent patient dumping, where hospitals deny treatment or transfer patients based on their financial situation. It’s crucial in guaranteeing equal access to emergency medical services and upholding ethical standards in healthcare delivery.”


Origins and core purposes

HIPAA: Protecting health information

HIPAA was enacted in 1996 with several objectives, though today it is best known for its privacy and security regulations. The law was originally created to:

  • Increase portability and continuity of health insurance coverage
  • Combat waste, fraud, and abuse in health insurance and the delivery of healthcare
  • Promote use of medical savings accounts
  • Simplify the administration of health insurance
  • Develop standards for electronic health information exchange

The Privacy Rule, which went into effect in 2003, established the regulations for protecting individuals' personal health information, and the Security Rule (2005) mandated standards specifically for electronic PHI (ePHI).


EMTALA: Emergency care access

EMTALA, enacted in 1986 as a section of the Consolidated Omnibus Budget Reconciliation Act (COBRA), has a different but equally important objective: to ensure access to emergency care regardless of a patient's ability to pay. Often called the "anti-dumping" law, EMTALA was a response to widespread reports of hospitals refusing to treat patients unable to pay for care, or transferring them to public hospitals without proper stabilization.


Privacy provisions

HIPAA's privacy framework

HIPAA's Privacy Rule applies to "covered entities" (health plans, healthcare providers, and healthcare clearinghouses) and their "business associates" (organizations that handle protected health information on their behalf).

The Privacy Rule rests on several building blocks:

  • Protected health information (PHI): The law safeguards all "individually identifiable health information" that is stored or transmitted by covered entities, whether in electronic, paper, or oral form.
  • Patient rights: Patients have rights over their health information, including:
    • The right to access their health records
    • The right to request correction of inaccurate information
    • The right to receive a notice of privacy practices
    • The right to request limitations on certain uses and disclosures
    • The right to receive an accounting of disclosures
    • The right to specify how and where they would like to receive communications
  • Limitations on use and disclosure: Covered entities may use or disclose PHI only with patient authorization or as specifically permitted under the Privacy Rule.
  • Administrative mandates: Covered entities must maintain privacy policies and procedures, designate a privacy official, train personnel on privacy, and have appropriate safeguards in place.
  • Breach notification: Under the changes introduced by the HITECH Act, covered entities must notify the affected individuals, the Department of Health and Human Services (HHS), and in some cases the media following a breach of unsecured PHI.

HIPAA's Security Rule complements the Privacy Rule by requiring administrative, physical, and technical safeguards for electronic PHI, including risk analysis, access controls, audit controls, integrity controls, and transmission security.



EMTALA's limited privacy provisions

While HIPAA is built around privacy provisions, EMTALA contains almost no direct privacy material. However, several aspects of EMTALA do relate to information handling:

  • Medical screening examination (MSE): “The first of the 3 legal requirements enacted by EMTALA is that the hospital must provide a medical screening examination (MSE) on any person who presents to the Emergency Department and requests treatment to determine if an emergency medical condition exists. The hospital's emergency department completes the screening examination requirement by not altering its standardized screening procedure,” explains the NIH in EMTALA and Patient Transfers. While this does not specifically address privacy, it does create documentation requirements that generate protected health information.
  • Transfer documentation: When transferring patients to other institutions, EMTALA requires specific documentation of the transfer decision, such as certification that the benefits outweigh the risks. According to the NIH, “The transfer of the patient to another hospital must follow detailed guidelines set by EMTALA including that the transferring hospital must send all available documents related to the patient's emergency condition to the receiving facility.” This documentation becomes part of the patient's medical record and falls under HIPAA's protections.
  • Reporting obligations: Hospitals must report suspected EMTALA violations, which may involve releasing specific patient information to regulators. Such releases are normally permitted under HIPAA's health oversight activities provisions.
  • Overlap with HIPAA: While EMTALA itself has limited privacy provisions, the information collected during EMTALA-mandated treatment is protected by HIPAA's Privacy Rule whenever it is created or maintained by a covered entity.


Enforcement and penalties

HIPAA enforcement

HIPAA is primarily enforced by the HHS Office for Civil Rights (OCR). Its enforcement mechanisms are:

  • Complaint investigations: OCR investigates complaints filed by individuals who believe their Privacy Rule rights have been violated.
  • Compliance reviews: OCR may conduct reviews to determine whether covered entities are complying with HIPAA regulations.
  • Civil monetary penalties: Violations can result in monetary penalties of $127 to $63,973 per violation (with a $1,919,173 annual limit per type of violation), depending on the level of culpability.
  • Criminal penalties: In serious cases, the Department of Justice pursues criminal prosecution for HIPAA violations, with penalties of up to $500,000 in fines and up to 10 years of imprisonment.
  • Resolution agreements: OCR also regularly resolves investigations through settlement agreements that include monetary payments and corrective action plans.

Notably, HIPAA provides no private right of action, so individuals cannot sue directly under HIPAA for HIPAA violations, although such violations can support claims under state law.



EMTALA enforcement

EMTALA enforcement operates differently:

  • CMS oversight: The Centers for Medicare & Medicaid Services (CMS) is the primary enforcement agency for EMTALA.
  • Hospital penalties: As of August 2024, hospitals and physicians that violate EMTALA can be fined up to $133,420 per violation for hospitals with 100 beds or more and up to $66,712 per violation for smaller facilities. Independent physicians may also face fines of up to $133,420 per violation. These fines are not covered by malpractice insurance. A more severe consequence is the possible loss of Medicare and Medicaid hospital funding for repeated or flagrant violations. Maximum hospital penalties are reviewed annually and adjusted for inflation.
  • Physician sanctions: An EMTALA violation can expose physicians to civil monetary sanctions as well as exclusion from Medicare and Medicaid.
  • Private right of action: Unlike HIPAA, EMTALA gives patients who are directly injured by an EMTALA violation a private right of action, but only against the transferring hospital, not against receiving hospitals or physicians.

The impact on vulnerable populations

HIPAA and vulnerable groups

HIPAA provides additional safeguards for several vulnerable groups:

  • Mental health information: According to the HHS, “Generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections.”
  • Substance use disorder records: While governed mostly by other rules (42 CFR Part 2), HIPAA adds a further layer of protection to information related to substance use disorders.
  • Minors: HIPAA defers to state law regarding parents' access to minors' health records, but includes provisions to protect minors when such access might place them in harm's way.
  • Victims of abuse: The HIPAA Privacy Rule addresses the protection of information relating to victims of abuse, neglect, or domestic violence in 45 CFR § 164.512(c). This section permits covered entities to disclose the PHI of a person whom they reasonably believe to be a victim of abuse, neglect, or domestic violence to a government authority legally authorized to receive reports of such cases, such as social services or protective agencies.

EMTALA and vulnerable groups

EMTALA has been most important for the following groups:

  • Uninsured patients: 42 U.S.C. § 1395dd(a) provides that any individual who comes to a hospital emergency department requesting examination or treatment must receive an appropriate medical screening examination to determine whether an emergency medical condition exists, regardless of their ability to pay.
  • Psychiatric patients: 42 U.S.C. § 1395dd(e)(1)(A) defines "emergency medical condition" to include conditions manifesting acute symptoms of sufficient severity that the absence of immediate medical attention could reasonably be expected to result in serious health consequences. This includes psychiatric emergencies in which patients may be a danger to themselves or others.
  • Pregnant women in labor: 42 U.S.C. § 1395dd(e)(1)(B) addresses pregnant women who are having contractions. It states that an emergency medical condition exists if there is inadequate time to effect a safe transfer to another hospital before delivery, or if the transfer may pose a threat to the health or safety of the woman or the unborn child.
  • Undocumented immigrants: 42 U.S.C. § 1395dd(a) requires hospitals to provide emergency medical screening and necessary stabilizing treatment to "any individual" who comes to the emergency department, without reference to citizenship or immigration status.


FAQs

Does HIPAA apply to all healthcare providers?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.


Can a hospital refuse treatment under EMTALA if the patient is intoxicated?

No, EMTALA requires hospitals to provide a medical screening examination (MSE) to determine if an emergency medical condition exists, regardless of intoxication status.


Are there exceptions to HIPAA’s Privacy Rule for law enforcement?

Yes, HIPAA allows disclosures of protected health information (PHI) to law enforcement under specific conditions, such as court orders, subpoenas, or reporting victims of abuse.


Does EMTALA apply to urgent care centers?

No, EMTALA applies only to hospitals with emergency departments that participate in Medicare.


Does EMTALA require hospitals to provide free treatment?

No, hospitals must screen and stabilize emergency conditions but can bill patients for services rendered.