The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996. Its fundamental purpose was to improve both the portability and the continuity of health insurance coverage. Title II of the act, intended to reduce paperwork, contained a clause called the Privacy Rule. The Privacy Rule is responsible for much confusion and controversy, particularly in collegiate sport settings. This paper identifies issues with the HIPAA Privacy Rule and suggests methods with which collegiate sport professionals can deal with those issues.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996, by the 104th U.S. Congress as Public Law 104-191 (29 U.S.C. §18). The act amended both the Employee Retirement Income Security Act, or ERISA [29 U.S.C. §1182(a)(1)], and the Public Health Service Act [42 U.S.C. § 6(a)]. Its main purpose was to improve both the portability and continuity of health insurance coverage for workers and their families, especially as individuals changed employers. Title II of the act was intended to reduce paperwork—making it easier to detect and prosecute fraud and abuse—and to streamline industry inefficiencies (Office for Civil Rights, 2003). However, one specific clause in Title II, Part C, titled “Administrative Simplification,” has had implications beyond the original intent of the act. This clause is referred to as the Privacy Rule; it took effect on October 15, 2002, and is responsible for much confusion and widespread controversy (Kuczynski & Gibbs-Wahlberg, 2005), especially in collegiate sport settings.
The Privacy Rule is formally titled “Standards for Privacy of Individually Identifiable Health Information” (45 CFR parts 160 and 164). It implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. The Privacy Rule was added to the legislation at the request of the insurance industry. It was intended to be a confidentiality provision—controlling the use and disclosure of health information—by establishing for the first time a set of national standards for the protection of personal health information. Before the enactment of this act, an individual’s health information was readily available and could be shared freely among insurance companies. The result of this ethically questionable, yet legal, sharing of health information was across-the-board rejection of many persons who requested, and often needed, health insurance.
The Department of Health and Human Services is responsible for the enforcement and implementation of HIPAA. As a federal agency, it has far-reaching and at times intimidating power. The passage of HIPAA, and more specifically of the Privacy Rule, has had an immediate impact on sporting organizations and personnel, especially on the customary way in which injuries are reported and information concerning athletes is released. The challenge facing sport professionals is determining whether HIPAA applies to them and, if it does, establishing protocols for performing their duties adequately while complying with the federal regulations. This paper identifies issues with the HIPAA Privacy Rule and suggests methods with which sport professionals can cope with these issues.
Personal health information is defined by HIPAA as individually identifiable health information. This includes any demographic or personally identifiable data relating to physical or mental health conditions, as well as information relating to the provision of health care and payment; however, patient information from which identifying details have been redacted is not subject to HIPAA guidelines (Jones, 2003). The Privacy Rule (also known as “Standards for Privacy of Individually Identifiable Health Information”) is in title 45 of the Code of Federal Regulations, part 160 and subparts A and E of part 164. The full text of the Privacy Rule can be found at the HIPAA privacy website of the Office for Civil Rights, http://www.hhs.gov/ocr/hipaa.
The Privacy Rule specifies that all covered entities follow five steps to ensure the privacy of patients’ health information (Dolan, 2003):
- Notify patients about their rights and inform them of how their information will be used.
- Adopt and implement privacy procedures.
- Train employees on privacy procedures.
- Designate an individual to be responsible for ensuring that privacy procedures are adopted and followed.
- Ensure that patient records containing individual identifiable health information are secure.
Some of the problems encountered from the Privacy Rule are best reflected in the following two questions: What constitutes a covered entity, and how does HIPAA interact with the Family Educational Rights and Privacy Act of 1974 (FERPA) in the collegiate sport setting? In addition, the Privacy Rule also affects how information about an athlete’s injury can be provided to the media as well as to coaches and athletic administrators (Wyatt & Carden, 2003).
The Administrative Simplification standards adopted by the Department of Health and Human Services under HIPAA apply to any entity that is a health-care provider that conducts certain transactions in electronic form; or is a health-care clearinghouse; or is a health plan. An entity that is one (or more) of these types of entities is referred to as a “covered entity” in the Administrative Simplification regulations found at http://www.cms.hhs.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp. Covered entities are expected to adhere to the policies of the Privacy Rule. Any organization that bills for medical services or transmits personal health information electronically will fall under the guidelines of the Privacy Rule.
A college, university, or high school, then, is not automatically a covered entity simply because it has an athletic trainer on staff. Only if the athletic trainer bills the student-athlete or the student-athlete’s insurance plan for outside treatment may the institution become a covered entity. Further, a physician who bills, transmits claims to a health plan, or receives payments through some type of electronic form is considered a covered entity under HIPAA regulations (Magee, Almekinders, & Taft, 2003). Moreover, hybrid entities exist: organizations in which one part is a covered entity and another part is not. This typically occurs in a university setting in which the student medical and health centers are covered entities but the remaining departments are not. HIPAA regulations allow an institution to designate which components are involved and which individuals are covered within the respective components. This allows the institution to place HIPAA requirements on a specific category of persons it has defined as its health-care components (Hill, 2003).
Questions also have arisen about whether non-covered entities that interact and share information with covered entities consequently become covered. Though the distinction is a bit murky, the answer seems to be no. Information communicated from a covered entity to a non-covered entity is no longer subject to the Privacy Rule, and the non-covered entity does not change its status (Office for Civil Rights, 2003).
The Department of Health and Human Services (HHS), which oversees the regulation of HIPAA, has established the following website with information about the law along with a tool that can be used to see what qualifies as a covered entity: www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp. Additional online resources are available from HHS that provide a general overview and an explanation of individual rights; see the website www.hhs.gov/ocr/hipaa/consumer_rights.pdf.
HIPAA and FERPA
The interaction of HIPAA’s Privacy Rule with FERPA adds to the confusion surrounding HIPAA. FERPA applies to all schools receiving federal funding. The intent of the act is to allow parents access to information about their children while safeguarding that information from release to other parties. However, the act does allow information to be released, without consent, to school officials who have a legitimate educational interest in the student (e.g., faculty advisors, registrars). HIPAA’s definition of protected health information exempts education records, as those are defined in and covered by FERPA, and also treatment records of students 18 years of age or older that are made and maintained by the student’s treating physician or other medical professional and are available only to that physician or professional. In other words, under HIPAA, protected health information excludes individually identifiable health information in education records that is covered by FERPA (Windley & Walueff, 2005). It appears that FERPA’s application takes precedence over HIPAA (Pitz, 2003).
HIPAA and the Athlete
Within sport, it has been standard practice for information about players’ injuries to be communicated to a wide range of individuals, from physicians and athletic trainers to coaches, school administrators, and even the media. The biggest concern for many sport organizations has been how the privacy act will affect these procedures. Professional teams have feared that athletes may withhold injury information before signing contracts (Jenkins, 2003). Both professional and college teams are unsure if information can be provided to trainers and coaches by team physicians. Another major concern for both types of teams is what, if any, information can be provided to the media (Elmore, 2002), as it disseminates information rapidly and readily to the populace as a whole.
For professional teams, health and injury information is considered a criterion of employment because of the nature of the job. Therefore, an injured athlete could not legally withhold injury information from a team to which he or she is contractually obliged. This also means that health and treatment information could be shared with coaches and team owners (Magee, Almekinders, & Taft, 2003).
For college teams, the stipulations about what information can be shared depend on the status of the team physician. Some team physicians conduct part of their practice through the student health center. In this case, the physician falls under the guidelines of FERPA and should be allowed to share information with coaches and athletic trainers. A physician not employed by a university-run health center will be subject to the HIPAA guidelines. In this case it is possible that, for any information to be released to athletic trainers, an authorization form would need to be signed. An exception to HIPAA exists that specifically states that information can be released to another provider for treatment purposes. What is unclear, however, is whether a trainer is considered a provider under HIPAA guidelines (Hill, 2003).
For coaches and other school administrators, an authorization would need to be provided before this information could be shared. Another concern is information from on-field evaluations: can it be shared with the necessary parties? The answer, it seems, is that these evaluations fall under the category of emergency evaluations, for which prior authorization is unnecessary.
Finally, regarding the sharing of information with the media, this issue is clear-cut. Under HIPAA, personal health information can be provided to sports information staff or the media only with authorization from the athlete (Magee et al., 2003).
Any sport entity that is covered under HIPAA needs to review its existing practices, policies, and procedures. Relationships with other businesses also will need to be reviewed as they fall under HIPAA guidelines. Utilizing experienced legal counsel to determine status under HIPAA and also to recommend authorization forms, privacy notices, and business-associate contracts is recommended (Kibbe, 2005).
One way that some schools are fulfilling the authorization constraint is by requiring athletes to sign authorization forms in order to participate in athletics. Signing the form is mandatory if the student-athlete wants to participate in athletics. Surprisingly, HHS approved this measure (Hill, 2003). Other schools that have not implemented such a policy suggest always getting permission from athletes when reporting to the media. Even when an athlete has consented to the sharing of information with one media outlet, consent should be given for each media entity that subsequently becomes involved.
Schools choosing to opt for signed consent and authorization should ensure that their forms meet the requirements of HIPAA. Authorization forms should contain a statement about what information will be shared and with whom and for how long; moreover, the form must have an expiration date. The form should be specific about who may disclose the information and about what information may be disclosed and to whom. The form also should state that the athlete cannot be denied treatment for refusing to sign and that, if information is disclosed to a non-covered entity, it may no longer be protected under HIPAA. The form also needs to contain a statement that an athlete has a right to revoke authorization at any time (Hill, 2003).
Consequences of Inappropriate Release of Information
The Department of Health and Human Services has stated that most of its enforcement will be compliance-driven and that the rule focuses on seeking voluntary compliance and providing technical assistance to covered entities. Entities found in violation will be given opportunities to demonstrate compliance or to submit a corrective action plan. However, HHS has outlined both a civil penalty of up to $25,000 per person per year per standard, and the following criminal penalties for knowingly disclosing information (Jones, 2003): knowing disclosure, $50,000 and 1 year imprisonment; false pretenses, $100,000 and 5 years’ imprisonment; intent to sell, $250,000 and 10 years’ imprisonment.
HHS has released information about filing a complaint against a covered entity that is non-compliant. Individuals who believe their privacy rights have been violated must file complaints in writing, either electronically or on paper, within 180 days of when they knew or should have known that the act or omission occurred. A form was developed by HHS to assist anyone who wants to file a complaint and is available at www.hhs.gov/ocr/hipaa.
To safeguard protected information, covered entities need to ensure that personal health information is secure. Any records need to be kept in locked file cabinets. When athletic trainers treat athletes, they need to make sure information about the athletes is not discussed where others can hear it. Any consultation with parents or other involved parties needs to be done with a degree of privacy. Moreover, computer security measures must comply with the HIPAA standards.
HIPAA and Sport Managers and Their Employers
The largest concern for most institutions relates to treatment and injury information for student-athletes. Sport managers need to investigate their institutions’ status as a covered entity and review their compliance with HIPAA and the Privacy Rule. If an institution is a covered entity, the sport manager will need to fully understand the implications of HIPAA and ensure that the department is in compliance by safeguarding personal health information, training staff, and obtaining the appropriate authorizations. A further implication of HIPAA concerns the status of sport facilities. If medical information about patron accidents is kept, or if a facility employs a nurse or EMT unit, then the facility is considered a covered entity.
Though HIPAA and the Privacy Rule may seem daunting, most institutions and organizations have only had to make a few changes to their policies to be in compliance. As the act is relatively new, however, sport managers need to continue to update their knowledge of HIPAA to ensure full compliance.
Dolan, T. G. (2003). PTs respond to HIPAA: The real world experience. PT Magazine of Physical Therapy, 11(7), 52–56.
Elmore, L. (2002). Law injects confusion into injury reporting. Street and Smith’s Sports Business Journal, 5(26), 30.
General Overview of Standards for Privacy of Individually Identifiable Health Information, 45 CFR Part 160 and Subparts A and E of Part 164 (2003).
Hill, D. (2003). A matter of privacy. Athletic Management, 15(2), 37–42.
Jenkins, D. (2003, September 12). Hiding the hurt: Privacy act puts twist on obtaining injury reports. Chattanooga Times Free Press, p. D5.
Jones, D. (2003). HIPAA: Friend or foe to athletic trainers? Athletic Therapy Today, 8(2), 17–19.
Kibbe, D. C. (2005, April). 10 steps to HIPAA security compliance. Family Practice Management, 43–49.
Kuczynski, K., & Gibbs-Wahlberg, P. (2005). HIPAA the health care hippo: Despite rhetoric, is privacy still an issue? Social Work, 50(3), 283–287.
Magee, J. T., Almekinders, L. C., & Taft, T. N. (2003, March–April). HIPAA and the team physician. Sports Medicine Update, 4–7.
Office for Civil Rights. (2003, May). Summary of the HIPAA privacy rule. Retrieved March 28, 2007, from http://www.hhs.gov/ocr/privacysummary.pdf
Pitz, S. M. (2003). HIPAA and the sports media: Separating fiction from reality. Nevada Lawyer, 11(8), 12–14.
Windley, V. R., & Walueff, G. (2005, June). HIPAA, right to privacy, contracts. NAEB Journal, 4–6. Retrieved March 28, 2007, from http://wikis.oet.udel.edu/uapp667sinesummer05/index.php/Main/HIPAA
Wyatt, B. M., & Carden, K. E. (2003, April). The HIPAA privacy regulations and access to athletes’ medical information. Ropes & Gray Sports Law Newsletter, 6–7. Retrieved March 28, 2007, from http://www.ropesgray.com/files/Publication/3b22be16-0237-4e05-9e11-af29b45830aa/Presentation/PublicationAttachment/0e23970d-d944-4ace-acce-893ed0f9dba7/Newsletter_April%202003_Sports%20Law%20Group.pdf