Handling HIPAA

By Staff

Athletic Management, 16.3, April/May 2004, http://www.momentummedia.com/articles/am/am1603/wuhipaa.htm

A year after its effective date, many athletic departments are still wrestling with the Health Insurance Portability and Accountability Act. An administrative burden, a pile of paperwork, and a legal threat is how some administrators describe HIPAA. It’s also created confusion, with interpretations seemingly changing week to week.

"One reason it remains confusing is it hasn’t been tried in court to get some legal precedent," says Keith Webster, Administrative Head Athletic Trainer at the University of Kentucky and Chair of the National Athletic Trainers’ Association’s Governmental Affairs Committee. "Until there is some legal precedent, even lawyers will vary with their interpretations. We’re still in that gray area of everyone interpreting it differently and doing the best they can to comply with the way they read it."

HIPAA was implemented to standardize electronic management and sharing of individuals’ medical information, curb abuses of the data, and make health insurance easier to obtain and maintain when workers switch jobs. It covers health care providers, health insurance plans, and anyone else who conducts electronic transactions involving individual patients’ medical records. Thus, some high school and college sports medicine departments are subject to its rules—termed covered entities in HIPAA jargon.

Some schools follow the rules just to be on the safe side. "I don’t think we are totally 100 percent positive which entity we are, covered or non-covered," says David Polanski, Head Athletic Trainer at the University of Tulsa. "So we’re treating ourselves as a covered entity just to be safe."

Covered entities must take certain steps to guard against improper disclosure of personal health information—PHI in HIPAA jargon. Among them are designating an employee as its privacy officer, having staff training on safeguarding PHI, and making sure that business associates receive PHI only when there is a legitimate reason and do not misuse it. Covered entities must also try to ensure that any non-covered entities they regularly deal with will safeguard shared PHI.

Webster recommends developing an authorization-to-release form for student-athletes to sign as part of their standard pre-participation paperwork packets. The form must state: who will be authorized to receive information; that authorization can be revoked in writing; and that once released to someone not covered by HIPAA, the information is fair game for anyone. Some schools have combined HIPAA authorization with their FERPA forms (the Family Educational Rights Privacy Act governs student records).

At Miami (Fla.) Country Day School, Athletic Trainer Theresa Belesky has followed a path similar to Polanski’s. The school’s lawyers said they don’t believe the school is a covered entity, but Belesky developed a form for parents to sign anyway. Belesky says it helps her feel her bases are covered, and it serves to educate coaches on respecting their athletes’ medical privacy.

At first, coaches were confused and concerned about the form, Belesky says. "They asked, ‘Does this mean you are not going to be able to tell me anything about an injured student?’ I told them, ‘That’s not the case. It’s just that you need to know that because the parents have signed this, they’re allowing me to talk to you. Therefore, you can’t go and talk to some other parent or somebody else.’ It was just a matter of educating my coaches as to how this all worked."

As for media releases, HIPAA has reminded those in athletics that their athletes’ medical information is private and should be respected as such. For example, at the University of Wisconsin, Head Athletic Trainer Dennis Helwig says the school’s new policy is to release only the fact that an athlete was injured and what part of the body was involved. Beyond that, reporters are told to ask the athletes directly. Sometimes the athletes then authorize sports medicine and sports information staff to say more so the student-athletes themselves aren’t inundated with interview requests.

It’s a change in attitude, Helwig says. "For so long people had been used to saying, ‘So and so has this type of knee injury and is going to have this test or more surgery done and is going to be out so long’ without asking the athlete, ‘Is this really what you want us to put out there?’ Everybody had the impression that all this information was fair game for the public to know. But it’s not."

The University of Tulsa at first stopped releasing injury information to the media, but has since asked student-athletes what they want, says Polanski. For example, on the football team, about 10 players didn’t sign the release. But the coaching staff didn’t want to have to keep track of which players had given authorization and who hadn’t, so they decided not to release any medical information.

"But we had to do a little education with the media," says Polanski. "A lot of the media members said they’d checked into HIPAA and told us we can release injury information. We explained it wasn’t because of HIPAA that we didn’t release it, but because the players don’t want it released."

For a longer look at the implementation of HIPAA, go to www.athleticsearch.com and enter, "Honing in on HIPAA" into the search window.

To view the release-authorization form used by Miami Country Day School, please visit: www.miamicountryday.org/athletics/HIPAA_form.htm.

The form used by the University of Oklahoma Department of Intercollegiate Athletics is at www.ouhsc.edu/hipaa/docs/HIPAA_AthleticDeptAuthorizationForm_3-10-03.pdf.