Getting Hip to HIPAA

Being ready for the implementation of HIPAA means understanding privacy issues, covered entities, and the specifics of release forms. It also means rethinking your communication procedures.

By David Hill

David Hill is an Assistant Editor at Training & Conditioning.

Training & Conditioning, 13.2, March 2003,

During a football game last fall, a Hofstra University administrator came onto the sidelines and toward Head Athletic Trainer Rick Zappala, ATC. He wanted to ask Zappala how a player with an in-game injury was faring.

“I said, ‘I don’t think I have permission to say. Let me go check,’” Zappala recalls. “He said, ‘What, are you kidding me? Is this a joke?’ I said, ‘No, I’m serious.’”

Serious, indeed. With the effective start of the federal Health Insurance Portability and Accountability Act (HIPAA) scheduled for April 14, many athletic trainers have spent recent months figuring out a plan to comply with the new law. Non-compliance could subject a health-care professional to penalties of up to $250,000 and even prison.

Hofstra had been preparing for the law by adding a paragraph to its injury report form in which athletes under treatment could authorize the release of their medical information. Without that authorization, Zappala and his staff would remain mum on an athlete’s injury, except among fellow members of the sports medicine staff.

While more recent interpretations of HIPAA have somewhat loosened the silent treatment, every athletic trainer must be aware of, and have a plan for, dealing with this new law. Whether you work as the sole athletic trainer at a high school or oversee a large sports medicine team, the implementation of HIPAA will affect your procedures.

Congress passed HIPAA in 1996 with several aims in mind, one of which is to protect the confidentiality of medical information. Instead of being locked away in filing cabinets, patients’ medical records are increasingly being stored as computer files and flying around the Internet during electronic claims, billing, care authorizations, and other administrative tasks. Horror stories abound about misuse and abuse of records. Thus, HIPAA includes privacy rules forbidding health care providers, insurers, and claims clearinghouses from selling or otherwise providing medical information to anyone who doesn’t need it.

Unless the patient specifically authorizes release for a certain purpose, only those with a legitimate need may get a person’s private medical information, and anyone who maintains such records has to set up procedures to ensure they’re kept private. So while the law was clearly written for aims far removed from athletics, anyone involved in sports medicine is very much affected.

“Legislators really didn’t see the implications for athletics when they first authored this act,” says Keith Webster, MA, ATC, Administrative Head Athletic Trainer at the University of Kentucky and Chair of the National Athletic Trainers’ Association Governmental Affairs Committee.

As a result, exactly how the law affects athletics is not crystal clear, and many athletic departments are struggling with how to interpret it. In December, Webster met with officials from the U.S. Department of Health and Human Services (HHS), the part of the federal government responsible for enforcing the law, and found them sympathetic to athletic trainers’ concerns.

“They seemed to be willing to give us a little bit more liberal interpretation,” Webster says. “I think they were trying to help us through it, not intimidate us by holding it over our heads.”

But every athletic trainer must decide for themselves how HIPAA applies in their particular situation. And most will want to get athletic administrators involved in deciding how to interpret the law for their school.

The defining feature of HIPAA and how it relates to athletics boils down to covered entities. If you are a covered entity, you are subject to HIPAA’s rules. As defined by HHS, covered entities are organizations or individuals who conduct healthcare or health-insurance transactions electronically. By transactions, HHS means a slew of administrative procedures, such as billing, payments, authorization for services, certification of referrals, benefits coordination, eligibility determination, and verification of the status of claims.

An athletic trainer on staff at a college, university, or high school is not automatically a covered entity. If the athletic trainer bills for medical coverage or bills athletes’ insurance plans for in-house or outside treatment, however, that may make his or her employer a covered entity.

If an athletic trainer does not conduct any electronic transactions, but other employees in the institution do, his or her status is a bit murky. “You have what’s known as a hybrid entity,” says Elizabeth Squeglia, a partner in the Columbus, Ohio, law firm of Bricker & Eckler, who has been focusing her practice on preparing for HIPAA, including its athletics implications. “A hybrid entity is an organization with some aspects of its operation that are covered entities, and some that are not. The classic example would be a major university where the student health clinic, which is owned by the university, is a provider, but the rest of the university—the engineering department, the college of art—are not.

“Under HIPAA, you have the ability to designate yourself as a hybrid entity and to designate your covered components—and which individuals are a part of them,” Squeglia continues. “By doing that, you limit the HIPAA requirements to that category of people you’ve defined as your covered health-care components, and the rest of the organization’s not subject to it.”

“If you’re [an athletic trainer] employed by a covered entity, you need to ask more questions,” Webster says. “On one day I’m a covered entity: I’m an employee of the University of Kentucky, which has components that do electronic transactions. Another day I’m may be determined to not be a covered entity because I’m not involved with the electronic transactions in our athletic department, even though our doctors are. Lawyers can make a pretty good living helping people abide by these policies.”

Another issue is relations between covered and noncovered entities who work together. For example, a team physician in a private practice working with a noncovered athletic department will need to communicate with the school’s athletic trainers. The physician’s disclosure of information about players he or she is treating would be restricted, says Squeglia, but the athletic trainers are not. If the physician discloses information to the athletic trainers do they then become covered entities?

Webster says his committee took these concerns to HHS and had their fears largely resolved. HHS clearly stated that protected health information can be disclosed for treatment purposes, Webster says.

“That allows the physician to call me and say, ‘Okay, Johnny sprained his knee, and he needs ice, exercise treatment, et cetera,’ and that’s fine,” Webster explains. “If I’m not a covered entity under the privacy rule, he can still give me that information, and then the HHS enforcement stops at that point, allowing me to discuss this information with a coach.

“The release of the private health information [PHI in HIPAA lingo] for treatment purposes was a key clarification,” Webster continues. “Our receiving the information does not make us covered entities by definition. That was our fear: By us receiving information, we might become covered entities, and have to sit on that information and not disclose it.”

But a noncovered entity still has no restrictions on what he or she can say, according to Squeglia. “They are free under HIPAA to use or disclose that information however they want,” she says. “HIPAA simply doesn’t cover them.”

However, David Jones, ATC, Director of Sports Medicine at Jackson Hospital in Montgomery, Ala., and a member of the NATA Governmental Affairs Committee, is advising the athletic trainers he supervises and other athletic department staff to be careful just the same. If information passed from the physician to the athletic trainer to the coach consists of more than a treatment plan, and it becomes headline news, the physician could be called on it. Mainly to protect the team physician, an athletic trainer may want to be careful not to broadcast any athlete’s health information. Or, if an athletic trainer wants to discuss an athlete’s injury with a coach, the two should be careful to keep the conversation private.

“We’ll definitely be educating our athletic trainers on what we are interpreting as being reasonable and just in releasing information to a coach,” says Jones. “And the coach needs to realize that he doesn’t need to spread everything out among the entire team, the parent-teacher organization, and everyone else. Technically, it’s all going to boil down to, outside the athletic trainer, coach, and athletic director, no one really needs to be saying anything to anybody.”

Another relationship HIPAA may affect is those with business associates. A commonly cited example in athletic training is a brace manufacturer who needs details about individual athletes to make its custom braces. HIPAA requires covered entities to get written assurances from business associates that they will not misuse protected health information and will help the covered entity meet its privacy obligations. If these agreements are properly made, HHS does not plan to prosecute covered entities whose business associates violate the HIPAA privacy rules, says Webster.

At Kentucky, staff lawyers have been taking inventory of vendors who might get protected health information from the university and deciding whether agreements are needed, Webster says. “The vendors are aware of what’s coming and taking measures to comply because they know they could lose business,” he adds.

While it’s important for athletic departments to understand the nuances of covered entities, some are choosing to bypass the restrictions by asking student-athletes to sign an information-release form. “You simply get a signed authorization from a player that authorizes the treating healthcare provider, the physician or whoever it is, to disclose the information to the coach,” Squeglia says. “And with that, it’s permissible. Once that information has been released to the coach, it is no longer protected under HIPAA.”

A HIPAA-release form need not be complicated, but the law does set forth some requirements for it to be valid, Squeglia says. First, it must have an expiration date—no one can talk about a person’s condition forever. How long it can last isn’t specified in the law, but lawyers believe one sport season or one year is reasonable. Under earlier interpretations, the NATA Governmental Affairs Committee had recommended members get authorizations for each injury, but Webster says HHS officials have since affirmed the validity of blanket long-term authorizations.

Second, the authorization should be specific about who may disclose information. “You can name more than one person,” Squeglia says. “You can name the treating physician and the hospital emergency room, but you have to specifically designate by person or at least by type of person who is authorized to disclose the information. You also have to state who the information can be disclosed to. Then you have to specifically describe the information.

“So a valid authorization might say something like, ‘My treating physician, Dr. Mike Smith, is authorized to disclose information regarding any injuries I might receive during the course of the season, as well as my general fitness to play, to my coach or any designated member of the coaching staff,’” explains Squeglia.

Other required points include a stipulation that the student-athlete cannot be denied treatment for refusing to sign, and notice that if the information is disclosed to a non-covered entity, such as a coach, it may no longer be protected under HIPAA, Squeglia says. The form must also explain that the athlete has a right to withdraw his or her consent, which is to be done in writing.

However, HHS has also said that schools can require athletes to sign the form in order to be allowed to participate. “What they’re suggesting with athletes is making play contingent on the release of information,” explains Webster. “Then, if the athletes choose to revoke, they’re choosing not to play.

“It goes back to what we do now,” Webster continues. “In August, we have athletes sign an authorization to release this information, but if they choose to revoke it, then they choose to not be on the team. It can be that basic.”

The task of dealing with HIPAA won’t end with well-written release-of-information authorizations, however. Even at organizations not specifically subject to the privacy rules, discussions about HIPAA have made people aware of other restrictions on releasing student-athletes’ medical information.

For instance, student-athlete medical records are generally covered by the Federal Educational Records Privacy Act (FERPA), which forbids unauthorized release of most student information. In many states, parental-consent laws also govern what medical information about minor student-athletes can be shared. And some state medical-privacy laws are more strict than HIPAA.

Aside from laws, many sports medicine professionals are considering how student-athlete medical information is handled as an ethical issue due for more thoughtful consideration. “In our profession, we may not be as diligent as we could be, so it’s probably a timely thing for us to readdress,” says Webster.

This may mean changes in culture and operations. For example, athletic trainers at the University of Tennessee used to simply get a verbal okay from student-athletes before discussing injuries with the sports-information staff—information that was then forwarded to the media. But now the authorization is a written part of the medical notes that athletic trainers maintain, and care is taken to be specific about what will be said and to whom, says Jenny Moshak, MS, ATC, CSCS, Assistant Athletic Director for Sports Medicine in the Tennessee women’s athletic department.

When a basketball player was hurt in the closing minutes of a tournament game in November, Moshak got the okay from the athlete to give an injury briefing to a radio reporter. But when two print reporters questioned her a few minutes later, Moshak says she asked again.

“A lot of it is heightening the conversation and the communication, and just checking and double-checking, ‘Is this okay?’” says Moshak. “We haven’t been turned down yet by a player. But there’s a trust that a lot of our athletes have with us, and I don’t think we’ve ever broken that trust regarding the media. We’ve reiterated, case-by-case, asking the players, ‘This is what we’re going to tell the media. Is this okay?’”

Prudence is demanded for other reasons. Jones recalls a scene a few years ago in a hospital emergency room where the father of a high school NBA prospect demanded secrecy over the exact nature of his son’s knee injury. “He brought in our orthopedic doctor, the nurse, the ER physician, and me and said, ‘I know what the laws are. And nothing can leave this room. I don’t want you even telling the high school coach. And if it comes out, I will take you to court on the basis that you hurt this boy’s chances of earning millions of dollars.’

“Here’s a kid who wasn’t even going to be around in another year,” Jones continues, “yet I have a long-term relationship to worry about with an athletic director who was there before this kid was there, and who’ll be there long after this guy is gone. Still, I couldn’t tell anything to the athletic director.”

Athens (Ohio) High School Athletic Director Pat Murtha says he expects to explain HIPAA rules to parents at the beginning of next season and to include a release for parents to ensure that the coach can be filled in when injuries happen. He and the school’s athletic trainer will also have an in-service explaining HIPAA and other medical-privacy concerns to coaches. “The biggest thing is educating the coaches, the kids, and the parents,” Murtha says.

Zappala sees more mundane issues. For instance, athletes’ files should be kept in locked drawers in rooms with controlled access.

“The days of having notes out on the table when you’re doing treatment are over,” he says. “You can’t have the athletes reading other athletes’ files because it’s personal information. You also have to recognize the difference between a football player asking a field hockey athlete, ‘How’s your knee,’ and the football player asking the athletic trainer, ‘How’s her knee?’”

For Zappala, it all points out that a person’s private health information should be respected and handled for the precious commodity it is. “Whether we’re determined to be a covered entity or not, we’re all going to adjust what we do to protect the confidentiality of medical and health information regarding our athletes,” Zappala says. “That doesn’t mean that it can’t be released, just that we’re going to need their permission to release it. It’s not that hard, but you need to set up procedures to allow that to happen. We will live and learn, and then it will just become another part of our job.”

Web Resource
For more information on determining if your organization is a covered entity, check out the Department of Health and Human Services’ online tools at

Sidebar: Educating Athletes

Before asking student-athletes to sign a HIPAA release form, you must educate them about what they are authorizing. At Hofstra University, Head Athletic Trainer Rick Zappala, ATC, has found it equally important to clearly outline with athletes the pros and cons of not signing release authorization forms. He feels many overlook the cons, which can be serious.

For one thing, details of injuries and the nuances of prognoses are easily lost if sports medicine professionals are cut out of the communications loop. “I’ve had athletes walk out of the doctor’s clinic and go see their coaches,” Zappala says. “Then the coach comes to see me and says, ‘The athlete just came to see me and said the doctor said this is what they have.’ And I respond, ‘Well, I was in the room, and I didn’t hear the doctor tell them that.’ And many times, that misinformation also goes to the media.”

Athletes with aspirations for the next level of play may want the seriousness of their conditions withheld. But Zappala points out that, in many cases, openness about injuries can be in an athlete’s long-term best interest.

“We had an individual who did not perform up to most people’s expectations this year, and the truth is that there was a series of injuries that affected this person’s performance,” he says. “The athlete did not want that information released, so it appeared that he was having a lousy year, when in reality he was fighting through injury.”

In addition, athletic trainers can clear up misperceptions about an injury before rumors spread. For instance, a “knee injury” may often be interpreted as a torn ACL, though the condition may be found less serious after tests that can’t be done on the sidelines. “If I report an injury, I always say that we’re scheduling an MRI and there will be a follow-up appointment afterward where we will confirm the diagnosis,” Zappala says.

“It’s certainly not for me to tell someone that they should release information or not release information,” Zappala says. “But you’ve got to let them know what the pros and cons are, and let them make the decision.”