Honing in on HIPAA

Forms. Jargon. Red Tape. Lawyers. The Health Insurance Portability and Accountability Act can be a headache—but it can also help you serve your student-athletes better.

By David Hill

David Hill is an Assistant Editor at Training & Conditioning. He also

Training & Conditioning, 14.3, April 2004, http://www.momentummedia.com/articles/tc/tc1403/hipaa.htm

Eighteen months ago, the talk of the athletic training world—and much of the health care world, for that matter—was about the Health Insurance Portability and Accountability Act. The federal law’s provisions guarding the confidentiality of individuals’ medical records were about to kick in, triggering a new way of working for most practitioners, or so the conventional wisdom had it.

One result: Athletic trainers got in touch with their lawyers.

"How has HIPAA affected me? I’ve probably talked to our legal counsel more this year than I ever have before," says David Polanski, MS, ATC, Head Athletic Trainer at the University of Tulsa.

A year after the April 14, 2003 effective date of the privacy regulations, many athletic trainers are still wrestling with HIPAA. They call it an administrative burden, a pile of paperwork, an intimidating morass that hangs the threat of legal action over their heads. It’s created confusion, with interpretations seeming to change week to week. A colleague in one setting seems to have it figured out, only to learn such an interpretation might be critically flawed.

And yet there are athletic trainers who have conquered HIPAA instead of the other way around. They’ve taken it in stride, dealt with whatever changes in policy and procedures it might have dictated, and gotten others they work with—athletic directors, coaches, student-athletes, parents—on board with them. Some even credit the law with improving their work. In this article, we’ll talk with those members of the profession who are hip to HIPAA.

Conquering the Confusion
For nearly two years, Keith Webster, MA, ATC, Administrative Head Athletic Trainer at the University of Kentucky, has been at the forefront of helping the profession deal with HIPAA. As Chair of the National Athletic Trainers’ Association’s Governmental Affairs Committee, Webster has been in frequent contact with the U.S. Department of Health and Human Services (HHS), the arm of Washington responsible for administering the law, which was intended to standardize electronic management and sharing of individuals’ medical information, curb abuses of the data, and make health insurance easier to obtain and maintain when workers switch jobs.

It was Webster who met with HHS officials in early December 2002 to speak specifically about the effects of HIPAA’s privacy rules on athletic trainers, and who came away with the message that it may not be all that difficult to cope with. Yet early this past January, Webster was in Philadelphia for a meeting of the Eastern Athletic Trainers’ Association and found several hundred athletic trainers seeking clarifications.

"One of the reasons it remains confusing is because it hasn’t been tried in court to get some legal precedent," says Webster. "Until there is some legal precedent, even lawyers will vary with their interpretations. Lawyers don’t like working without precedents to hang their hat on. We’re still in that gray area of everyone interpreting it differently and doing the best they can to comply with the way they read it."

Webster says HHS reports 3,100 complaints filed over HIPAA through mid-January, mostly under the privacy rules. While HHS has forwarded some cases to the Department of Justice for possible prosecution, there have yet to be any fines or penalties imposed. The leading type of complaint, he adds, was from patients who don’t have access to their own personal medical records—one of the main reasons the privacy rules were established—and not over mishandling of records by health care professionals.

Webster understands the confusion. HIPAA’s privacy rules are complicated, at times arcane, and border on being contradictory. At the core, any organization must follow the privacy rules if it is a covered entity, the term for an organization or person that conducts electronic transactions of medical records. Transactions can be billing, payments, authorization for services, certification of referrals, benefits coordination, eligibility determination, and checking on the status of claims. Thus, covered entities include most doctors’ offices and group practices, hospitals, health-insurance companies, claims clearinghouses, and medical-practice management companies. But the law doesn’t spell out every scenario, and it’s up to each organization to determine whether it is a covered entity. Most ask their lawyers to decide.

For example, the University of Oklahoma’s athletic department considers itself a covered entity because it has hired an outside company to help with billing. "We really don’t do any in-house submitting of claims, per se. But we do contract with a practice-management firm that does submit some claims on our behalf, and that’s the primary reason we have to be HIPAA-compliant," says Scott Anderson, ATC, Head Athletic Trainer at Oklahoma. "We deal with them electronically. Outside of that, HIPAA would probably have no bearing on us whatsoever."

At Tulsa, the question is still open. But to be on the safe side—and because it’s the right thing to do, regardless of federal laws—the sports medicine department has taken some HIPAA-compliance steps, anyway, Polanski says. Student-athletes are told what their private health information is and that they have the right to file complaints over its handling. They’re also asked to fill out release-authorization forms.

"I don’t think we are totally 100 percent positive which entity we are, covered or non-covered," Polanski says. "We’re treating ourselves as a covered entity just to be safe. But if the government keeps reviewing things and we find out later that we’re not, then we’re not. Our legal counsel thinks maybe things will change."

Guarding PHI
Covered entities must take certain steps to guard against improper disclosure of personal health information—PHI in HIPAA jargon. Among them are designating an employee its privacy officer, having staff training on safeguarding identifiable PHI, and making sure that business associates only receive PHI when there is a legitimate reason and do not misuse that information. That last clause means that covered entities must take steps to ensure that any non-covered entities they regularly deal with will reasonably safeguard the information before PHI is shared. Thus, doctors, hospitals or other providers who are covered will want to be sure sports medicine departments with which they work will safeguard patients’ health information. That means the sports medicine department will have to follow many HIPAA-style safeguards whether it’s a covered entity or not.

The privacy rules allow for PHI to be disclosed for certain purposes. Billing is an acceptable reason. More importantly for athletic training, so is treatment. Thus, a head team physician is free to discuss a case with a consulting orthopedic surgeon, for instance. Athletic trainers, too, are in the loop, as are coaches, since they have say over practice and playing time, which are important to an athlete’s recovery, Webster says.

Others are not so sure about including coaches, however, and this is a major source of potential confusion. The rule says that release of PHI for treatment purposes to an authorized provider is acceptable, says Webster, but that definition of "authorized provider" is left open to interpretation.

"Someone could interpret it to mean that the person providing care needs to be a licensed provider of care," Webster says. "The doctor talks to another doctor—that’s fine because they’re both licensed to practice medicine. But some people will ask, ‘Can a coach or someone who isn’t a certified or licensed provider be considered a health care provider?’ I would say yes because the coach is a member of that health care team at some point in time."

Another gray-area situation Webster has encountered concerns clinic-based athletic trainers who provide outreach to high schools. "They’re almost wearing two hats," Webster says. "When they’re in the clinic, for all intents and purposes, they do billing, and they fall under the category of covered entity and they must abide by HIPAA. When they work at the school with students, they’re usually not a covered entity, but then they need to abide by a different privacy policy instead of HIPAA."

The other privacy policy to which Webster refers is FERPA, the Family Educational Rights and Privacy Act, which limits disclosure of students’ individual educational records by any institution receiving federal funds—basically all schools, colleges, and universities, though some private high schools aren’t covered. FERPA has been widely interpreted to supercede HIPAA for public high schools. At colleges and universities, however, it might not, because medical records may or may not be considered part of each students’ educational record, depending on the practices at a particular institution.

The FERPA-HIPAA boundary is a major reason Polanski has gotten to know Tulsa’s legal staff. "They’re telling us that the FERPA laws are in effect and they already cover student records," he says. "They’ve told us our records in sports medicine are student records—they’re medical records, yes, but they’re also student records. Basically what that means is that we’re going to comply with whichever law is more stringent in whichever facet of operations we’re looking at.

"So say there’s some information requested," Polanski continues. "If FERPA would release it but HIPAA wouldn’t, we won’t release it. Or if HIPAA says it’s okay but FERPA says it’s not okay, we won’t release it."

For many schools, the solution to all the disclosure questions is to ask student-athletes to release their PHI. At both Tulsa and Oklahoma, for example, student-athletes sign forms authorizing release of their PHI under certain circumstances, to certain people, for certain purposes. This is Webster’s key take-away advice: Get the okay to release information when needed, and then which law governs isn’t really an issue.

"I recommend everyone use a well-worded authorization-to-release form," Webster says. "It’s just informed consent. Instead of saying, ‘It’s education records and under FERPA,’ just spell it out, and make your authorization form the key tool that allows for all the communication to take place."

An authorization form must contain a few key points, according to Elizabeth Squeglia, JD, a HIPAA expert with the Columbus, Ohio, law firm of Bricker & Eckler. First, it needs an expiration date—in college and high school athletics, this is typically one sport season or an academic year. Second, it should state the person or class of people the information will be released to, such as doctors, emergency-room personnel, athletic trainers, coaches, administrators at the school, and media, if necessary. Third, it should say that no one will be denied treatment for not signing—though it can be made a condition for participation. Fourth, it should include notice that authorization to release can be revoked but only through writing. Finally, it should explain to student-athletes that if information is disclosed to a non-covered entity, it is no longer protected under HIPAA.

Making It Work
The beauty of a well-written, correctly executed release-authorization form lies not just in the paperwork, but in the act of getting it signed. The process works internally by reminding athletic trainers and other practitioners of the confidential nature of personal health information, but it also shows your student athletes—and others—that you are aware of the need for privacy and will handle medical information properly.

That’s what happened at the University of Missouri, says Rex Sharp, ATC, Head Athletic Trainer for Tiger sports. Going through the HIPAA education process reiterated the privacy of student-athletes’ medical records and the importance of sharing the information only when necessary.

"We already had a general release-of-information form, but we had to be a little bit more specific," Sharp says. "It’s not our policy to talk about injuries, anyway, but it’s made us more aware of confidentiality."

Anderson says Oklahoma’s adoption of HIPAA rules was relatively painless, thanks to help from the university-wide office set up to comply in all operations (many human resources offices must follow the rules because they deal with health-insurance claims as employees’ benefits administrators). Much of the work involved helping the compliance office understand what athletic trainers do, he says. It hasn’t been a burden on the staff or student-athletes, but the process did uncover some room for improvement.

"The biggest adjustment has been the physical protection of the information," Anderson says. "We talked about facilities and logistics, in terms of protecting the files and the records. For example, we make sure the X-rays aren’t left here, files there, those general types of issues."

Covering Your Bases
Many people agree that there’s one good thing that’s come out of the new regulations—it’s forced everyone to examine how they handle personal health information. Then it becomes a matter of finding the guidelines that are most appropriate for each situation, be they HIPAA, FERPA, or more of a reliance on authorization forms.

Dennis Helwig, ATC, Head Athletic Trainer at the University of Wisconsin, says he sat in on university-wide meetings about HIPAA compliance and learned his department wouldn’t be a covered entity and that FERPA governs student-athletes’ medical records on his campus. But the process raised his awareness of FERPA’s requirements and the general handling of confidential medical information, he says.

"Awareness of HIPAA has certainly brought out the existence of FERPA and the concept that the student-athlete you deal with is in charge of their private information. If you go from that premise, everything falls in line and makes sense," Helwig says.

The process also helped the Wisconsin sports medicine department become better prepared for sharing information with outside medical providers who are covered entities. "When our athletes go outside of our university providers, they now have a set format for authorizations," Helwig says. "You don’t just call up the athlete’s physician and say, ‘Hey, I’m the athletic trainer at State University and I need to know what’s going on with Johnny’s knee.’ That’s not going to happen, and shouldn’t have happened before. You need to have the proper format to get that information."

HIPAA’s privacy rules say that authorization forms have to specify what information is going to be released, to whom, and for what purposes. It’s much more detailed than FERPA regulations, Helwig says, but following the HIPAA rules helps ensure that FERPA is followed as well.

Like Wisconsin, Miami (Fla.) Country Day School also does not consider itself a covered entity. However, Theresa Belesky, LAT, ATC, Athletic Trainer, still has student-athletes’ parents sign a release-authorization form. She says it helps her feel her bases are covered, and it serves as a talking point for helping to educate coaches—who have turned out to be a little harder to acclimate to the idea of medical privacy than parents, doctors, and athletes themselves.

"I’ve had more flak from the coaches about the release form than anyone else," Belesky says. "They’ll say, ‘What does it mean? Are you not going to be able to tell me anything about an injured student?’ I tell them, ‘That’s not the case. It’s just that you need to know that because the parents have signed this, they’re allowing me to talk to you. Therefore, you can’t go and talk to some other parent or somebody else.’ It was just a matter of educating my coaches as to how this all worked."

Belesky adopted the release-must-be-signed policy at the recommendation of the NATA and modeled her form after one shown to Florida athletic trainers by David Jones, ATC, Director of Sports Medicine at Jackson Hospital in Montgomery, Ala., and the Southeastern representative to the NATA Governmental Affairs Committee. "I was kind of surprised to hear our lawyer say it wasn’t really necessary," Belesky says. "But to be safe, we’re doing it anyway. My school is very expensive and we have lawyers’ and doctors’ children here. It would be very easy for someone to misconstrue something or take something the wrong way."

Requiring such forms shows an athletic trainer’s professionalism toward personal health information, says Webster, and can put parents and others at ease—especially important as more people encounter HIPAA notices when they visit their own medical providers. "If parents think providers aren’t taking the same care to protect the medical information of their son or daughter, they’re bound to ask more questions," Webster says. "It should make the parents or the adult athletes less leery as to where their records are going and for what purpose. Obviously, there’s more to HIPAA than that, but to me, that’s the gist of it."

Sidebar: Media Concerns
Many coaches and athletic administrators complain that HIPAA has caused confusion when relating student-athlete injuries to the media. That’s hardly the main concern for athletic trainers, but it can create some of the biggest headaches. There are, however, ways to cope, and there may even be a silver lining in the media-release cloud.

At the University of Wisconsin, for example, the sports medicine department’s review of its policies relating to HIPAA and FERPA (the privacy law for educational institutions) raised awareness that student-athletes should be in charge of the information about their injuries and rehabilitation, says Dennis Helwig, ATC, Head Athletic Trainer. In the past, student-athletes would sometimes read or hear about their conditions in the media and complain that they didn’t realize so much detail would be made public. When told they’d signed an authorization for it, many athletes said they didn’t realize they had given such broad permission. Wisconsin has since revisited its media injury-reporting policy.

"I don’t think there was an awareness by coaches and administrators about the privacy of student-athletes’ information," says Helwig. "So there would be casual conversation about how so-and-so is doing, and things appeared in the newspaper that athletes had no knowledge were going to be there. We have tightened that up, which has really benefited the athletes.

Badger student-athletes said that the public really needed to know only the fact that they were injured and what body part was involved, says Helwig. So now, if journalists want to know more, they’re told to ask the student-athletes directly. And sometimes, the athletes then authorize sports medicine and sports information staff to say more so the student-athletes themselves aren’t inundated with interview requests. "We have a specific authorization for that, and the athlete knows what you’re going to say, and it’s fine—all above-board and all accounted for," says Helwig.

The University of Tulsa at first stopped releasing injury information to the media, but has since asked student-athletes what they want and adjusted policy for specific scenarios, says David Polanski, MS, ATC, Head Athletic Trainer. For example, on the football team, about 10 players didn’t sign the release. But the coaching staff didn’t want to have to keep track of which players had given authorization and who hadn’t, so they decided not to release any injury information.

"A lot of the media members said they’d checked into HIPAA and told us we can release injury information," says Polanski. "We said it wasn’t because of HIPAA that we didn’t release it, but because the players don’t want it released. So we had to do a little education with the media."

Sidebar: Sample Forms
The following are links to two sample student-athlete authorization forms:

Miami Country Day School:

University of Oklahoma Department of Intercollegiate Athletics: