Jan 29, 2015
A Private Matter: HIPAA and your athletic program
If you understand HIPAA, there’s no reason it should be a barrier to athletic training communication, a source of administrative headaches, or a cause to fear legal action.
Six years after taking effect, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule still confuses athletic trainers, coaches, administrators, and even lawyers. That’s not surprising–after all, the federal government’s “administrative simplification” exceeds 100 pages. But over time, as athletic trainers have scrambled to make sense of it, the outlines are becoming clearer.
The Privacy Rule was created primarily to establish national standards for protecting the privacy and security of patients’ medical records. It was never intended to affect the care athletic trainers give their patients or complicate the work of healthcare providers. But even before the legislation was implemented, that’s exactly what happened.
Across the country, high school and college athletic trainers worried about disclosing information to just about anybody. If a football player was injured during a game, what could they tell his coach? What could they tell the athletic director? What could they tell his parents? When a reporter called asking about an injury, what should they do?
“In an effort to protect privacy, the earliest drafts of HIPAA were very restrictive,” says Keith Webster, MA, ATC, Administrative Head Athletic Trainer at the University of Kentucky, who served as Chair of the NATA Governmental Affairs Committee when HIPAA was enacted. “The first version we saw would have required student-athletes to sign a release before a doctor could talk to their athletic trainer, and continue signing releases every step of the way. It was clearly going to be a roadblock to providing healthcare for our patients, and it was very scary.”
The NATA voiced its concerns about the burdens HIPAA could place on athletic trainers. Lawmakers listened, relaxing some of HIPAA’s restrictions and clarifying their intentions. They made it clear they wanted to encourage healthcare providers to communicate freely with athletic trainers about the patients they treat without compromising important protections. Their motive in drafting the legislation was ensuring that patient data wouldn’t be stolen or sold, and that outsiders wouldn’t have access to personal health information without a patient’s permission.
In practice, the Privacy Rule has been much easier to navigate than athletic trainers initially feared. Still, the problems haven’t completely disappeared, and as Congress continues to refine HIPAA, athletic trainers are keeping a close watch.
When Congress passed the American Recovery and Reinvestment Act of 2009, commonly called the economic stimulus bill, the rules for HIPAA changed again. New measures included a charge for violations due to “willful neglect,” a $100 fine for minor offenses, a broader application of criminal penalties, and a provision granting patients the right to sue for damages.
“If your school is covered by HIPAA, now is the time to get much more serious about following the rules,” says attorney Maren L. Calvert, who specializes in medical malpractice and healthcare compliance. “With the stimulus bill, the regulations grew stricter and the penalties more onerous. And even though athletic trainers aren’t responsible for creating institutional policy, they’re the ones responsible for protecting their patients.”
After the dust settled, it became clear that HIPAA would not change the way most athletic trainers worked day-to-day. After all, many had long been working under another set of federal rules governing the release of student information–the Family Educational Rights and Privacy Act (FERPA), which was enacted in 1974.
FERPA was designed to protect the privacy of “educational records,” which were broadly defined to encompass most student health and medical information kept by an institution. To help fulfill the school’s educational mission, athletic trainers are employed by an athletic department, housed in an athletic department facility, and given responsibility for treating student-athletes. As long as they don’t bill students for services or provide treatment to non-students, they’re governed by FERPA.
The HIPAA Privacy Rule only applies to “covered entities,” which the act defines as health plans, healthcare clearinghouses, and healthcare providers who transmit information electronically. And even for those entities, the Privacy Rule only governs “covered transactions” involved in the billing process, including requests for payment, certification of referrals, benefits coordination, claims for authorization, eligibility determination, and inquiries into health plan coverage.
In practice, the term “covered entities” does include athletic trainers working in hospitals, health centers, sports medicine clinics, and physicians’ offices. And athletic trainers who work for university hospitals, which treat anyone who walks through the door, generally follow HIPAA as well. It can also apply to athletic trainers at campus medical centers, who treat faculty and staff alongside students and student-athletes. Athletic trainers employed by private schools that electronically bill for services are generally considered covered entities.
Athletic trainers employed by covered entities can be contracted to provide healthcare at a public secondary school, where they would follow FERPA guidelines. If they split their work week, they’d follow HIPAA when they’re treating patients in the clinic and FERPA when they’re providing outreach at the school. Theoretically, two athletic trainers–one employed by the FERPA school and the other by a HIPAA hospital that bills per patient service–could work side by side at a high school football game, perform the same tasks, and fall under different privacy and security rules.
Hybrids exist at the college level, too. At Kentucky, which considers athletic trainers part of a FERPA academic institution, there’s also an on-campus HIPAA-governed medical center where student-athletes are referred for treatment. At Princeton University, which primarily follows FERPA, athletic trainers are formally employed and administered by the HIPAA-governed University Health Services, which houses all health records.
Whether your practice is governed by HIPAA boils down to two questions: Do you bill patients or health plans for the care you provide to student-athletes? And do you process those bills electronically? If you answered yes to both, you’re most likely a covered entity. If you answered no to either, you’re probably not.
How can you be confident about whether you’re supposed to follow HIPAA, FERPA, or both? “As an athletic trainer, if you feel concerned about HIPAA or FERPA, don’t take this question on yourself,” says Calvert, an associate attorney at the Honolulu law firm Alston Hunt Floyd & Ing and a consultant with the Hawai’i Athletic Trainers’ Association. “Because there are multiple levels of legal analysis, this is really an institutional question. The first thing to do is talk to your administration–it’s their job to figure out the athletic trainer’s responsibility. Get them involved in whether you fall under HIPAA or FERPA, find out which rules your institution follows, and ask what you need to do to fully comply.”
“First and foremost, athletic trainers need to know what rules they are supposed to follow,” agrees Jon Almquist, ATC, Fairfax County (Va.) Public Schools (FCPS) Athletic Training Program Administrator, who testified before Congress in 2007 about the problems facing athletic trainers due to HIPAA and FERPA. “It’s critical to understand the situation you’re in and confirm what you are and aren’t allowed to do.”
At FCPS, help from legal counsel has made the rules clear, and communication flows smoothly between athletic trainers, coaches, and administrators. “If you’re employed by the school district, there’s no problem sharing a student-athlete’s medical information with another school employee, as long as you have a common responsibility for providing care,” says Almquist. “For instance, a teacher can’t go to another teacher and say, ‘So-and-so has such-and-such an injury.’ But athletic trainers, who are responsible for the care of athletes, can talk to coaches and athletic directors, who are responsible for providing a safe, healthy environment for their players.”
For Almquist, who oversees 25 high schools and 50 athletic trainers, including many who work under contract through local medical practices, the difficulties with HIPAA come when athletic trainers reach outside the system. In providing care for student-athletes, athletic trainers often request records from medical practices that misinterpret the law and refuse to supply information.
“If you look at the nuts and bolts of HIPAA, there’s nothing to restrict communication between healthcare providers who are treating a common patient,” Almquist says. “Both providers share an interest in caring for their student-athletes. But in practice, HIPAA can sometimes restrict communication, rather than truly protect it.”
“Some people have attempted to use HIPAA as a shield, limiting the flow of information between healthcare providers, which is not the intent of the law,” agrees Calvert. “HIPAA isn’t supposed to make the practice of medicine more difficult.”
Closing the communication gap
The sternest protections of HIPAA come when institutions are asked to disclose information beyond the immediate community of healthcare providers–especially to the media, which has no responsibility for patient care. How much should the public know about a student-athlete’s health? What can professional scouts be told without violating the Privacy Rule?
Release forms are the backbone of both HIPAA and FERPA, and can legally be required by schools as a precondition for participation. Without release forms, there’s very little information a HIPAA institution can legally disclose beyond the immediate healthcare community. But with properly written, attorney-approved forms, there’s virtually no limit to the authority an athlete can give a school to release information.
Some HIPAA release forms fit easily on a half page, while others fill five or six. Some forms are designed to be filled out once per disclosure, and others cover multiple disclosures over an extended period of time. Though the longer forms provide more detail for patients, bigger isn’t necessarily better.
Under HIPAA, says Calvert, any legitimate release form for disclosing information outside the circle of healthcare providers should include:
- The name of the patient.
- The names of the people releasing the information.
- The names of the people receiving the information.
- A meaningful description of the information being disclosed.
- The reason for the request to disclose information.
- A statement acknowledging the patient’s right to revoke the authorization.
- A statement acknowledging the provider’s ability to require the authorization as a condition for participation.
- A statement that once a patient has authorized the release of information, that information can be re-released by anyone for any reason.
- An expiration date or expiration event.
- The dated signature of the patient.
If the HIPAA release you’re currently using doesn’t include all the required elements, Calvert advises consulting an attorney for a second opinion. “A blanket authorization that says, ‘You can disclose my healthcare information to anyone’ won’t satisfy the requirements of HIPAA,” she says. “A release form has to follow a certain format, and if it doesn’t, the authorization is not legally valid.
“With the shorter release forms, I’d be concerned that all the requirements haven’t been met,” continues Calvert. “With the longer forms, where there’s more effort to educate patients, I’d be concerned about providing too much information. As an attorney, I advise institutions to keep the release forms as short as possible while including all the necessary details.”
Kentucky takes extra precautions by using a two-tiered system for disclosing information to the public. At the beginning of each school year, student-athletes fill out an authorization form. Then, in response to any outside requests over the course of the year, they fill out a second form with more specific information on what can be disclosed.
“The case-by-case forms are especially important when professional sports organizations ask for medical information,” says Webster. “To make sure we have all the documentation for both HIPAA and FERPA, we double up. Is that really necessary? Probably not. But we like the security of knowing there won’t be any surprises.
“In a similar way, when athletes come into our program, we ask their healthcare providers back home to fax a blank authorization form,” he continues. “The student-athlete signs it and we fax it back to the physician’s office. That way, we’re in compliance and the records can be released. It may seem overdone, but we’re following HIPAA very carefully, which is easier and safer than arguing we shouldn’t have to.”
At Princeton, where the athletic training department is formally administered by the FERPA- and HIPAA-governed University Health Services, there are two additional layers of protection. All media requests for student-athlete health information are funneled through university communications, which then forwards them to the sport coach. And after obtaining a signed release from student-athletes before the start of the season and an authorization after an incident, Princeton permits its coaches to disclose only the injured body part–not the diagnosis.
“For example, even in my coaches’ reports, all I write about an injury is ‘left knee,’” says Head Athletic Trainer Charlie Thompson, MS, ATC, who currently serves as Chair of the NATA College/University Athletic Trainers’ Committee. “If a coach asks, I may discuss the injury in a private conversation. But I don’t write ‘MCL sprain’ and I don’t provide any description of the actual pathology. According to our lawyers, that falls safely within HIPAA guidelines for protecting patient privacy.”
The best defense
FERPA and HIPAA have different kinds of penalties, but each can carry a high price. For FERPA schools, failure to follow the rules could lead to the institution losing its funding from the federal government. For HIPAA schools, lack of compliance could lead to lawsuits, monetary penalties, and strict requirements for notifying the people whose records have been compromised.
During the past six years, before a school could be prosecuted for violating HIPAA, a complaint had to be filed with the U.S. Department of Health and Human Services and investigated by the Office for Civil Rights. (Under the 2009 revision of the law, state attorneys general can also file suit.) But in the years since the law was enacted, Calvert hasn’t heard of a single complaint filed against an athletic trainer.
Out of 400 complaints filed in the first few years of the law, the only court cases have involved identity theft or selling patient information for personal gain. Calvert calls those examples “the most egregious violations.” That’s a long way from prosecuting an inadvertent mistake by an athletic trainer. But in a new twist, lawyers have begun to argue that by failing to follow the standards of HIPAA, physicians can be sued for malpractice.
Could athletic trainers be sued, too? According to Calvert, without any trial precedents, it’s too early to know. “In a couple of cases where doctors haven’t satisfied HIPAA standards, lawyers have filed suits claiming that’s a failure to meet the standard of care,” she says. “It’s a way they can sneak HIPAA through the back door, and there’s nothing that precludes attorneys from doing that.”
The best defense for satisfying HIPAA, says Webster, is to conduct an annual review of your compliance procedures, focusing on privacy and security and beginning with your athletic training room. Are student-athletes able to speak confidentially in your office? Or is it impossible to have a conversation without other people overhearing?
“You need to take prudent measures to protect patient privacy,” says Webster. “If you’re at a clinic, that could mean adding a partition at the receptionist’s window, or moving the registration desk a little farther away from the waiting room seating.
“The law doesn’t tell you to build a wall across your athletic training room, because that would be unreasonable,” he continues. “But you can still take steps to show your intention of protecting student-athletes’ privacy and security. Until a legal precedent has been set, we need to be very concerned about demonstrating our intent.”
It’s also important to review the completeness of your records. Do you have up-to-date authorization forms on file for each student-athlete? Have they been properly filled out? If not, it’s important to secure that documentation to remain in compliance with the law.
Schools are responsible for establishing safeguards for storing information in both electronic and paper form. “It’s not okay to have patient files and folders sitting out on a desk where anybody can see them,” says Calvert. “If you place paper records in a high-traffic area, you’re not adequately protecting that information, and you’re likely to end up with an inadvertent disclosure. To be safe, store student-athletes’ medical records in a locked file cabinet or a locked room that you control access to.”
For added security of electronic records, there are a few easy steps. If you keep patient records on your computer, add a password to prevent unauthorized people from accessing the information. Or instead of saving the information on your hard drive, save it to a thumb drive, which can be worn around your neck and stored under lock and key.
For maximum security, Calvert advises saving patient records on an encrypted thumb drive, which will protect the information even if the drive is lost or stolen. She suggests other technology-based solutions for secure record keeping as well–for instance, rather than transmitting information electronically, a school could create a Web site where healthcare professionals log in, enter a password, and gain immediate access to protected records. “That way, the information is never actually transmitted,” says Calvert. “It simply resides on the server and can only be accessed through two or more levels of authentication.”
For other concerns about keeping your electronic records secure, Calvert advises talking to your school’s information technology (IT) professionals. “The IT department is usually in charge of electronic security, because they have the greatest understanding of the technology that’s involved,” she says. “They’ve already looked at these issues from an institutional perspective, and rather than trying to reinvent the wheel, you should capitalize on the work they’ve already done. In most cases, they already have IT security policies in place, and you can simply make sure your department procedures are woven into those existing policies.”
As technology keeps evolving, regulations for safeguarding electronic communications will, too. This summer, the federal government plans to publish an updated set of guidelines for complying with HIPAA, and over the coming years, athletic trainers should expect more changes to the law.
Changes could also come in state regulations, which may be even more demanding than HIPAA. “Whatever the strictest rule is, that’s the one athletic trainers should follow,” says Patty Ellis, NATA National Manager of Markets and Revenues, who serves as the association’s point person on HIPAA and FERPA. “That offers the greatest protection for both the patient and the athletic trainer.”
When faced with questions about the safest course, Ellis refers athletic trainers to school attorneys and state athletic training associations. “Laws vary from state to state, so athletic trainers need to make themselves aware of which regulations apply to their own situation,” she says. “Through your state association, you can access up-to-date, local information. Seek advice from others, and if there’s legal counsel at your school, talk to them about what you should be doing to comply with the applicable rules.”
“If you have any questions about how HIPAA or FERPA affect you, always go to your school’s attorneys,” agrees Webster. “Their job is to protect the whole institution, including you, and to stay current on the laws that determine how you do your job. There’s a lot of uncertainty around HIPAA, because every attorney has his or her own opinion about what needs to be done. With that much inconsistency, the way your school attorney interprets the rules should determine how you act.
“As athletic trainers, we need to work proactively with our attorneys to stay on top of any developments,” Webster continues. “HIPAA has brought privacy and security to the forefront, and if we’re really committed to providing the best possible care, that’s where they should remain.”