Jan 29, 2015Pre-Show Primer: Understanding HIPAA
No administrative topic has caused more confusion in the healthcare field over the past decade than the Health Insurance Portability and Accountability Act (HIPAA). Since taking effect, this law has caused many athletic departments to rethink the way they share and manage information–and some are still sorting through exactly what it means to them.
If you’re among the many athletic trainers who need help grasping HIPAA, you’ll want to attend “Understanding Both Sides of HIPAA and FERPA” (the latter refers to the Family Educational Rights and Privacy Act). This presentation is part of a three-part session entitled “Staying Ahead in the Complex World of the Secondary School Athletic Trainer,” offered on Thursday, June 24, from 9:15 a.m. to 11:15 a.m.
Last year, T&C covered HIPAA’s impact on the athletic training community. Here’s some of what we learned about how schools, athletic departments, and individual athletic trainers can help make sure they stay on the right side of the law and keep their athletes’ private health information secure:
Out of 400 complaints filed in the first few years of the law, the only court cases have involved identity theft or selling patient information for personal gain. Maren L. Calvert, an attorney who specializes in medical malpractice and healthcare compliance. calls those examples “the most egregious violations.” That’s a long way from prosecuting an inadvertent mistake by an athletic trainer. But in a new twist, lawyers have begun to argue that by failing to follow the standards of HIPAA, physicians can be sued for malpractice.
Could athletic trainers be sued, too? According to Calvert, without any trial precedents, it’s too early to know. “In a couple of cases where doctors haven’t satisfied HIPAA standards, lawyers have filed suits claiming that’s a failure to meet the standard of care,” she says. “It’s a way they can sneak HIPAA through the back door, and there’s nothing that precludes attorneys from doing that.”
The best defense for satisfying HIPAA, says Keith Webster, MA, ATC, Administrative Head Athletic Trainer at the University of Kentucky, who served as Chair of the NATA Governmental Affairs Committee when HIPAA was enacted, is to conduct an annual review of your compliance procedures, focusing on privacy and security and beginning with your athletic training room. Are student-athletes able to speak confidentially in your office? Or is it impossible to have a conversation without other people overhearing?
“You need to take prudent measures to protect patient privacy,” says Webster. “If you’re at a clinic, that could mean adding a partition at the receptionist’s window, or moving the registration desk a little farther away from the waiting room seating.
“The law doesn’t tell you to build a wall across your athletic training room, because that would be unreasonable,” he continues. “But you can still take steps to show your intention of protecting student-athletes’ privacy and security. Until a legal precedent has been set, we need to be very concerned about demonstrating our intent.”
It’s also important to review the completeness of your records. Do you have up-to-date authorization forms on file for each student-athlete? Have they been properly filled out? If not, it’s important to secure that documentation to remain in compliance with the law.
Schools are responsible for establishing safeguards for storing information in both electronic and paper form. “It’s not okay to have patient files and folders sitting out on a desk where anybody can see them,” says Calvert. “If you place paper records in a high-traffic area, you’re not adequately protecting that information, and you’re likely to end up with an inadvertent disclosure. To be safe, store student-athletes’ medical records in a locked file cabinet or a locked room that you control access to.”
For concerns about keeping your electronic records secure, Calvert advises talking to your school’s information technology (IT) professionals. “The IT department is usually in charge of electronic security, because they have the greatest understanding of the technology that’s involved,” she says. “They’ve already looked at these issues from an institutional perspective, and rather than trying to reinvent the wheel, you should capitalize on the work they’ve already done. In most cases, they already have IT security policies in place, and you can simply make sure your department procedures are woven into those existing policies.”