SOSA - Sports Ophthalmology Society of the Americas

Education // Articles HIPAA Compliance in Athlete Care :: January 3, 2008

The recently adopted privacy regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) adopt a uniform standard for confidentiality of patient information. In many ways, HIPAA requirements are stricter than previous existing law.

The general rule under HIPAA is that patient identifying information is not to be used or disclosed except as permitted by the regulations. A health care provider may generally use a patient’s health information for purpose of the patient’s treatment, for purposes of collecting payment for services rendered, or for the providers internal management purposes of collecting payment for services rendered, or for the providers internal management purposes consistent with a proper notice to the patient of the provider’s privacy practices. The law also permits a number of specific disclosures that are otherwise required by law, but does not normally permit disclosure of a patient’s health information to his employer. In the case of a patient who is an athlete, this would mean that normally the patient’s health information cannot be disclosed to the organization he works for, to his coach, or to a trainer, unless that person can also be considered a “health care provider.”

Under HIPAA, a “health care provider” is one who provides medical or other health services under Medicare, “and any other person or organization that furnishes…health care in the normal course of business.” The team manager and the coach of course do not fit this description, but what about the trainer? While the trainer is arguably who “furnishes health care in the normal course of business,” it is not clear that the trainer’s role is in fact within the intent of the law.

The key here is that the disclosures are made in the presence of the patient. Otherwise, a written authorization from the patient will generally be required prior to any disclosure to coaches, managers, trainers and other team representatives. The term “authorization” has a special meaning under HIPPAA, and is different from “consent.” An authorization must be in writing and must include, among other things, a description of the information that will be disclosed, the name or identification of the persons authorized to receive the closure, a date or event that will mark the expiration of the authorization, and a statement of the patients right to revoke the authorization.

by Charles Key, J.D. – Memphis, TN