
HIPAA coverage for athletic medical staff

HIPAA applies to athletic medical staff when they work for covered entities, like hospitals, health centers, or sports medicine clinics that engage in electronic healthcare transactions. According to a study in Athletic Therapy Today, “The most important HIPAA rule for athletic trainers is the privacy rule, which protects patient health information.”

However, the situation is different for team physicians and trainers employed directly by sports organizations. In their role as team employees these medical professionals are not typically subject to HIPAA, because a professional sports team is not a covered entity and the relationship with the athlete exists in an employment context rather than a traditional healthcare provider-patient relationship. The same physician may still be a covered entity in another capacity, for example when treating the athlete at a private practice or clinic that bills electronically, and HIPAA applies to the records created there.

 

How athletic medical staff are defined under HIPAA

How athletic medical staff are treated under HIPAA depends on who employs them and what healthcare transactions that employer handles. HIPAA applies to covered entities: healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically in connection with standard transactions such as billing. Athletic trainers, physicians, and other medical personnel working in hospitals, clinics, or university health centers that bill patients or insurers electronically are part of a covered entity's workforce and must comply with HIPAA. For example, athletic trainers employed by a university hospital that treats the general public or processes electronic billing for student-athletes must comply with HIPAA.

For team physicians and trainers employed directly by a sports organization, the distinction arises because their role is tied to an employment relationship rather than a traditional healthcare provider-patient dynamic. Team physicians and trainers in these settings are considered agents of the employer, and the medical information they handle is treated as part of employment records rather than protected health information (PHI). A study published in the American Journal of Bioethics notes, “As a club employee, the success of the team physician may rely on the success of the team and his or her ability to keep players on the field, which may mean advocating for short-term gains at the risk of long-term consequences.” Athletes typically consent to share health information with their teams through contractual agreements, and where a covered entity holds the records, through a signed HIPAA authorization, so HIPAA's disclosure limits do not stand between the team and the athlete's medical information.

 

The balance between athletes' privacy and public demand

Athletes’ health information directly influences team performance, betting markets, and fan engagement. Public disclosure can lead to strategic advantages for opponents or financial repercussions for athletes. Withholding information risks eroding fan trust and transparency in multi-billion-dollar sports industries. In the absence of HIPAA, privacy in sports relies on contractual agreements and ethical codes. 

According to a study by Xiaoyu Li and Xinyan Guo published in Scientific Reports, “However, due to the powerful ability of big data technology to collect, store, and process data, ethical issues such as infringement of athletes' privacy rights and jeopardizing the security of sports data, as well as market issues such as illegal theft of sports data …” The extensive use of wearable sensors, video analysis, and AI-driven analytics allows for the collection of vast amounts of personal and performance data from athletes. This data can include biometric information, health metrics, and detailed performance statistics. While these technologies improve team strategies and player performance, they also create privacy risks. Athletes may feel that their personal data is being excessively monitored and potentially shared without consent.

Collective bargaining agreements (CBAs) in professional leagues often outline consent requirements for sharing health information with teams, sponsors, or media. However, these agreements tend to prioritize organizational interests over individual privacy. Collegiate athletes face further complexity: while the Family Educational Rights and Privacy Act (FERPA) protects educational records, HIPAA may apply if treatment occurs at a university health center that is itself a covered entity.

 

Examples of athlete patient privacy breaches

Jason Pierre-Paul's medical record leak

In 2015, ESPN's Adam Schefter tweeted a photo of Jason Pierre-Paul's medical chart, showing his finger amputation after a fireworks accident. This incident involved a potential HIPAA violation by the healthcare worker who leaked the information, as Schefter himself was not subject to HIPAA. Pierre-Paul sued ESPN, alleging privacy violations, and the case was settled out of court.

 

Ezekiel Elliott's COVID-19 diagnosis

In 2020, Ezekiel Elliott claimed that his COVID-19 diagnosis was leaked without his consent, sparking discussion about a possible HIPAA violation. However, his medical information was likely handled outside a traditional healthcare setting, by parties who were not covered entities, so HIPAA probably did not apply to the disclosure even though it was a clear breach of his privacy.

 

NFL Players' medical records theft 

In 2016, a laptop containing medical records of thousands of NFL players, spanning 13 years, was stolen from the car of a Washington Redskins athletic trainer. The laptop, which also held information from the 2016 Scouting Combine, was password-protected but unencrypted. Whether HIPAA formally applied depends on whether the trainer's employer was a covered entity, but the practical lesson holds either way: a login password is not encryption. Anyone who removes the drive can read the files, whereas full-disk encryption would have rendered the data unreadable, and under HIPAA's breach notification rule properly encrypted data that is lost or stolen is not treated as a reportable breach.

 

How to securely share athlete PHI

  • Use HIPAA compliant email services like Paubox that meet HIPAA standards, such as those offering secure encryption and business associate agreements (BAAs). This ensures that emails containing PHI are secure and compliant with federal regulations.
  • Implement electronic health record (EHR) systems that are HIPAA compliant, allowing for secure storage and sharing of medical records. These systems should include features like role-based access controls and audit trails to monitor data access.
  • Limit access to PHI based on the user's role within the organization. This ensures that only necessary personnel can view or modify sensitive health information.
  • Encrypt clinical reports and diagnostic images such as MRIs or X-rays rather than relying on a document password alone, so that only authorized individuals can open them. If a file must be password-protected, send the password through a separate channel from the file itself.
  • Implement automatic logouts after periods of inactivity to prevent unauthorized access to PHI on unattended devices.
  • Use HIPAA compliant file sharing services that employ strong encryption (e.g., AES-256) for data at rest and TLS 1.2 or later for data in transit. Transfer files only over encrypted protocols such as SFTP, FTPS, or HTTPS, never plain FTP or unencrypted email attachments.
  • Use case-by-case authorization forms for specific disclosures, especially when dealing with professional sports organizations or media requests.
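The list above names three controls that are easy to state and easy to get subtly wrong: role-based access that enforces the "minimum necessary" standard, case-by-case authorizations for disclosures outside the treatment relationship, and an audit trail that records every access (including refused ones) and cannot be quietly edited afterwards. The following Python module is an added example written for this article; it is not Paubox software, not any real EHR product, and the roles, staff names, athlete IDs and the sample record are all constructed. It assumes a coach is entitled to playing status but never to a diagnosis, that media have no standing access, and that athlete authorizations carry an ISO-8601 expiry date.

```python
# Added example written for this article (not Paubox software or any real EHR):
# role-based, minimum-necessary reads of athlete records, athlete-signed
# authorizations for non-treatment disclosures, and a hash-chained audit trail.
# Roles, staff names, athlete IDs and the sample record are all constructed.
import hashlib
import json
from dataclasses import dataclass

# Fields each role may ever see ("minimum necessary"): a coach gets playing
# status but never the diagnosis; media have no standing access at all.
ROLE_FIELDS = {
    "team_physician": {"name", "status", "diagnosis", "imaging_ref"},
    "athletic_trainer": {"name", "status", "diagnosis"},
    "coach": {"name", "status"},
    "media": set(),
}
TREATMENT_ROLES = {"team_physician", "athletic_trainer"}


class AccessDenied(PermissionError):
    """Raised, after the attempt is audited, when a request is refused."""


@dataclass(frozen=True)
class Authorization:
    """Athlete-signed authorization for one specific disclosure."""
    athlete_id: str
    recipient_role: str
    fields: frozenset
    expires: str  # ISO-8601 date; such strings compare chronologically


class AthleteRecordStore:
    def __init__(self, records):
        self._records = records   # athlete_id -> dict of fields
        self.care_team = {}       # user -> set of athlete_ids they treat
        self.authorizations = []
        self.audit = []           # append-only, hash-chained entries
        self._prev_hash = "0" * 64

    def _log(self, user, role, athlete_id, fields, allowed, reason):
        # Each entry commits to the previous entry's hash, so editing or
        # deleting an earlier entry breaks the chain (see verify_audit).
        entry = {"user": user, "role": role, "athlete": athlete_id,
                 "fields": sorted(fields), "allowed": allowed,
                 "reason": reason, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit.append(entry)

    def _deny(self, user, role, athlete_id, reason):
        self._log(user, role, athlete_id, set(), False, reason)
        raise AccessDenied(f"{user} ({role}) -> {athlete_id}: {reason}")

    def read(self, user, role, athlete_id, today):
        """Return only the fields this user may see, or raise AccessDenied."""
        if athlete_id not in self._records:
            self._deny(user, role, athlete_id, "unknown athlete")
        fields, reason = set(ROLE_FIELDS.get(role, set())), "role policy"
        if role in TREATMENT_ROLES:
            # Treatment access only for athletes on this clinician's care list;
            # looking up a teammate out of curiosity is refused and logged.
            if athlete_id not in self.care_team.get(user, set()):
                self._deny(user, role, athlete_id, "not on care team")
        elif not fields:
            # Roles with no standing access (media, sponsors, unknown roles)
            # need a current, athlete-signed authorization naming the fields.
            auths = [a for a in self.authorizations if a.athlete_id == athlete_id
                     and a.recipient_role == role and a.expires >= today]
            if not auths:
                self._deny(user, role, athlete_id, "no current authorization")
            fields = set().union(*(a.fields for a in auths))
            reason = "signed authorization"
        self._log(user, role, athlete_id, fields, True, reason)
        return {k: v for k, v in self._records[athlete_id].items() if k in fields}


def verify_audit(audit):
    """Recompute the hash chain; False if any entry was altered or removed."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body.get("prev") != prev or digest != entry["hash"]:
            return False
        prev = digest
    return True


# Constructed sample data: one fictional athlete.
SAMPLE_RECORDS = {"ath-001": {"name": "A. Player", "status": "out 4-6 weeks",
                              "diagnosis": "right ankle syndesmosis sprain",
                              "imaging_ref": "MRI-0117"}}


def demo_store():
    """Team physician dr.ruiz treats ath-001; media may see status until 2024-09-30."""
    store = AthleteRecordStore(SAMPLE_RECORDS)
    store.care_team["dr.ruiz"] = {"ath-001"}
    store.authorizations.append(
        Authorization("ath-001", "media", frozenset({"status"}), "2024-09-30"))
    return store
```

With `store = demo_store()`, `store.read("dr.ruiz", "team_physician", "ath-001", "2024-09-01")` returns the full record, a coach reading the same athlete gets only name and status, an athletic trainer who is not on the care team raises AccessDenied and still leaves an entry in `store.audit`, and a reporter gets the status field only while the authorization is unexpired. Changing any audit entry afterwards makes `verify_audit(store.audit)` return False, which is the property an investigator needs when reconstructing who looked at a record before a leak.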

 

Special considerations in collegiate settings

Collegiate athletic trainers working for a university health center that bills electronically must adhere to HIPAA, while those employed by the athletic department may follow FERPA for student-athlete records. When it comes to collegiate athletes' health data, one of the main special considerations is the interplay between privacy laws and the unique status of student-athletes. Unlike professional athletes, collegiate athletes are not considered employees but rather students participating in extracurricular activities. The distinction affects how their health data is protected and shared. 

HIPAA does not reach most collegiate athletic programs directly. Records that FERPA covers, including treatment records kept as part of a student's education file, are excluded from HIPAA's definition of PHI, so the Family Educational Rights and Privacy Act (FERPA) governs them instead. The exception is treatment delivered by a university health center that bills electronically, where the center is a covered entity and HIPAA applies.

There is also the factor of pressure related to data collection. Collegiate athletes often face social and institutional pressures to participate in biometric data collection, which can be used to monitor performance, health, and risk factors for injuries. While this data can be beneficial for optimizing training and preventing injuries, athletes may not fully understand the implications of sharing their data, leading to potential privacy concerns.

 

FAQs

Can medical staff discuss patient information with family members?

Yes, within limits. HIPAA lets a provider share information relevant to a family member's involvement in the patient's care when the patient agrees or, having been given the opportunity, does not object. If the patient is incapacitated or unavailable, the provider may use professional judgment about whether sharing is in the patient's best interest.

 

Can medical staff access PHI for personal reasons?

No, accessing PHI for personal reasons or for friends and family is a HIPAA violation unless it is part of a healthcare provider's job responsibilities. 

 

How should medical staff handle electronic access to PHI?

Electronic access to PHI must be limited to those who need it for their job functions. All accesses are typically tracked, and unauthorized access can lead to disciplinary action.

 

How often should medical staff receive HIPAA training?

HIPAA requires training when staff are hired and whenever relevant policies or procedures change. Most organizations also run annual refresher training so that staff understand and follow HIPAA guidelines.

 

Can medical staff use PHI for research purposes?

Yes, but only if the use is approved and follows HIPAA guidelines for research, which often require patient authorization or a waiver from an Institutional Review Board (IRB).