The Health Insurance Portability and Accountability Act (42 United States Code § 1320d), which took effect nearly 10 years ago, has had a profound impact on the healthcare industry. Though HIPAA covers many areas, the privacy rule in particular is noteworthy. If you’ve ever wondered if and how this law affects your fitness facility, this article provides an overview and an explanation.
What Is the HIPAA Privacy Rule?
The HIPAA privacy rule gives individuals a fundamental right to information about the privacy practices of their health plans and of most types of healthcare providers, as well as information about their privacy rights with respect to their personal health information. Health plans and covered healthcare providers are required to distribute a notice that clearly explains these rights and practices. The notice focuses on privacy issues and concerns, and prompts individuals to discuss these issues with their health plans and healthcare providers (HHS 2012).
HIPAA imposes very specific requirements about how health plans and healthcare providers handle the exchange of “protected health information” (Logan v. Department of Veterans Affairs 2004). Protected health information comprises virtually all of a covered healthcare provider’s information about an individual. This includes medical, financial and basic-intake information, as well as any related notes, in either hard-copy or electronic form.
The U.S. Department of Health and Human Services, specifically the Office of Civil Rights, oversees the HIPAA privacy rule, and the department has the authority to assess penalties for violations. Two years ago, for example, the department imposed a $4.3 million penalty on a Maryland healthcare provider for, among other things, failing to provide patients with access to medical records when they requested them (HHS 2011).
HIPAA’s privacy rule applies only to “covered entities.” Covered entities are
- healthcare providers,
- health plans (health insurance companies, company health plans, HMOs) and
- healthcare clearinghouses (entities that process healthcare data).
HIPAA has not been construed as applying to gyms and fitness facilities, or to personal trainers, massage therapists, nutritionists and other nonmedical wellness professionals. The definition of health care under the regulations is quite broad—including “preventive [care],” “rehabilitative [care]” and “maintenance” and “assessment” of “the physical or mental condition, or functional status of an individual that affects the structure or function of the body.” But the regulations and overall context indicate that “covered entities” are the more traditional providers of healthcare: doctors, hospitals, dentists, podiatrists, pharmacists, laboratories, optometrists and the like.
Partnerships Can Affect Privacy
If your fitness facility is affiliated with a healthcare provider, however, the businesses may collectively be considered a hybrid entity. Take a supermarket pharmacy as an example of this type of entity. As a supermarket customer, you may have “frequent shopper” data that is not subject to the privacy rule, but you may have data at the pharmacy that is subject to it. The supermarket does not need to comply with HIPAA when releasing data about your purchasing habits to a coupon marketer, but its pharmacy must adhere to HIPAA’s privacy rule with respect to your prescriptions and insurance information.
Likewise, what if your fitness facility (which employs certified personal trainers and other nonmedical wellness professionals) partners with a podiatrist to provide gait analysis and foot-strengthening exercises to discharged or postsurgical patients? Your intake files should be completely separate from the podiatrist’s, and the podiatrist’s HIPAA notice-of-privacy practices should explain the distinction. Another example: college medical and health centers (covered under HIPAA) and college fitness facilities (not covered).
In these scenarios, where covered entities (and/or their affiliates) provide both covered and noncovered functions, the covered entity must decide if it wants to be considered a hybrid entity. If it does not, then all of its functions are covered by HIPAA’s privacy rule. If a covered entity decides to be a hybrid entity, it must define and designate its healthcare component(s) so that all patients, clients and staff know when information is considered protected health information and is subject to HIPAA—and when it is not.
If you believe that the unique circumstances of your fitness business might cause it to be considered a covered entity or a hybrid entity under HIPAA, contact the Department of Health and Human Services or visit its website for a flowchart-style decision-making tool (www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html). You should also consult a healthcare lawyer in your jurisdiction to ensure that all appropriate privacy practices are being followed—both by your own staff and by the entity with which you partner.
How does a “business associate” fit into the picture? A business associate is a person or an entity that performs functions (or provides services) or activities that involve the use or disclosure of protected health information on behalf of a covered entity. The HIPAA privacy rule lists some of the functions or activities, as well as the particular services, that make a person or an entity a business associate if the activity or service involves using or disclosing protected health information.
Business associate functions and activities include the following: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and financial services.
HIPAA’s privacy rule governs the contractual relationship between a covered entity and its business associates. Contracts must address how protected health information is to be handled and safeguarded and how to protect against confidentiality breaches. Again, the overall context and purpose of this rule suggest it would not apply to nonmedical wellness professionals unless your business provides staff to, or shares staff with, a covered entity to perform administrative or accounting functions. Under these circumstances, you would need to define the scope of services and whether a “business associate” relationship is contemplated. Retain an attorney to analyze the specific nature of your business and the services provided and to draft the appropriate contractual provisions to protect your company.
Communication With Covered Entities
Even if your business is not covered by HIPAA, the privacy rules will come into play if and when you or your fitness professionals attempt to obtain medical information about your clients from their physicians. Even if a PAR-Q (Physical Activity Readiness Questionnaire) or other risk stratification questionnaire indicates that obtaining a medical release is advisable, your client’s physician will likely not release protected health information directly to you or your trainers. Rather, the appropriate protocol is to ask the client to obtain the necessary information from the physician, and then have the client provide it to the fitness professional.
The client will also have executed appropriate informed consent and release forms, indicating that the risks associated with the physical activities are understood and the client has medical clearance. If these safeguards are in place, direct communication between your business and your client’s personal physicians should not be necessary.
In short, even though your fitness facility is not likely to be directly governed by HIPAA, many of the organizations you deal with are. Know the types of restrictions and protections that apply to your clients’ information. This will enable you to acquire the information appropriately and handle it responsibly. Adhere strictly to your business purpose and scope of practice—to avoid having them be mischaracterized or inadvertently subjected to HIPAA regulation.
Are you a club owner or manager? Gain, train and retain world class staff with the fastest growing health club software in the world: https://www.ideafit.com/clubconnect
HHS. 2011. News release: HHS imposes a $4.3 million civil money penalty for violations of the HIPAA Privacy Rule.
HHS. 2012. Notice of privacy practices for protected health information. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html; retrieved Sept. 2012.
Logan v. Department of Veterans Affairs. 2004. 357 F.Supp.2d 149 (D.D.C., 2004).
Subscribe to our Newsletter
Stay up tp date with our latest news and products.