The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996, by the 104th U.S. Congress as Public Law 104-191 (29 U.S.C. § 18). The act amended both the Employee Retirement Income Security Act, or ERISA [29 U.S.C. § 1182(a)(1)], and the Public Health Service Act [42 U.S.C. § 6(a)]. Its main purpose was to improve both the portability and continuity of health insurance coverage for workers and their families, especially as individuals changed employers. Title II of the act was intended to reduce paperwork--making it easier to detect and prosecute fraud and abuse--and to streamline industry inefficiencies (Office of Civil Rights, 2003). However, one specific clause in title II part C, titled "Administrative Simplification," has had implications beyond the original intent of the act. This clause is referred to as the Privacy Rule; it was effective on October 15, 2002, and is responsible for much confusion and widespread controversy (Kuczynski & Gibbs-Whalberg, 2005), especially in collegiate sport settings.
"Standards for Privacy of Individually Identifiable Health Information" is the Privacy Rule (45 CFR parts 160 and 164). The Privacy Rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. The Privacy Rule was added to the legislation at the request of the insurance industry. It was intended to be a confidentiality provision--controlling the use and disclosure of health information--by establishing for the first time a set of national standards for the protection of personal health information. Before the enactment of this act, an individual's health information was readily available and able to be shared among insurance companies. The resulting effect of this ethically questionable, yet legal, sharing of health information was across-the-board rejections of many persons who requested, and often needed, health insurance.
The Department of Health and Human Services is responsible for the enforcement and implementation of HIPAA. Being a federal agency, its power is far-reaching and at times intimidating. The passage of HIPAA and more specifically of the Privacy Rule has had an immediate impact on sporting organizations and personnel, especially with the normative method by which injuries are reported and information concerning athletes is released. The challenge facing sport professionals is determining if HIPAA applies to them, and if it does, establishing protocol for performing their duties adequately while being in compliance with the federal regulations. This paper will identify issues with the HIPAA Privacy Rule and suggest methods with which sport professionals can cope with these issues.
Personal health information is defined by HIPAA as individually identifiable health information. This includes any demographic or personally identifiable data relating to physical or mental health conditions, as well as information relating to the provision of health care and payment; however, patient information from which identifying information has been redacted is not subject to HIPAA guidelines (Jones, 2003). The Privacy Rule (also known as "Standards for Privacy of Individually Identifiable Health Information") is in title 45 of the Code of Federal Regulations, part 160 and subparts A and E of part 164. The full text of the Privacy Rule can be found at the HIPAA privacy website of the Office for Civil Rights, http://www.hhs.gov/ocr/hipaa.
The Privacy Rule specifies that all covered entities follow five steps to ensure the privacy of patients' health information (Dolan, 2003):
1. Notify patients about their rights and inform them of how their information will be used.
2. Adopt and implement privacy procedures.
3. Train employees on privacy procedures. …