Athletic Trainers are skillful folks who often work in in-between spaces: they're not a coach but they guide athletes; they're not physicians but they provide crucial medical care; they're not professors but they work in universities.
So when it comes to Patient Health Information (PHI), and the management of that information, Athletic Trainers have also existed in an in-between spot. These professionals are left confused as to whether HIPAA -- and its fearsome set of regulations and punishments -- applies to them. Can they email a picture of a patient's ankle to an Orthopedist? How should they store patient information at the right level of security? With whom -- The patient's family? The coach? A doctor? The patient's professor? -- can they share patient medical information?
It is certainly understandable that an Athletic Trainer might be confused, because this is a rapidly evolving field governed by a knot of confusing laws. A college or university may be considered a "covered entity" or a hybrid, with a health center being a covered entity and an academic department not being one. "Covered entities", of course, do need to comply with HIPAA… but Athletic Trainers are not billing the patient, so it's possible that there is a loophole there.
Despite the confusion, some legal precedent is beginning to make it clear that Athletic Trainers must be aware of, and for the most part, adhere to HIPAA.
As summarized in HIPAA Solutions' Compliance Alert, "Court rulings, along with recent updates to Federal and state regulations reveal that, in fact, HIPAA has a broad reach in relation to health information associated with students."
In particular, another ruling drills down into the exact HIPAA status of Athletic Trainers themselves: "a Federal District Court applied both HIPAA and FERPA to Penn State University, concluding that both statutes apply to athletic trainers."
Given the legal precedent and ramifications of not complying, here are our 3 tips for Athletic Trainers on staying in compliance with HIPAA:
- Protect PHI. Especially given the legal precedent above, it's clear that PHI must be protected by Athletic Trainers. That means protecting it from people who aren't allowed to access it, making sure it's stored securely, and making sure it's shared securely.
- Consult an attorney if in doubt. Because there are some grey areas here, you'll certainly need to make the best decision you can, but don't ignore the question. Get the information that exists and then decide what makes sense in your unique situation.
- Stop using email to send pictures. When any PHI is sent by electronic means, it is protected under HIPAA. Email isn't HIPAA-secure, so if you want to collaborate with other providers, you'd need to use a telemedicine platform like ClickCare that promises HIPAA compliance.
As Athletic Trainers, how has HIPAA come into your practice? What precautions do you take? Share your experiences in the comments below.
Image courtesy of pennstatelive on Flickr, used under Creative Commons rights.