HIPAA for Health Clubs: Protecting Your Members' Right to Privacy
When personal information is involved, maintaining member privacy is of the utmost importance. Here is how and why health clubs need to protect their members and themselves.
The following is a summary of an education session from the 2014 IHRSA Convention, produced with full permission from IHRSA. The full-length video is available for purchase at ihrsastore.com.
About the speaker
Linda Howard is the CEO at Alturnative Management.
The Wellness Industry
In the health and wellness industry, there is a tremendous amount of money and personal information changing hands. As a whole, the wellness industry is valued at $1.9 trillion in the global market. The fitness, mind, and body sectors are a $390 billion market.
Some reasons for this market growth include baby boomers wanting more health benefits, Generation X being more aware of their health and fitness, a decline in health care, bad health habits, the social environment where celebrities are advocating wellness, and the political environment such as the First Lady’s Let’s Move initiative.
The wellness industry is multidimensional and holistic, integrating physical, mental, spiritual, and social aspects. It is complementary and proactive not only in treating illness, but also in preventing sickness and improving overall quality of life. It is a consumer-driven industry, relying on consumer choice rather than patient necessity.
Why Healthcare Privacy Policies are Relevant in Wellness
The worlds of wellness, fitness, and medicine are merging to create a seamless selection of health services. Health clubs have to collect detailed personal information in order to deliver comprehensive wellness services.
Due to the Health Insurance Portability and Accountability Act (HIPAA), clients have grown to expect a certain level of privacy protections when sharing information to achieve a state of wellness. Privacy protection lessons learned from the healthcare industry are becoming increasingly relevant to the fitness industry.
Federal Privacy Laws: The Health Insurance Portability and Accountability Act
HIPAA requires certain individuals and entities to comply with very rigorous and prescriptive privacy rules. The penalties for non-compliance can be very severe.
In the US, privacy rights are reinforced with every healthcare visit. In most circumstances, HIPAA will not apply to health clubs, but if you are covered by HIPAA, you need HIPAA training.
Types of Information Requiring Protections
Individually identifiable health information, also called protected health information (PHI), is protected under HIPAA. Any protected health information that a covered entity creates, receives, maintains, or transmits in electronic form is known as electronic protected health information (ePHI).
HIPAA Privacy and Security Provisions
The goal is to ensure that PHI is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare and to protect the public's health and wellbeing.
HIPAA Basics: The Rules
The HIPAA rules leave little room for error, so be sure to familiarize yourself with them if your facility deals with members' personal information, which it most likely does.
- Do not use information for anything other than its authorized use.
- If you plan to share information with business associates, you must include special provisions in your member contract.
- Protected data must be kept secure from loss.
- Secure papers containing member information.
- Only disclose the minimum information necessary.
- Members must be notified of a breach of privacy.
- Maintain proper access to records.
- Put a process in place so clients can grant access to authorized information.
Privacy and electronic security protocols developed under HIPAA are some of the best for protecting privacy in healthcare. Protecting privacy makes good business sense. Protecting clients' privacy makes good legal sense.
What Is a Covered Entity?
Every healthcare provider (any person or organization that furnishes, bills, or is paid for healthcare), regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity.
If you are not a covered entity, you could still be a business associate: a person or organization, other than a member of the covered entity's workforce, who works on behalf of a covered entity and creates, receives, maintains, or transmits protected health information.
How a Health Club or Fitness Professional Can Become a Covered Entity or Business Associate
Traditionally, the fitness industry is not included in HIPAA's definition of covered entity or business associate, but collaborating with a traditional health care provider could make you an agent, employee, or business associate of that provider. Offering services defined as wellness could also bring you under the heading of health care provider.
The Affordable Care Act (ACA) includes wellness in the definition of healthcare services. The ACA defines medical professionals (health educators, registered dietitians, physician assistants, and nurse practitioners) as eligible to provide wellness visits.
Legislative Intent of HIPAA
It is clear that the intent of the legislation was to protect health information supplied or gathered in the course of an individual seeking healthcare services. It is not a far stretch to conclude that this protection should extend to information communicated to wellness professionals who are either providing services at the request of physicians, or providing services to a health seeker who is responding to a facility's representation that it provides wellness services.
Unauthorized Disclosure of Personal Information
There are different types of disclosures:
- Intentional internal and external disclosures
- Inadvertent disclosures
- Employees viewing records unnecessarily
- Personal information stored in public view or discussed in a public area
The offender can be sued for violating privacy as a facility and/or in an individual capacity. The offender can also be sued for defamation of character.
Federal Criminal Penalties
A person who knowingly obtains or discloses individually identifiable health information in violation of the privacy rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment.
The criminal penalty increases to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.
Train and discipline your staff regarding the handling of client files. Monitor and protect electronic communications. Use software that allows levels of permissions. Dispose of files properly by shredding them or placing them in locked or secure recycle containers. Hardware must be wiped clean of data.
By taking the necessary steps to ensure your members' privacy, you'll avoid the difficult consequences of violating HIPAA and keep your members' trust.