
HIPAA and ethics in professional sports


HIPAA applies to what the law calls "covered entities." Under 45 CFR § 160.103, the definition states, "Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter."

This means HIPAA doesn't apply to everyone who handles health information; it applies to those operating within this defined framework. This distinction matters for professional sports.

Also, the HHS guidance on employer health information states that "the Privacy Rule does not apply to the actions of an employer." The law governs disclosures made by healthcare providers, not the questions or conduct of employers. As HHS guidance explains, the Privacy Rule is directed at the provider's disclosures, not at what an employer may ask or do with health-related information in employment records.

 

The team doctor problem

When a team physician or certified athletic trainer treats a player on the sideline, are they acting as a HIPAA covered healthcare provider? The answer is often no.

Most professional sports teams employ their medical staff directly. A team doctor is an employee or contractor of the franchise, not of a hospital or independent clinic. This matters because 45 CFR § 160.103 also defines a business associate as someone who acts "on behalf of a covered entity but other than in the capacity of a member of the workforce of such covered entity." Team medical staff are workforce members of the franchise, not business associates of a covered entity, which places them outside of HIPAA's obligations.

The team itself is not a covered entity under HIPAA. This means that when a team physician examines an athlete, the information collected in that interaction may not be protected by HIPAA.

The peer-reviewed article Sports Medicine and Ethics makes this point, noting that team physicians operating as club employees carry contractual obligations to share health-related information with team management, obligations that sit outside HIPAA's reach.

A University of Utah legal analysis shows the consequences of this. When New York Giants defensive end Jason Pierre-Paul suffered a fireworks accident in July 2015, an ESPN reporter resolved days of speculation by tweeting photographs of his actual medical record, confirming a finger amputation and skin grafting that even the Giants themselves were not yet aware of. Following that disclosure, the Giants withdrew a $60 million contract offer. The hospital staff involved faced consequences, but the publication of that information exposed how unprotected an athlete's medical records can be once they leave a traditional clinical setting.

HHS guidance reinforces this gap by stating that employment records fall outside the Privacy Rule's protections, even when they contain health-related information. For professional athletes, injury data recorded and held by a franchise falls into this gap.

 

The confidentiality problem

Research reviewed in Sports Medicine and Ethics found that when sports medicine physicians were surveyed about how they handled sensitive player information, including details about recreational drug use, blood-borne infections, and pain medication, roughly half said they had disclosed that information to team management, while the other half said they had not.

That inconsistency matters because effective medical care depends on trust. An athlete who suspects their team physician might relay sensitive disclosures to management can withhold information, which can directly compromise the quality of care they receive. As Sports Medicine and Ethics notes, some team physicians deliberately keep player information private to preserve that trust, knowing that a player who doesn't trust their doctor will hide problems in the future. Others take the position that coaches need to know the health status of every player to plan effectively.

 

Informed consent

Besides confidentiality, there is a second ethical fault line that Sports Medicine and Ethics calls informed consent.

In a standard medical setting, valid informed consent requires that a patient be competent to make decisions, that risks and benefits be explained, that the patient understands what they've been told, and that the consent be voluntary. In professional sports, all four of those conditions can be compromised.

For example, a player who has sustained a head injury may lack the capacity to assess their own condition. They may be surrounded by coaches, teammates, and staff whose interest is having them return to the field. As Sports Medicine and Ethics documents, some athletes have actively manipulated their own medical evaluations to avoid being removed from play, fully aware they were doing so and later acknowledging it may have been one of the worst decisions they ever made. As a result, Sports Medicine and Ethics notes that informed consent frameworks designed for calm clinical settings do not translate properly to professional sports.

 

League injury reports

One example of medical disclosure in sports is the league injury report, a formalized system where teams are required to publicly disclose player injuries. The NFL, NBA, and other leagues require these filings for competitive fairness and to prevent insider trading in sports betting markets.

In the NFL, the system is detailed. According to a 2024 report by The Sporting News, the league operates a three-tier reporting structure which includes a practice report tracking how much an injured player participated during the week, a game status report due by 4 p.m. ET the day before each game, and an in-game injury report requiring clubs to provide updates to broadcasters, media, and stadium fans. The NFL frames the system as needed for competitive integrity and transparency.

These reports are an agreed-upon waiver. By signing their contracts, players consent to a degree of medical disclosure as a condition of employment. The league's collective bargaining agreements, not HIPAA, govern what gets disclosed and when.

HHS guidance acknowledges this dynamic in ordinary workplaces: it states that employers may request health documentation such as a doctor's note for purposes like sick leave, workers' compensation, or insurance. The request is permissible; what HIPAA restricts is the provider going around the employee to hand that information directly to the employer. In professional sports, the contract removes this distinction by putting consent into the employment contract from the beginning.

Not following these contractual obligations has consequences. The Sporting News reported in 2024 that violations carry financial consequences: teams can be fined, coaches can be personally sanctioned, and franchises risk losing draft picks for non-compliance. For instance, the Atlanta Falcons and head coach Arthur Smith were each fined in 2023 after running back Bijan Robinson played a limited role in a game without being listed on the injury report, despite later revealing he had not been feeling well. A similar situation happened in 2019 when the Pittsburgh Steelers and coach Mike Tomlin were fined for failing to disclose a quarterback injury.

League injury reports compel disclosure, while HIPAA is designed to restrict it. A player's medical information gets more public exposure under league rules than it would receive protection under federal privacy law.

 

The player's perspective

The University of Utah article recounts the case of Vince Chuy, who learned of his own alleged career-ending diagnosis not from his doctor, not from the Philadelphia Eagles organization, but from a newspaper. The team's general manager and physician had shared the information with the press because, as the Eagles later explained, Chuy was a matter of interest to Philadelphia sports fans and sports writers. The diagnosis turned out to be incorrect, but the damage to Chuy's peace of mind, his public standing, and potentially his career had already been done. This shows how the current system can remove an athlete’s control over their own medical disclosures.

 

Should the law catch up?

Sports Medicine and Ethics calls for clearer standards and more research into how decision-making actually works in sports medicine, not just to resolve ethical questions, but because the decisions being made can mean the difference between a long, healthy career and one cut short by an injury or a privacy violation that changed how the world saw a player before they had any say in the matter.

 

FAQs

Do amateur or college athletes have stronger privacy protections than professional athletes?

College athletes treated by university medical staff may have stronger HIPAA protections than athletes treated by private sports franchises, since university health systems can qualify as covered entities.

 

Can an athlete sue their team for leaking medical information?

While HIPAA may not apply, athletes could pursue civil claims under contract law, tort law, or state privacy statutes depending on their jurisdiction.

 

Do players' unions negotiate any medical privacy protections into collective bargaining agreements?

Unions can negotiate some health-related provisions into CBAs, but privacy protections for medical disclosures remain limited and differ by league.

 

 
