Esports, short for electronic sports, refers to organized, competitive video gaming at a professional or semi-professional level. Players compete individually or in teams across popular titles like League of Legends, Counter-Strike, Valorant, and Call of Duty, often in front of live audiences and online viewers.
The global esports market was valued at approximately $3.64 billion in 2025 and is projected to expand to $17.42 billion by 2031. The League of Legends 2025 World Championship drew an audience of 6.7 million viewers in the final. Professional esports players are contracted athletes employed by organizations, competing in structured leagues, and earning salaries that can reach seven figures. With the rise of esports, medical and performance support has become prominent, requiring careful attention to HIPAA compliance.
Esports organizations have built out medical and performance support teams that are similar to those found in traditional professional sports. Teams now employ or contract physicians, physical therapists, occupational therapists, sports psychologists, nutritionists, and vision specialists. In 2019, ABC News reported that Cleveland Clinic had formally partnered with the University of Akron's esports program, becoming their official medical provider with a specific focus on researching and preventing repetitive-use injuries, nutrition, and neurocognitive performance.
The physical demands of competitive gaming are documented in a peer-reviewed study published in BMJ Open Sport & Exercise Medicine, which surveyed collegiate esports players and found that the most commonly reported complaint was eye fatigue, affecting more than half of players surveyed. Neck and back pain were the second most prevalent issue, followed by wrist and hand pain. The same research found that players practice anywhere from five and a half to ten hours per day, and that a number of them do not engage in physical exercise.
Psychologists and psychiatrists working with esports players address anxiety, burnout, cognitive behavioral patterns, and team dynamics. All of this includes documenting clinical notes, treatment plans, and health histories.
This information is protected health information (PHI) under HIPAA, and the clinicians generating it may be covered entities or business associates with compliance obligations.
HIPAA's Privacy Rule, codified at 45 CFR § 164.502, establishes the rule for how PHI can be used and disclosed: "A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart."
A covered entity, under HIPAA, includes healthcare providers who transmit health information in electronic form in connection with a covered transaction. When a sports psychologist contracted by an esports organization conducts a therapy session, documents clinical notes, and emails those notes to a team's coaching staff, HIPAA is triggered. When a physical therapist treats a player for strain injury and communicates treatment progress to the organization's medical director, that communication must meet HIPAA's security standards.
The minimum necessary standard under 45 CFR §§ 164.502(b) requires that covered entities evaluate their practices and limit access to PHI to only what is necessary for the intended purpose. In practice, this means a team's head coach has no right to a player's full psychological evaluation simply because they want performance insights.
Esports organizations may not employ medical staff directly; instead, they contract with third-party clinics, telehealth providers, and wellness platforms to deliver care to their players. Under HIPAA, any third party that handles PHI on behalf of a covered entity is a business associate and must be governed by a business associate agreement (BAA).
Under 45 CFR § 164.502(a)(3), a business associate may use or disclose PHI "only as permitted or required by its business associate contract." Without a BAA in place, any sharing of a player's health information between the contracting organization and the external provider is a potential HIPAA violation.
Esports organizations that share player health data across internal Slack channels, via standard email, and through shared Google Drives run counter to HIPAA's requirements for secure transmission and access controls.
Learn more: How to know if you’re a business associate
Generally, HIPAA's Privacy Rule applies uniformly to all protected health information, without regard to the type of information. However, one exception exists for psychotherapy notes, which receive a heightened level of protection. According to HHS guidance on the Privacy Rule, psychotherapy notes are defined specifically as notes recorded by a mental health professional "documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session," and they must be kept separate from the rest of the patient's medical record.
According to 45 CFR § 164.501, psychotherapy notes do not include medication prescription and monitoring records, session start and stop times, treatment modalities and frequencies, results of clinical tests, or summaries of diagnosis, functional status, treatment plans, symptoms, prognosis, and progress to date. Those records are part of the general medical record and are governed by standard HIPAA protections.
HHS explains that psychotherapy notes receive special treatment both because of their particular sensitivity and because they are "the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes." They exist for the clinician's own use and not for the broader care team and team management.
Under 45 CFR § 164.508(a)(2), a covered entity must obtain a patient's separate, specific written authorization before disclosing psychotherapy notes for any reason, including disclosure for treatment purposes to another healthcare provider, unless that provider is the one who originally created the notes. Exceptions exist for disclosures required by other law, such as mandatory abuse reporting or state-law duty-to-warn obligations where a patient has made a credible threat of serious and imminent harm.
This matters in the esports context, where organizations may feel entitled to access a player's psychological records as part of their roster management. A progress note summarizing a player's treatment status and symptom improvement is not a psychotherapy note under HIPAA; a clinician's private session notes documenting the contents of a therapy conversation are. Both receive protection, but the latter requires a specific written authorization.
Learn more: HIPAA, psychotherapy notes, and other mental health records
Any organization employing or contracting licensed healthcare professionals who generate and transmit electronic PHI is operating within HIPAA's jurisdiction.
The research states that esports athletes need medical support, and the clinicians providing that support have legal obligations. Building out a health infrastructure modeled on the kind proposed in the sports medicine literature is not just good practice for player welfare. It is the scenario in which HIPAA compliance becomes necessary.
Organizations should start by conducting a risk assessment to identify every point at which PHI is created, accessed, transmitted, or stored. All third-party medical and wellness vendors should be reviewed for BAA compliance. Internal communication tools used to share health-related information must be evaluated against HIPAA's security requirements.
Also, the channels through which medical staff communicate with players, coaches, and management need to be HIPAA compliant. Standard email is not encrypted by default and does not meet HIPAA's transmission security requirements under 45 CFR § 164.312(e). HIPAA compliant email solutions provide the encrypted, auditable communication that clinical staff in esports organizations need.
Read also: Secure, HIPAA compliant email for healthcare
While HIPAA applies to covered entities and business associates regardless of the competitive level, collegiate programs affiliated with university health systems or employing licensed clinicians who transmit electronic health information may fall under its jurisdiction.
HIPAA protections cannot be waived through an employment or player contract, as authorizations must be voluntary, specific, and informed rather than coerced as a condition of participation.
Organizations that experience a breach of unsecured PHI are required under HIPAA's Breach Notification Rule to notify affected individuals, HHS, and in some cases the media.
Yes, a physician employed directly by an esports organization who transmits electronic health information in connection with covered transactions is a covered entity or workforce member subject to HIPAA's requirements.