Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Professional athletes' health information and HIPAA

Picture of Kirsten Peremore Kirsten Peremore August 18, 2023

HIPAA Compliance
Professional athletes' health information and HIPAA

Privacy is a fundamental right that all individuals, including athletes, should enjoy, especially when it comes to their sensitive medical data. As such, the protections provided within HIPAA's requirements play a role in assuring that athletes feel confident that their health information is kept confidential.

 

HIPAA and athletic medical staff

HIPAA applies to athletic medical staff, including athletic trainers, when they work for covered entities that engage in electronic healthcare transactions. As part of covered entities, professional athletic trainers and medical staff must adhere to strict privacy and security rules to protect athletes' medical information. These rules include the HIPAA Privacy Rule, which governs the use and disclosure of protected health information (PHI) related to athletes' physical and mental health conditions. 

They should follow the minimum necessary standard when accessing, using, or disclosing PHI, ensuring that only the minimum required information is shared for legitimate purposes. 

Additionally, athletic trainers and medical staff may need to sign business associate agreements (BAAs) with third-party vendors, ensuring these vendors also comply with HIPAA when handling PHI. 

 

Informed consent in sports teams 

Athletes are often required to sign informed consent forms at the beginning of their tenure with a professional sports team. These forms outline the types of PHI that may be shared, the purposes for sharing, and the entities with whom the information may be disclosed. By signing these forms, athletes provide explicit consent for the team to share their PHI for specific purposes.

College and professional sports teams also often have specific health and safety policies that address how PHI is collected, used, and shared. These policies are designed to comply with relevant privacy laws while ensuring athletes' well-being and healthcare needs. If the team contracts with third-party vendors, such as medical service providers, to handle PHI on their behalf, they may enter into BAA with the vendor. 

See also: HIPAA compliance and the NFL (National Football League)

 

Collective bargaining and PHI

Collective bargaining agreements (CBAs) between professional sports leagues and players' unions often address various aspects of athletes' employment, including the protection of their PHI. While HIPAA primarily applies to covered entities, such as healthcare providers, and their handling of PHI, CBAs may have provisions related to the privacy and security of athletes' PHI. 

These may include

  1. Privacy protections: CBAs may include provisions that outline the privacy protections for athletes' PHI when collected, used, or disclosed as part of their employment or participation in the league.
  2. Consent and authorization: CBAs may specify the circumstances under which athletes' PHI can be accessed, used, or disclosed and may require players to provide consent or authorization for certain activities.
  3. Medical examinations: CBAs may address the requirements and limitations on medical examinations, including who has access to the results and how the information is used.
  4. Confidentiality obligations: CBAs may impose confidentiality obligations on team physicians, medical staff, and other individuals involved in athletes' healthcare, ensuring their PHI is kept confidential.
  5. Notification of rights: CBAs may require athletes to be informed about their rights regarding their PHI, including their ability to access and request amendments to their medical records.
  6. Data sharing: CBAs may address data sharing between the league, teams, and medical personnel while emphasizing the need to protect athletes' PHI during such exchanges.

See also: What is the HIPAA treatment exception?

 

Drug testing results

The results of a drug test can be considered PHI under HIPAA if a healthcare provider or a covered entity conducts the drug test. The drug test results would be subject to HIPAA's privacy and security rules in this case.

However, if the drug test was conducted by an employer or a third-party drug testing service that is not a covered entity under HIPAA, the results may not be considered PHI under HIPAA regulations. Instead, the results may be subject to other privacy laws or regulations that govern workplace drug testing.

If the drug test results are considered PHI under HIPAA, they can only be shared with individuals who have a legitimate need to know the information for treatment, payment, or healthcare operations purposes, or if the individual provides written authorization for disclosure. This means that the results can only be shared with appropriate medical staff and individuals involved in the athlete's treatment or care, and only to the extent necessary to carry out their responsibilities.

See also: HIPAA Compliant Email: The Definitive Guide

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.