An issue has arisen that has college coaches and athletic trainers concerned about disclosing medical information about student-athletes. Congress has decided to establish a minimum national standard to protect the privacy of personal health information, and that has now become a matter of concern for athletics teams.

Congress included in the Health Information Portability and Accountability Act of 1996 (HIPAA) provisions for the Department of Health and Human Services (HHS) to promulgate regulations on the privacy and security of personally identifiable health information. The HIPAA Privacy Rule is scheduled to become effective April 14, 2003, although several amendments are under consideration. A Notice of Proposed Rule Making regarding physical and electronic security of health information was issued in 1998, but the final rule still has not been issued.

A recent New York Times article reported that, to the surprise of many, the Privacy Rule may apply to athletics programs and prevent the disclosure of medical information about athletes without their written consent that complies with the rule. Representatives of both college and professional sports teams commented about their concerns. A subsequent article in the Times on July 4, 2002, reported that one professional team's attorneys have written HHS asking that professional sports teams be exempted. Others are advising professional teams that these athletes are employees and the health information maintained by the teams is part of the player's "employment record" and thus not protected health information under the Privacy Rule. HHS has responded with a press release indicating its belief that this issue can be dealt with under the present rule.

The Privacy Rule applies to the use and disclosure of protected health information by health-care providers who transmit medical information electronically, primarily in relation to payment for services. For sports teams, this will generally be athletic trainers and sports physicians who bill for their services.

College coaches and athletic trainers are worried that they will not be able to use and disclose medical information about athletes as they have in the past unless they have a written authorization that complies with HIPAA. They fear that blanket authorizations now signed by the athletes may not be adequate under the new rules.

Those trainers employed by academic institutions may have some relief, however, because the Privacy Rule excludes from its definition of "protected health information" student health information held by institutions covered by the Family Educational Privacy and Rights Act of 1974 (FERPA). FERPA already protects the privacy of health information on students, either because it is used for very limited purposes and is therefore exempt from the FERPA definition of "education records" or because its use qualifies it as a FERPA "education record." In either case, the privacy of the information already is protected, and HHS has concluded that Congress did not intend for the HIPAA Privacy Rule to supercede the protections of FERPA.

Athletic trainers employed by a university's athletics association rather than the university, and who bill for their services, may have more of a problem with the Privacy Rule, however. They probably cannot rely on the FERPA exception or consider the athletes as employees. Thus, they may only be allowed to use or disclose medical information for treatment, payment and operations purposes, unless they have a signed authorization from the athlete and it complies with the Privacy Rule. "Operations" refers specifically to health-care-related functions only.

The Privacy Rule puts control of medical information in the hands of the patient, which means that if the rule applies, the athlete would decide whether his or her information may be released to the press or even to coaches. The Times article noted that sports officials worry that they will no longer be able to release information to the public about player injuries without the specific written authorization of the player, which could be revoked at any time.

Athletic trainers employed by an academic institution must be careful about concluding too quickly that the HIPAA Privacy Rule applies to them. If their records are covered by FERPA, they do not have the option of choosing to apply HIPAA instead.

Even in an academic institution, athletic trainer records could become a HIPAA Privacy Rule issue if the athletic trainer who bills for services treats people who are not students. Records on nonstudents would not qualify for the FERPA exception.

University counsel may want to evaluate the institution's handling of all medical information on students and assure that there is a uniform policy that complies with FERPA with regard to privacy and, if the institution is a covered entity, with the HIPAA Security Rule when it becomes final.

Health-care providers can expect the final Security Rule to require them to (1) assess the risks to the security of health information, (2) protect against threats to that security, (3) implement security measures appropriate to the provider's circumstances and (4) ensure that staff comply with the safeguards. The provider will be expected to adopt administrative procedures to manage the security measures, a process to protect and monitor information access, and measures to protect electronic data transmissions. Academic institutions with health care functions will not have the benefit of a FERPA exception under the Security Rule .

Athletic trainers need to consult with counsel about the application of the HIPAA Privacy Rule and, when it becomes final, the HIPAA Security Rule. Remember, violators of HIPAA may be subject to serious criminal sanctions.

Jerry Woods is former counsel at the Medical College of Georgia and now is a health-law specialist in private practice.