For many years, colleges and universities that receive federal funding have been required to have student-athlete consent to release medical information to noninstitutional employees or outside entities, such as conference offices and the media.

That requirement came under the Family Educational Rights and Privacy Act (FERPA) (also known as the Buckley Amendment), but now a new federal law, the Health Insurance Portability and Accountability Act (HIPAA), which sets parameters for providing personal medical information, has athletics administrators and those in the sports-medicine community concerned -- and in some cases confused -- about whether the new law applies to them and how it relates to the old law.

The HIPAA Privacy Rule addresses the latter point. It says that the HIPAA definition of "protected health information" does not apply to a student's college or university education records. Those records are instead protected by FERPA.

The FERPA definition of "education records" excludes a student's health records if they are (1) maintained by a physician, psychologist or recognized professional or paraprofessional (such as a certified athletic trainer) who is an employee or agent of the institution, (2) are made, maintained or used only in connection with the provision of treatment to the student, and (3) are not available to anyone other than those treating the student, except a physician or other appropriate professional of the student's choice. Students' health records that are excluded from FERPA's definition of education records also are excluded from the definition of health information protected by HIPAA.

This means that a college or university's health records on its students are not subject to the HIPAA Privacy Rule. Any disclosure of injury or additional information in those records to other than those specifically enumerated in FERPA can only be done if the student-athlete consents in writing. One group that is allowed access without first obtaining such a written consent is other institutional employees who have legitimate educational interests in the records. For example, disclosure of injury information from an athletic trainer to a coach for the purpose of protecting the health and safety of the student-athlete does not need the student-athlete's prior consent.

Covered entities

A FERPA consent must contain certain elements to be valid. It must be in writing and must specify the records to be released. It also must specify the reasons for such release and to whom the records are being released. It also needs to be signed by the student.

If student-athlete medical records do not meet the definition of records exempted from HIPAA, (for example, if a health care professional or paraprofessional is not an employee of the institution but instead works under contract to the institution to accept referrals), the next question to be asked is whether that health care provider is a "covered entity" under HIPAA.

To be a covered entity, a health care provider must be transmitting health information in electronic form in connection with the transmission of information between two parties to carry out financial or administrative activities related to health care. Once a provider uses a electronic transmission for that purpose, all of its health care records and oral communications about them become subject to HIPAA requirements. A U.S. Department of Health and Human Services (HHS) Web site containing a decision tree that clarifies whether an individual or organization is a covered entity under HIPAA can be viewed at: http://www.
cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.
asp.

If a health care professional or paraprofessional such as a certified athletic trainer is a covered entity, HIPAA will prevent the disclosure of private health information to third parties such as conference offices and the media without authorization from the student-athlete. As with a FERPA consent, a HIPAA authorization must be signed and in writing and specify the information to be used or disclosed and the purpose of the use or disclosure. It must specify to whom the information is to be released and the purpose of the request. In addition, unlike FERPA, HIPAA requires that the authorization identify the person authorized to disclose the information and an expiration date or event. In addition, it must state that the student has a right to revoke the authorization and how to do so, and it must include a statement that treatment will not be conditioned on execution of the authorization. Unlike FERPA consents for those enrolled in college, HIPAA authorizations for students who are minors will have to be signed by a parent or guardian.

Effect on athletic trainers

To better understand the extent to which HIPAA requirements apply to athletic trainers, representatives from the National Athletic Trainers' Association (NATA) met in December with officials charged with enforcing HIPAA regulations from the Office for Civil Rights. NATA members were encouraged by what they heard.

"In general, we came away from the meeting with good news," NATA governmental affairs representative Rich Rogers told the NATA News. "There are no blanket statements because it's going to depend on each specific situation as to whether an ATC (certified athletic trainer) is a covered entity subject to HIPAA regulations, but the HHS has strictly defined 'covered entity,' so it's easier to determine."

The HHS confirmed in the meeting that its definition of covered entity centered on whether a person uses electronic transmissions to transmit protected health information involving billing, reimbursement, benefits eligibility and plan-eligibility issues. HHS officials told the NATA representatives that the electronic transmissions in question involve billing, reimbursement, benefits eligibility and plan-eligibility issues.

Keith Webster, athletic trainer at the University of Kentucky and chair of NATA's governmental affairs committee, told the NATA News that "our fear was that (certified athletic trainers) would be included because we do use and receive protected health information (PHI). That's not the case. Even if we share (receive) the PHI that is protected under the privacy rule, that in itself doesn't make us a covered entity. The OCR allows health care providers to share PHI for treatment purposes."

Based on the HHS interpretation, The NATA News reported that PHI can be disclosed for treatment purposes without authorization and that the person receiving this information does not have to be a licensed health care provider.

NATA also reported that HHS officials noted the following regarding HIPAA authorization forms:

An authorization to release PHI for treatment purposes can be a prerequisite to a student-athlete's participation in the athletics program.

Authorization is not necessary on a per-injury basis; a blanket authorization at the beginning of the year will suffice for all injuries and treatments done during the course of participation for the year.

Authorizations must indicate clearly what information may be released, to whom and for what length of time.

More information about HIPAA in general can be obtained from the OCR's Web site at: www.hhs. gov/
ocr/hipaa.