HIPAA and the Y


As YMCAs begin to offer more non-traditional services like physical therapy, rehab classes, and weight-loss, tracking the collection of personal health information has become a necessity. Information may range from simple physical data (height and weight), to cholesterol levels and blood pressure readings, to full medical histories. This material may be kept by different classes or programs and often raises the question: Is the YMCA subject to HIPAA regulation? In most cases the answer is no.

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to protect the privacy and security of personal health data. There are two primary components of HIPAA: the Privacy Rule and the Security Rule. The former establishes a standard for protecting an individual’s health information from distribution, and the latter sets security standards for the electronic transmission of the information.

HIPAA regulations apply only to covered entities, which are defined as “health plans, health care clearinghouses, and…any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health & Human Services (HHS) has adopted standards under HIPAA.” A YMCA is not a health plan or health care clearinghouse, but in rare cases might be a health care provider.

By HIPAA definition a health care provider includes “all providers of services (e.g., institutional providers such as hospitals) and providers of medical or health services (e.g., non-institutional providers such as physicians, dentists, and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.” According to this definition, a YMCA that provides health, nutrition, or diet care, and is paid specifically for that care, could be considered a health care provider.

However, even if a YMCA is a health care provider, the rules only apply if they then transmit the information (or use a third party to transmit the information) “in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.”

These standard transactions are:

  • Claims or equivalent encounter information
  • Payment or remittance advice
  • Claim status inquiry and response
  • Eligibility inquiry and response
  • Referral certification and authorization inquiry and response
  • Enrollment and disenrollment in a health plan
  • Health plan premium payments
  • Coordination of benefits

If any of these transactions are being transmitted in electronic form by the health care provider, then the provider is a covered entity and is subject to HIPAA regulations. The use of e-mail not directly performing these transactions is not sufficient to trigger HIPAA.

In short, unless the YMCA is…

  • providing specific health care services
  • is paid for those services, and
  • is billing or doing business with health insurance or health plans in regard to those services …then its transactions are not subject to HIPAA regulations. However, any YMCA that is doing the above probably has accountability under HIPAA and should check with its local counsel to determine applicability and necessary action.

The popular Silver Sneakers program is generally not sufficient to make a Y subject to the statute. 45 CFR 160.103 requires both care and sale or dispensing of a drug, device, etc. for qualification. While the Y may meet the preventative care aspect, they do not meet the latter so they are not subject even though they transmit attendance numbers in order to receive payment.

For more information please see:

HIPAA Privacy summary Security final rule Covered entities Are you a covered entity?

Please call us at 800-463-8546 to discuss this or any other risk management safety tip, or visit our web site at www.redwoodsgroup.com to learn more about YMCA risk management issues.


Submit a comment