As YMCAs begin to offer more non-traditional services like physical therapy, rehab classes, and weight loss, tracking the collection of personal health information has become a necessity. Information may range from simple physical data (height and weight), to cholesterol levels and blood pressure readings, to full medical histories. This material may be kept by different classes or programs and often raises the question: Is the YMCA subject to HIPAA regulation? In most cases the answer is no.
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to protect the privacy and security of personal health data. There are two primary components of HIPAA: the Privacy Rule and the Security Rule. The former establishes a standard for protecting an individual’s health information from distribution, and the latter sets security standards for the electronic transmission of the information.
HIPAA regulations apply only to covered entities, which are defined as “health plans, health care clearinghouses, and…any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health & Human Services (HHS) has adopted standards under HIPAA.” A YMCA is not a health plan or health care clearinghouse, but in rare cases might be a health care provider.
By HIPAA's definition, a health care provider includes “all providers of services (e.g., institutional providers such as hospitals) and providers of medical or health services (e.g., non-institutional providers such as physicians, dentists, and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.” Under this definition, a YMCA that provides health, nutrition, or diet care, and is paid specifically for that care, could be considered a health care provider.
However, even if a YMCA is a health care provider, the rules apply only if it then transmits the information (or uses a third party to transmit the information) “in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.”
If any of these transactions are being transmitted in electronic form by the health care provider, then the provider is a covered entity and is subject to HIPAA regulations. The use of e-mail not directly performing these transactions is not sufficient to trigger HIPAA.
The popular Silver Sneakers program is generally not sufficient to make a Y subject to the statute. 45 CFR 160.103 requires both the provision of care and the sale or dispensing of a drug, device, etc. for qualification. While the Y may meet the preventive care aspect, it does not meet the latter, so it is not subject to the statute even though it transmits attendance numbers in order to receive payment.
Please call us at 800-463-8546 to discuss this or any other risk management safety tip, or visit our web site at www.redwoodsgroup.com to learn more about YMCA risk management issues.