HIPAA and Pro Sports: Let’s Get the Record Straight

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure#HCdeJure

The spotlight continues to shine brightly on HIPAA, especially as an excuse, when it comes to professional athletes responding to questions around COVID vaccine status. The most recent string of erroneous responses started strongly over the summer when NFL training camps kicked into gear. As players returned and the league indicated its intentions for health safety, questions were often posed to players to find where they all stood. Before diving into a bit from my perspective, I encourage readers to check out a similar article by Charles Curtis on ForTheWin with USA Today where I was able to provide some perspective.

As players fielded the questions, some answered, but others deflected. Deflections tried to rely on HIPAA, but that reliance was misplaced.

NFL players were only the start of the widespread HIPAA excuse though. Media days in the NBA have brought similarly misplaced statements by players. The first was Kyle Kuzma saying that HIPAA was why he would not answer a question on his vaccination status. While a tweet from Kuzma is no longer available, there is no shortage of coverage and the resulting pushback on social media. The pushback provides a bit of a silver lining because it suggests that an awareness of how HIPAA actually works is growing.

Kuzma is not the only recent example though. Dwight Howard also jumped into the HIPAA fray. Howard cited HIPAA as to why he would not discuss his opinions about the vaccine at all.

As the tweet summarizing the interaction with Howard demonstrates, a reporter immediately called Howard out on the inaccurate representation of what HIPAA does.

How Can HIPAA Be Cited?

When it comes to questions from reporters or others to athletes about the athlete’s own health status, there really is not any good time to refer to HIPAA. Going back to a quick recap of HIPAA, the law and implementing regulations are focused on the activities and actions of certain healthcare entities. Specifically, covered entities (health plans, healthcare providers, and healthcare clearinghouses) and business associates (entities or individuals providing services to covered entities). HIPAA does not talk about or cover an individual talking about their own health information or lives.

Why doesn’t HIPAA cover questions or requests to an individual about their own health information? From one perspective there is no need to address that situation by law because an individual can choose to respond or not. Personal freedom controls there. Another potentially more legally nuanced answer is that the government probably cannot (and really should not) legislate or personal decisions of how to handle information under the individual’s own control. Considering that perspective from a different direction, individuals control their own privacy and deciding whether or not to disclose information relates to that personal control over privacy, which is generally recognized in law. Since a personal privacy right is usually already covered, there is no need to have HIPAA go in that direction.

If individuals should not lean on HIPAA to avoid answering a question, who can? In the professional sports context (and likely many others), the answer is quite limited. As already noted, HIPAA applies to a relatively narrow scope of potential parties, so the most obvious people who could be asked to answer a question and should not are clinicians. If an athlete sees a doctor for an issue, then the doctor cannot answer questions absent consent from the athlete. However, the restriction does not apply to the athlete’s team. That is why the team will often discuss an athlete’s injury status or at least is not prevented from doing so if it has the information.

How Can We Do Better?

As always, doing better with correctly citing HIPAA starts with actually knowing what HIPAA is and what it does. New guidance from the Office for Civil Rights addressing vaccine questions in the workplace is a good place to start. The guidance in the form of questions and answers covers a lot of common scenarios and gets to the bottom line very quickly that vaccine status questions are very often outside the scope of HIPAA.

The need for good and accurate information both in the COVID-19 context and more cannot be better stated than as said by new OCR Director Lisa Pino:

[OCR is] issuing this guidance (the workplace guidance) to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19.

If we can all understand when HIPAA applies, then we should all be able to stop using it as a crutch for not answering a question. If an individual does not want to answer, then that should be the statement. Namely, “I don’t want to answer that question” or a similar statement. Hiding behind a law that does not apply only spreads an incorrect interpretation and increasingly subjects to the individual to online correction.

This article was originally published on The Pulse blog and is republished here with permission.