The wellness industry in the United States continues to grow, with consumers flocking to massage locations, spas, and fitness facilities across the nation. Health and wellness is a growing market for franchises, and while many of these businesses may not offer services that one would consider healthcare, all attract customers seeking to address specific health needs and concerns. So how do the Health Insurance Portability and Accountability Act (HIPAA) and the applicable state laws designed to protect health information apply to these franchises?
The HIPAA Privacy Rule
HIPAA gives healthcare consumers the legal right to know the privacy policies of their healthcare providers. It also entitles them to know their privacy rights under the law, especially about their personal health information (PHI).
HIPAA requires health insurance companies, other health plans, and care providers to distribute notices to consumers about their privacy policies and practices. PHI consists of nearly everything an insurer or service provider knows about a patient, including financial as well as medical information, the normal basic intake information, and related notes.
The purpose of the Privacy Rule is to limit the release of patient medical information without proper authorization.
For example: as a routine part of processing claims for disability benefits, the Social Security Administration makes many requests to doctors, clinics, hospitals and other providers for patient medical records. After HIPAA passed, the SSA had to revise its standard authorization form to comply with the new law.
The Privacy Rule applies to what the law terms “covered entities.” As a general rule they are:
- Healthcare services providers
- Entities that process data about healthcare
- Health insurance companies and others such as Health Maintenance Organizations (HMO) and employer plans
In general, HIPAA defines healthcare traditionally, applying it to:
- Medical Laboratories
Therefore, as a general rule, HIPAA does not apply to gyms, health clubs, wellness centers, weight-loss clinics or spas.
However, that’s only a general rule. Reality is more complicated.
Some businesses contain covered divisions, which makes them hybrid entities. For example: a supermarket has a pharmacy. The pharmacy is a covered entity and, therefore, must comply with HIPAA. However, HIPAA does not apply to information about what kinds of food the shopper buys at the regular supermarket checkout.
If a gym contracts with a sports medicine doctor to offer services to injured members, the government might consider it a hybrid entity like the supermarket with a pharmacy. That also goes for a weight-loss center with a doctor prescribing medication or a spa with a physical therapist or nurse on staff.
According to Lannan Legal PLLC, a firm practicing in the hospitality industry, a spa or club that offers healthcare services is a covered entity. When such a business asks customers to complete questionnaires about their past and current medical conditions, including a standard Physical Activity Readiness Questionnaire (PAR-Q), the answers may become PHI covered by HIPAA.
The HHS [U.S. Department of Health and Human Services] regulations implementing HIPAA apply only to “Covered Entities,” which are defined to include “health care providers.” Depending on the services it provides, a spa or health club may or may not be a “health care provider.”
Every state has its own laws governing the privacy of medical and healthcare information. Therefore, every business and franchise in the wellness space needs to understand the state laws governing it. These could be stricter or broader than the federal HIPAA law. Many states have laws against the unauthorized release of confidential information by a business regardless of whether it is a HIPAA “covered entity” or not.
For example: a client hires a personal trainer. He tells the trainer about the lingering effects of an automobile accident he was in several years ago, so the trainer recommends exercises intended to help the client compensate for those effects, even though what the trainer provides is neither post-surgical care nor rehabilitation. A professional personal trainer must keep such information confidential.
The National Law Review found that the definition for what makes up a health and fitness facility varies by state and warns that, “…the failure to understand which statutes apply to your business could result in fines and other penalties down the road.”
A key aspect of maintaining privacy is the electronic transmission and storage of information. Every business needs to use modern database protection to safeguard all of its customer information, even if that is just a name, an address and the product purchased. Every business dealing with health and wellness issues must secure all of its data, even data that seems unimportant. If someone buys St. John’s Wort at a vitamin shop, this might suggest they suffer from symptoms of depression, a detail that should remain private to the consumer.
HIPAA’s Security Provision requires covered entities to have:
- Security policies and procedures
- Safeguards for physical space and equipment
- Technical security safeguards
- Security services
Use Technology to Protect Everybody Concerned
Every business that transmits or stores personal information, especially any data related to a person’s health, can protect itself by maintaining the physical and technological security of its computer systems. It must use current database security and cloud integrity practices to protect itself against data breaches. By protecting the PHI of their customers and clients, these businesses also protect themselves from government action.