Operations
A PRIMER ON YOUR RESORT’S RESPONSIBILITIES UNDER HIPAA
BY KELSEY FISHER, DUANE MORRIS LLP
HIPAA, the acronym for the Health Insurance Portability and Accountability Act, is often regarded with dread by those in the healthcare industry given its strict, quite complicated requirements and potential for serious legal exposure and fines. The hype surrounding HIPAA has led many, including ski resort operators and patrollers, to erroneously assume that the reach of HIPAA is much broader than it is in actuality. This article is intended to clarify the responsibilities of ski resorts and patrollers, if any, under the federal law.

What is HIPAA?

HIPAA was enacted in 1996, though full compliance was not required until April 14, 2003. The purpose of HIPAA is to regulate how certain entities affiliated with the healthcare industry use, disclose, and protect personal health information. Under the statute, protected health information is that which is created or received by a “covered entity” (defined below) that relates to the physical or mental health of an individual, the provision of healthcare to an individual, or payment for healthcare provided to an individual that could identify that person or his or her medical information. HIPAA acts in concert with existing state laws to standardize the protection of patient privacy and ensure a certain minimum level of protection nationwide.

Does HIPAA apply to my resort or patrol?

For the ski industry’s purposes, a resort or patrol need only comply with HIPAA if it is considered to be a healthcare provider, which is a “covered entity” under the law. Although it seems counterintuitive, just because your patrol provides medical care, that does not mean it is automatically a healthcare provider as that term is defined under the HIPAA regulations. Previously, the belief in the ski industry was that as long as a ski patrol or resort did not charge for medical services, it was not a healthcare provider subject to HIPAA. However, this interpretation is equal parts too narrow and too broad. In actuality, even if a resort or patrol does not charge for patrol or medical services, it may still be considered a healthcare provider subject to HIPAA.

Essentially there are two steps in the process of determining whether your resort is considered to be a healthcare provider and thus required to comply with HIPAA.

First, whether your patrol or resort is a healthcare provider depends on how you transmit patient information. The key inquiry is whether your resort engages in the electronic communication of personal, patient information. Even if a resort or patrol does charge for medical services, it may not be considered a “covered entity” under HIPAA, if the charges are processed via cash or credit directly from the patient, without any electronic billing. The same is true if referrals or requests for authorization are communicated by telephone verbally, rather than electronically, from your patrol or resort clinic to an outside provider. Telephone calls are not “electronic transactions” for purposes of HIPAA compliance. Put simply, if you do not transmit patient information electronically, HIPAA compliance is not required.

Second, you should look at the purpose of your resort or patrol’s transmission of any patient information. HIPAA compliance is only required if the patient information is being transmitted for the following purposes: (1) to
10 | NSAA JOURNAL | SPRING 2017