
seek or remit payment, (2) to obtain or transmit claim or encounter information, (3) to determine eligibility, coverage, or benefits under an insurance plan, or (4) for referrals or authorizations.

Notably, merely because a ski area is an employer and it transmits employee personal medical information electronically for workers’ compensation claims does not itself subject the ski area to HIPAA obligations or consequences. Sending patient information contained in incident reports to your general liability insurance carrier also falls outside the purview of HIPAA because the purpose of the transmission is not in any way related to the treatment of the individual patient or payment for that treatment. Likewise, charging a ski area guest or patient for something like an ACE bandage also may not trigger HIPAA—unless you’re electronically billing an insurance company for those charges. This is similarly true for accepting donations from a gracious guest or patient; donations are typically not considered “compensation” that would by itself trigger HIPAA.

If you are uncertain whether HIPAA applies to your on-site clinic or patrol, the Center for Medicare Services provides helpful tools on its website to aid in determining your status as a healthcare provider “covered entity” (https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf).

That said, there still may be a benefit to complying with HIPAA voluntarily, notwithstanding any obligations under the statute. “In a skier-skier collision, for example, when a guest or their outside counsel is asking for documentation about the incident, being able to state your ski area has protocols that protect personally-identifiable or HIPAA-sensitive information is valuable from both an operational and personal relations perspective,” noted Jimmy Lawrence, a former senior loss control director with the Willis MountainGuard insurance program as well as a former ski patrol director and risk manager from Heavenly Mountain Resort. “Even if a resort is not formally covered by HIPAA, it’s still a great practice to comply. In this day and age, we all understand about the need to protect sensitive medical information, and it’s in the best interest of both the guest and the resort.”

If my patrol uses incident tracking and patrol management software, is that subject to HIPAA?

There has been a dramatic growth in the past five years or so of ski areas embracing software and cloud storage systems that offer incident tracking, patrol management services, and electronic record keeping, often using cloud-based platforms for management and storage of data. While these programs may greatly streamline and simplify the management and analysis of incident data, they do pose a risk of potential breach that may have implications under HIPAA.

Whether HIPAA applies to the information stored using cloud-based software programs depends upon both whether the patrol is a healthcare provider and whether the information tracked by the software it uses includes protected health information (and it typically does). If the patrol is not considered to be a healthcare provider as it is defined under HIPAA, then maintenance of incident information in a software program would not by itself trigger compliance obligations under HIPAA. That being said, even if HIPAA does not apply to your patrol, the general public does have an expectation of privacy and confidentiality with regard to its health information, and it is advisable to vet the security certifications of any software used by your patrol to track incident information that may be used to identify individuals who have received care.

For ski areas looking to embrace electronic incident data collection, cloud storage, and its related software—and to be sure, this is a big trend in the ski area operations right now—the HIPAA implications of such software are a major concern for ski area management considering going fully electronic. These programs dramatically increase resort efficiency and improve overall analysis of incidents, but at the same time, they create the potential for a breach of personally identifiable information, including medical history and prescription drug use, which may be protected under HIPAA.






                                                                                              SPRING 2017  |  NSAA JOURNAL  |  11