Are You Compliant?
According to Larry Furia, the vice president of business development for Club Solutions that Work, LLC, the revenue that health care or insurance dollars bring in may surpass the fitness dollars gained from standard memberships.
There are a multitude of services that fitness centers can provide, which insurance companies will pay for. Things like physical therapy, chiropractic services and diagnostic lab testing bring dramatic increases to revenue.
“Two therapists and maybe one aide doing an aquatic program at a gym will generate about $100,000 a month in collections,” said Furia. “Their profit margin is about 30 percent, so that is better than most personal training programs in total for a given fitness center.”
The medical fitness space is a great way for a gym to maintain and retain profits, but there is also a downside. Dealing with private medical information requires clubs to become compliant with the Health Insurance Portability and Accountability Act (HIPAA).
“It is an excellent opportunity for gyms to be able to take advantage of some of the new regulations around wellness and to be able to bring these facilities on premises,” said Linda Howard, the founder and CEO of Alturnative and co-founder of CON4MX. “It is a great opportunity, but it is irresponsible to talk about this opportunity without helping gyms understand what they need to do in order to not violate any laws.”
So how can a club tell if it needs to be HIPAA compliant? Howard explained there are a number of ways a company can be subject to HIPAA regulations. One is if you are considered a covered entity, which includes traditional health care providers such as doctor’s offices and hospitals, but it also can include other persons or entities that provide “healthcare services,” such as a health educator, registered dietitian, nutrition professional and physical therapist.
The second category applies to business associates of those covered entities (in which case you are performing services with or on behalf of the covered entity and you have access to protected health information).
According to HIPAA, all information provided at a doctor’s office or hospital must be protected. If a gym is engaging in a relationship with a traditional provider and that provider is transmitting to or allows the gym access to protected health information, then the gym will fall into the category of being subject to HIPAA as a business associate.
“That covered entity is supposed to get you to sign what is called a business associate agreement where the club agrees to abide by HIPAA,” explained Howard. “I don’t know if a lot of clubs are necessarily reading those agreements in detail. One of the agreements I looked at was 64 pages. I am a lawyer, so I know how to get through that and go to what I need. However, most people don’t like reading 64 pages of contract.”
Even if you don’t receive medical information from these health care providers, you may still be subject to HIPAA regulations if you are receiving what is called Individually Identifiable Health Information or Personally Identifiable Information (PII). PII includes demographic information collected from an individual by a health care provider, health plan or employer that relates to the individual’s health or condition, the provision of health care or payment for health care, and that identifies the individual (or for which there is a reasonable basis to believe the information can be used to identify the individual).
For example, you may receive only the name of a patient and an ID number; this information is also protected if it came from a health care provider or health plan (an insurance company or an employer-based health plan). Most information that is transmitted between health clubs and insurance providers (e.g. Silver Sneakers) or physicians (e.g. physician referral programs) needs to be protected under HIPAA.
“The misconception is that since they don’t get any medical information they don’t have to protect it,” said Howard. “But that is a mistake because that individual gave that information for health care services, whether it is for insurance or to receive medical treatment. Once that information falls into the category of protected information you have to also protect that person’s identity, which means their name.”
Another little-known fact regarding HIPAA is the severity of the penalties that come with a violation. If fitness operators do not conduct proper legal reviews to fully understand what they are signing, they may be unaware of the rules they must follow. Many do not understand how heavy the penalties can be.
According to Howard, there are civil penalties and there are also criminal penalties. Civil penalties are calculated on a per-occurrence basis, ranging from $100 to $50,000 for each failure to comply. Each electronic record breached and each piece of paper improperly disposed of is considered a separate “failure to comply.” Criminal penalties can range anywhere from $50,000 to $250,000 in fines, and anywhere from one to 10 years of imprisonment, depending upon the type of breach that occurs. The fines are per occurrence; therefore, a breach involving 100 members could be a $25,000,000 fine.
Furia provided an example. A club emails a newsletter to its Silver Sneakers membership list because it is going to have a special program it wants to promote to seniors. By doing so, the club is using this information for profit, and that is one of the most serious offenses according to HIPAA. It is something that could very easily occur if fitness operators are not aware of the rules.
“That is a typical thing that fitness centers will do,” said Furia. “They want to take those member lists and use them to target a specific group. It is just normal marketing protocol, but that is the worst offense according to HIPAA.”
HIPAA rules and protocols can seem very dense and confusing. The good news is there are tools and people to help.
The HIPAA advisory committee, of which Howard and Furia are both members, works to help gyms prepare for these new opportunities to bring traditional medical services onto their premises and forge partnerships with traditional medical providers, while being HIPAA compliant.
Howard and her business partner have also developed a software application, CON4MX, that makes HIPAA compliance more palatable for gyms if they decide to go into the medical fitness space.
The software has all of the HIPAA protocols and required policy templates. It allows clubs to go through a checklist and see their readiness with regard to HIPAA compliance.
“What it does, basically, is give the clubs a package of templates of policies and procedures so that they utilize all of the policies and procedures,” explained Howard. “If they have to go through a government audit, they would be able to show they have these policies and procedures in place. It is a place for them to be able to log their compliance.”
The software does not only assist with HIPAA compliance. It also allows clubs to keep track of employee training, both for HIPAA compliance and for fitness certifications.
Education is key. Not only should facilities prepare themselves to make sure they are protecting information, they also have a responsibility to train their staff so they understand how to handle that information.
“You want to make sure that your employees are receiving annual training and that they are trained within a certain number of days after being hired,” said Howard. “You want to make sure that the training occurs and no one falls through the cracks.”
While the fine print may seem daunting, medical fitness provides a great opportunity for health clubs, as long as all bases are covered.
By Emily Harbourne