Does HIPAA Apply to Health Clubs?
Businesses constantly seek new opportunities; health clubs are no exception. They are expanding into wellness and healthcare by providing:
- Membership benefits to insurers and managed care organizations (MCO) members.
- Health risk assessments and other wellness services billed to insurers, MCOs and Medicare.
- Physical therapy.
These arrangements place clubs squarely within the definition of HIPAA Covered Entities (CEs) or Business Associates (BAs), which means they must comply with HIPAA.
Some of these clubs, nevertheless, are slow to accept they are subject to HIPAA. Others mistakenly believe they are HIPAA compliant because they obtained copies of policies and have a “secure” server. They get a reality check during pre-contract or annual HIPAA audits or assessments by insurers. These audits frequently request things clubs are unprepared to provide, such as:
- Adopted and implemented HIPAA policies addressing specific requirements.
- Business continuity and disaster recovery plans.
- Documentation of ongoing data security and privacy — i.e. Protected Health Information (PHI) data flow mapping, risk assessments and security gap matrix.
- Evidence that employees received HIPAA and security awareness training upon hiring and annually thereafter.
Well-publicized breaches followed by “example making fines” have also caught the attention of club operators, causing them to recognize their protocols are insufficient and to worry about the cost of compliance and non-compliance.
Companies with a low risk tolerance should spend enough on compliance to significantly minimize risks. Those with a higher tolerance for risk may choose to spend less. Regardless of risk tolerance, if a club is subject to HIPAA, not having a HIPAA compliance program is irresponsible and an unwise business decision. It puts reputation, revenue and customers’ information at risk.
Assessing risk necessitates determining the likelihood of a breach or occurrence of a failed audit, and the potential impact if it does — i.e., fines, loss of business or harm to reputation. Understanding possible impact requires knowing the cost of noncompliance, which varies based on the level of negligence.
Penalties for violations resulting from “willful neglect” could be as high as $50,000 per incident, multiplied by the number of customers impacted. Penalties when “reasonable diligence” is exercised could be calculated as low as $100 per violation.
Estimating the cost of a HIPAA program involves calculating expenses such as professionals to prepare training, readiness assessments, implementation plans, agreements, policies, forms, documentation, disaster recovery plans and network vulnerability scans. Recurring expenses include employees to handle privacy and security, a shredding company, disaster recovery services, off-site storage for backup media, and printing and mailing of notices of practices.
Capital expenses could include computer privacy screens; information system and network upgrades for audit trails and flags, intrusion-detection systems, virtual private networks, encryption software, and enhanced authentication methods; and physical security upgrades such as electronic “door locks,” surveillance equipment, shredders, backup generators, and secure fax machines or fax servers.
Although sharpening the pencil to reduce cost is sometimes necessary, compliance is not the place to be frugal. Those venturing into healthcare should budget for compliance. This will help them avoid unpredictable fines, business loss and reputational damage.