HIPAA: Health Insurance Portability and Accountability Act of 1996

"A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being"

HIPAA applies to an organization if it is considered to be a “Covered Entity” (a health care provider, a health plan or a health care clearinghouse that, in its normal activities, creates, maintains or transmits personal health information (PHI) and has a direct relationship with the patient) or a “Business Associate” (an organization that contracts with a Covered Entity to transact, store or transmit PHI on its behalf).

Does the HIPAA Privacy Rule apply to an elementary or secondary school?

"Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule."

"Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category."

We use the most advanced technology services through Amazon called Amazon Web Services (AWS). Amazon states, "Amazon Web Services (AWS) means you have a partner in security who has a vested interest in keeping your environment safe. Cloud adoption and operation on AWS enables you to protect your data, meet compliance requirements, and cost-effectively and securely scale up or down."

AWS has provided guidance on HIPAA. TeamSafe™ Sports has carefully followed this guidance in order to align with HIPAA compliance requirements. The Department of Health and Human Services (HHS) is the federal body that determines compliance. HHS does not endorse or recognize the "certifications" offered by private vendors; it requires that security requirements and standards be met and checked regularly.

Our application communicates only with the parents of the athletes and the youth sports organizations in which they play. Our application does not transmit any of the user's personally identifiable health data entered into the app to any covered entities or any third parties. This is the test used to determine whether HIPAA compliance is required.

Security: We follow AWS data protection guidelines to ensure the confidentiality, security and integrity of all data entered into our application.

Permissions: Who has access to data, and to which data specifically? Parents have viewable and editable access to their own child's data only. Coaches have viewable and editable access to their own personal information. Coaches have viewable access to the athletes on their team (roster). Coaches do NOT have editable access to any athlete information entered by the parent. Administrators have viewable access to all the athletes in their organization. Administrators provide final clearance (return to play) for injuries. Otherwise, administrators do not have editable access to any athlete's information.
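As an added illustration (not TeamSafe Sports' own code), here is a default-deny authorization check in Python that encodes the parent, coach and administrator access model described above. The type names, fields, sample users and the rule that any user may view and edit their own profile are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: str
    role: str                          # "parent", "coach" or "admin"
    org: str
    teams: frozenset = frozenset()     # team ids a coach is assigned to (roster)

@dataclass(frozen=True)
class Athlete:
    athlete_id: str
    org: str
    team: str
    parent_id: str                     # the parent who entered this athlete's data

VIEW, EDIT, CLEAR_RTP = "view", "edit", "clear_return_to_play"

def is_allowed(user: User, action: str, athlete: Optional[Athlete] = None) -> bool:
    """True only if an explicit rule grants the action; anything else is denied."""
    # athlete=None means the user's own profile; every role may view/edit it (assumption).
    if athlete is None:
        return action in (VIEW, EDIT)
    if user.role == "parent":
        # Parents see and edit only their own child's record and never clear injuries.
        return athlete.parent_id == user.user_id and action in (VIEW, EDIT)
    if user.role == "coach":
        # Coaches get read-only access to athletes on their own roster.
        return athlete.org == user.org and athlete.team in user.teams and action == VIEW
    if user.role == "admin":
        # Administrators see every athlete in their organization and give the final
        # return-to-play clearance, but cannot edit parent-entered athlete data.
        return athlete.org == user.org and action in (VIEW, CLEAR_RTP)
    return False  # unknown role: default deny

# Constructed sample data (hypothetical ids, not real accounts)
PARENT = User("p1", "parent", "org1")
COACH = User("c1", "coach", "org1", frozenset({"u12"}))
ADMIN = User("a1", "admin", "org1")
KID = Athlete("k1", "org1", "u12", "p1")        # PARENT's child, on COACH's roster
OTHER_KID = Athlete("k2", "org1", "u14", "p2")  # different parent, different team

if __name__ == "__main__":
    for who, act, target in [(PARENT, EDIT, KID), (COACH, EDIT, KID), (ADMIN, CLEAR_RTP, KID)]:
        print(who.role, act, target.athlete_id, "->", is_allowed(who, act, target))
```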

Transparency: We have a clear and well-defined Privacy Policy.

Choice: We collect the minimum data necessary to keep the athletes safe.

Education: We maintain a baseline level of knowledge of data privacy and security requirements and best practices through annual employee training.

Third Parties: We do not provide third parties with students’ personal data for advertising, marketing, or other purposes unrelated to the functioning of the product in the manner for which it is being used by the organization.