When it comes to personal information, especially health data, maintaining privacy for the families you serve is of the utmost importance. As a youth recreation organization, you may only collect basic details like contact information and dates of birth, but you might also collect additional details like medical history, so that you can support your participants or players in a crisis.
Health information is personal information, and among the most sensitive kinds: it identifies a specific individual and can cause real harm if it is used or managed improperly. Being aware of the guidelines that the Health Insurance Portability and Accountability Act (HIPAA) sets out helps your organization give privacy and security the attention they need so that data is always protected.
The Difference Between Privacy & Security
Whether you collect information through your recreation, member, or information management system, or through a system like ePACT, it’s important to ensure your organization is doing its part to protect data, and the privacy of the families you serve, while preventing the misuse of that data. Data privacy and security are often treated as synonyms, whether the subject is personal information, email accounts, online banking, or social media. While the two go hand-in-hand, it’s helpful to know the difference between data privacy and security:
- Security: the practices, processes and controls that keep data from being accessed, used, altered or destroyed by unauthorized individuals or parties.
- Privacy: the appropriate use of data. It includes deciding who is authorized to access information, and under what conditions that information may be accessed, used and/or disclosed to a third party.
Basic Rules of Privacy
With more information being stored and transmitted using online or computer systems, specific legislation outlines common guidelines to ensure organizations are doing their part to protect data, and to mitigate misuse of that information. As you collect health information, keep these basic rules of data protection in mind so that you can make sure your organization does its part to protect the privacy of your members.
- State the purpose for the information you collect from families, so that they have peace of mind that their data isn’t going to be misused, and so that staff have guidelines to help them understand how to use information appropriately.
- Make sure participant information is up-to-date and accurate and take reasonable steps to update information as soon as it changes
- Make it easy for participants to review their records and the information within them – using an online system can make this much easier, but even if you use paper, share your process with families so they know how to access their records when they need to
- Don’t share information collected with other organizations or third-parties without getting consent from families, even if it’s an organization closely connected with yours. Always take steps to get that consent either up front or as needed.
- Delete or destroy information when it’s no longer needed for the stated purpose
- Don’t send data to locations where you can’t guarantee the same levels of security, whether it’s participant or staff information.
- Don’t collect overly sensitive data, like religion, sexual orientation, or personal beliefs, unless it’s vital for a program or activity.
How to Protect Health Information in Your Organization
Youth recreation organizations, including YMCAs, Parks & Recreation Departments, sports associations, and even schools, are generally not HIPAA covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically), nor their business associates. HIPAA does govern that same information as soon as it is shared with a health care provider at a point of care, and the families you serve expect the same standard of protection from you. So, it’s in your best interest to implement as many of its specific privacy and security measures as possible, so that you can protect your organization against the risks and liabilities associated with collecting and managing health information.
Administrative Safeguards
These are the administrative actions, policies and procedures that govern how your organization chooses, puts in place and maintains its security measures, and how staff are authorized, trained and held accountable for handling participant information. In practice that means deciding who is allowed to do what, writing it down, and enforcing it.
- Ensure there is only authorized access to information, grant each staff member only the access their role needs, and be able to quickly remove access once it’s no longer needed (for example, when a coach or volunteer leaves)
- Implement password protection on all the devices and accounts you use (in and out of the office), ensure that only authorized staff know those passwords, change them whenever someone who knew them leaves or a compromise is suspected, and turn on multi-factor authentication wherever the system offers it
- Create written processes for transferring, removing, disposing of, and reusing electronic media (smartphones, tablets, computers etc.), and train staff on them
Physical Safeguards
The HIPAA Security Rule defines these as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
- Consider who has access to workstations or devices that connect to your systems, and ensure that they are in a back office or behind a door that requires a PIN or key card to access; for offsite devices, make sure that staff don’t leave them unattended and always return them at the end of the day
- If you have staff that work remotely, whether permanently or on occasion, set specific requirements for them to do so securely. For example, they should be on a trusted network and may be required to use only hardware provided by your organization
- Implement data and system backups for emergencies like a fire or a natural disaster, so that if physical hardware is destroyed the data is not lost with it. Backups also matter in the case of a system malfunction, and a backup is only useful if you have tested that it can actually be restored
- If you use CCTV, alarm systems, or security services, these provide an additional layer of physical security to amplify anything you already have in place
Technical Safeguards
According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” An organization must use any security measures that allow it to reasonably and appropriately implement the necessary standards for protecting end user data, which include:
- Ensuring your organization has complete control over who has access to what information – this includes the use of unique user identifiers to identify and track user activity, a procedure for securely accessing information in an emergency, automatic log-off of idle sessions, and data encryption
- Ensuring your organization has controls in place to review, monitor and record all activity related to health information, including denied attempts, not just successful ones
- Ensuring that health information isn’t altered or destroyed improperly, and that you can detect it if it is
- Being able to confirm that anyone who requests participant information, for example a program leader, has proven they are who they say they are before it is released
- Using anti-virus software and firewalls, and keeping systems patched, to protect against software designed to exploit vulnerabilities in computers and other devices, and to prevent unauthorized users from accessing your system(s) in the first place
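The technical safeguards above are easier to reason about when you see them together in one place. As an added example (not code from the original post, from ePACT, or from HHS), the following Python sketches a small, stdlib-only participant record store with unique user identifiers on every action, role-based access to individual fields, an audit log of allowed and denied requests, automatic logoff of idle sessions, and an HMAC integrity tag that detects a record altered outside the store. The role names, field names, idle timeout, user IDs and the sample participant record are all constructed assumptions. Encryption of the stored data is deliberately left to a vetted library such as the `cryptography` package and is not shown.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Fields each role may read. Constructed sample policy (an assumption, not from
# the page): only staff who respond to a crisis see medical details.
ROLE_PERMISSIONS = {
    "admin": {"contact", "dob", "medical"},
    "program_leader": {"contact", "medical"},
    "volunteer": {"contact"},
}
SESSION_TIMEOUT_SECONDS = 15 * 60   # automatic logoff after this much idle time (assumed)


@dataclass
class Session:
    user_id: str        # unique user identifier, written to every audit entry
    role: str
    last_activity: float


class HealthRecordStore:
    def __init__(self, integrity_key: bytes, clock=time.time):
        self._key = integrity_key   # HMAC key; in production it lives in a KMS
        self._clock = clock         # injectable so tests can advance time
        self._records = {}          # participant_id -> (record dict, tag)
        self._sessions = {}         # token -> Session
        self.audit_log = []         # every access attempt, allowed or denied

    def _tag(self, record: dict) -> str:
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()

    def login(self, user_id: str, role: str) -> str:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, role, self._clock())
        return token

    def revoke_user(self, user_id: str) -> int:
        # Drop every session of a user (e.g. a departing coach); returns the count.
        stale = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def _session(self, token: str) -> Session:
        s = self._sessions.get(token)
        if s is None:
            raise PermissionError("no such session")
        now = self._clock()
        if now - s.last_activity > SESSION_TIMEOUT_SECONDS:
            del self._sessions[token]           # automatic logoff
            raise PermissionError("session expired")
        s.last_activity = now
        return s

    def _audit(self, s: Session, participant_id: str, field: str, outcome: str):
        self.audit_log.append({"ts": self._clock(), "user_id": s.user_id, "role": s.role,
                               "participant": participant_id, "field": field, "outcome": outcome})

    def store(self, token: str, participant_id: str, record: dict) -> None:
        s = self._session(token)
        if s.role != "admin":
            raise PermissionError("only admins may write records")
        self._records[participant_id] = (dict(record), self._tag(record))
        self._audit(s, participant_id, "*", "write")

    def read(self, token: str, participant_id: str, field: str):
        s = self._session(token)
        if field not in ROLE_PERMISSIONS[s.role]:
            self._audit(s, participant_id, field, "denied")
            raise PermissionError(f"{s.role} may not read {field}")
        record, tag = self._records[participant_id]
        if not hmac.compare_digest(tag, self._tag(record)):
            self._audit(s, participant_id, field, "integrity-failure")
            raise RuntimeError("record was altered outside the store")
        self._audit(s, participant_id, field, "read")
        return record[field]


def demo() -> dict:
    store = HealthRecordStore(integrity_key=secrets.token_bytes(32))
    admin = store.login("u-001", "admin")
    store.store(admin, "p-42", {"contact": "555-0100", "dob": "2012-03-04",
                                "medical": "peanut allergy; EpiPen in bag"})  # constructed
    leader = store.login("u-017", "program_leader")
    volunteer = store.login("u-099", "volunteer")
    out = {"leader_medical": store.read(leader, "p-42", "medical")}
    try:
        store.read(volunteer, "p-42", "medical")
        out["volunteer_medical_denied"] = False
    except PermissionError:
        out["volunteer_medical_denied"] = True
    out["revoked_sessions"] = store.revoke_user("u-017")
    out["outcomes"] = [e["outcome"] for e in store.audit_log]
    return out
```

Running `demo()` gives the program leader the medical field, refuses it to the volunteer, revokes the leader’s session in one call, and leaves an audit trail of `write`, `read`, `denied`. The HMAC tag is recomputed on every read, so a record changed by anything other than `store()` raises and is logged as `integrity-failure`, and the injectable clock is what lets the idle logoff be exercised without waiting fifteen minutes.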
If you’d like to learn more about HIPAA, here are some additional resources:
- What is HIPAA Compliance? [Online Tech]
- Difference between privacy and security of health information [University of Miami]
- Summary of the HIPAA Security Rule [Department of Health & Human Services]
- Keep Protected Health Information Secure [Security Intelligence]
- Protecting Patient Health Information in Electronic Records [CMPA]
- Information Privacy Law [Wikipedia]
- HIPAA Certification: What it is and why you need it [Indigo Medical Training]
- HIPAA Compliance Checklist [Comparitech]