HIPAA & MASSAGE LAWS
In April 2003, the US Department of Health and Human Services issued regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which may affect some ISPA members. Essentially, HIPAA's sweeping health information privacy rules are designed to ensure the protection and security of medical records and other personal health information and to protect an individual's right to privacy in matters involving their health care. Where an individual's health information is to be used or disclosed for specific purposes other than for treatment, payment or health care operations, a written authorization is required.
The HIPAA rules apply to all "Covered Entities," defined as health plans, health care clearinghouses and health care providers that transmit any health information in electronic form in connection with a list of specified transactions. ISPA members are not health plans or health clearinghouses. Importantly, however, they may be considered health care providers.
Because of the diversity of services provided by ISPA members, HIPAA's federal privacy requirements may not apply to every ISPA member. If your company does not furnish, bill or receive payment for health care in the normal course of business, then the HIPAA requirement does not affect you. For ease of determining whether your company should comply, follow the HIPAA Decision Tree below.
Finally, if you or your company are not a covered health care provider under the federal HIPAA requirements, please also be sure to check your state privacy laws and regulations to review what is required. It is also wise for your company to develop a statement of privacy or confidentiality in any event, irrespective of whether HIPAA affects its operations.
More information
HIPAA Memorandum (PDF) - explains, in general terms, key points regarding the application of HIPAA to ISPA members.



