If you’re a youth recreation organization that collects more than just basic registration details — medical history, allergy information or dietary requirements, for example — maintaining privacy for the families you serve is of the utmost importance.
Health information is considered personally identifiable information, and its improper use or management can have negative consequences for the people it describes. To ensure that organizations do their part to protect this kind of information, legislation like the Health Insurance Portability and Accountability Act (HIPAA) sets out specific privacy and security requirements.
While youth recreation organizations, including park and recreation departments and YMCAs, aren’t covered under HIPAA, the legislation comes into effect as soon as health information is shared with anyone at a point of care, e.g., an on-site nurse or paramedic. So, it’s in your best interest to implement as many of HIPAA’s specific privacy and security measures as possible, so that you protect your organization against the risks and liabilities associated with collecting and managing health information for your participants. We’ve provided a summary of each section, with additional resources included at the end.
Administrative Safeguards
These are the measures that prevent an unauthorized person from accessing participant information. Looked at the other way, they are the ways you deliberately authorize someone to have access to your system.
- Ensure that only authorized individuals can access the information they need and have a way to quickly remove access once it’s no longer needed (either when a program has ended or a staff member moves on from your organization)
- Implement password protection on all devices (in and out of the office), ensure that only authorized staff know those passwords, and change them regularly
- Create processes for transferring, removing, disposing of, and reusing electronic media (smartphones, tablets, computers, etc.)
Physical Safeguards
These are the “physical measures, policies, and procedures to protect…electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
- Consider who has access to workstations or devices that connect to your systems, and ensure they’re in a back office or behind a door that requires a PIN or passkey to access; for offsite devices, make sure that staff don’t leave them unattended and always return them at the end of the day
- If you have staff that work remotely, set in place specific requirements for them to do so securely; e.g., they should be on a secure network and may only use hardware provided by your organization
- Implement data and system backups for emergencies like a fire or a natural disaster so that if physical hardware is destroyed, the data is not lost with it. It’s also important to have this in case of a system malfunction
- If you use CCTV, alarm systems, or security services, these provide an additional layer of physical security to amplify anything you already have in place
Technical Safeguards
These include “the technology, and the policy and procedures for its use that protect electronic health information and control access to it.” An organization must use security measures that allow it to protect end user data, which include:
- Using unique user identifiers to track user activity, providing a way to securely access information in an emergency, logging users off automatically after a period of inactivity, and encrypting data
- Ensuring controls are in place to review, monitor, and record all activity related to health information
- Ensuring that health information isn’t altered or destroyed improperly
- Being able to confirm that anyone in your organization who requests information about your participants can prove they are who they say they are; e.g., a program leader
- Using anti-virus software and firewalls to protect systems from software designed to exploit vulnerabilities in computers and other devices, as well as to prevent unauthorized users from accessing your system(s) in the first place
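The technical safeguards above (unique user identifiers, audit records of every access, automatic log-off, integrity checking and role-appropriate access) can be sketched in a few dozen lines. The following is an added example for illustration, not ePACT’s code; the participant record, role names, field names and 15-minute idle timeout are constructed assumptions.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field

# Constructed sample data, not a real participant.
PARTICIPANTS = {
    "P-1001": {"name": "Sample Participant", "allergies": ["peanuts"],
               "medical_notes": "carries inhaler"},
}
# Role-based field access (assumed roles): front-desk staff see registration
# details only; program leaders and the on-site nurse may also see health info.
ROLE_FIELDS = {
    "front_desk": {"name"},
    "program_leader": {"name", "allergies", "medical_notes"},
    "nurse": {"name", "allergies", "medical_notes"},
}
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before automatic log-off
AUDIT_LOG = []          # (user_id, participant_id, outcome) for every attempt

@dataclass
class Session:
    user_id: str  # unique per staff member; never a shared account
    role: str
    last_activity: float = field(default_factory=time.time)

    def active(self):
        return time.time() - self.last_activity < IDLE_TIMEOUT

def record_hash(record):
    # Canonical JSON so identical content always gives the same digest.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def read_health_record(session, participant_id, fields, expected_hash=None):
    """Role-filtered read that logs every attempt and enforces timeout/integrity."""
    if not session.active():
        AUDIT_LOG.append((session.user_id, participant_id, "denied:session_expired"))
        raise PermissionError("session expired; log in again")
    record = PARTICIPANTS[participant_id]
    if expected_hash is not None and record_hash(record) != expected_hash:
        AUDIT_LOG.append((session.user_id, participant_id, "denied:integrity"))
        raise ValueError("record has been altered")
    allowed = set(fields) & ROLE_FIELDS.get(session.role, set())
    denied = set(fields) - allowed
    AUDIT_LOG.append((session.user_id, participant_id,
                      f"read:{sorted(allowed)} denied:{sorted(denied)}"))
    session.last_activity = time.time()
    return {f: record[f] for f in allowed}
```

Because every attempt is written to the audit log under a unique user id, including denied ones, the record of who looked at a participant’s health information is available for the review and monitoring controls described above.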
To learn more about how to make your organization HIPAA compliant, download ePACT’s free eBook, Helping You Become HIPAA Compliant.
If you’d like to learn more about HIPAA legislation, here are some additional resources:
- Summary of the HIPAA Security Rule
- What is HIPAA Compliance?
- Difference between privacy and security of health information
- Keep Protected Health Information Secure
- Protecting Patient Health Information in Electronic Records
ePACT Network is an online emergency network used to store and exchange information and access web and mobile communication tools for use in a crisis.