Type to search

Helping Recreation Organizations Become HIPAA Compliant


When it comes to personal data, maintaining privacy for families is of the utmost importance. Over the last decade, protecting data has shifted from a thing you “should do” to a legal necessity. It’s now become a legislative or industry licensing requirement to implement specific data protection standards.

As a youth recreation organization, you may only collect basic details, like contact information and dates of birth. You might also collect health history, medical conditions or allergies so you can support participants or players in a crisis. Any information  collected that could be used to identify an individual or used for malicious intent must be protected with specific practices.

Health data is highly sensitive personal information, and awareness of the Health Information Portability & Accountability Act (HIPAA) requirements can ensure your organization and the data you collect are always protected.

Administrative Safeguards

  • Ensure only select staff members are authorized to access information and given access to the data they need to view. For example, if they’re responsible for 25 children in a program, they should only have access to those individuals’ data.
  • Protect workstations or devices by ensuring only authorized individuals have access, and establish security processes for staff working remotely (don’t use unsecured wireless networks and provide work-use-only devices).
  • Create processes to securely transfer devices or electronic files when a staff member leaves or you hire new team members.
  • Implement data and system backups for emergencies, like fires or natural disasters, so information doesn’t get destroyed or lost.

Technical Safeguards

  • Use anti-virus software and firewalls to protect systems from software designed to exploit vulnerabilities or hack systems.
  • Ensure there are unique logins and passwords for each staff member. Encourage staff to change passwords regularly throughout the year to help prevent hacking — this is important.
  • For all devices, have an automatic sleep mode, turning off access and requiring passwords to unlock.
  • Implement unique user identifiers, provide ways to securely access information in an emergency, automatically log users off systems and encrypt data.
  • Implement controls to review and record all staff and user activity, so you can monitor and audit access.
  • If a staff member leaves your organization, you should be able to disable access for that individual, and prevent them from viewing or transferring any information or files.

Although recreation organizations like YMCAs and parks and recreation departments aren’t HIPAA-related, it does come into effect as soon as health data is shared at a point of care, such as a paramedic, doctor or ER staff. It’s in your best interest to implement HIPAA’s measures, and protect against risks associated with collecting and managing health data.


Michelle Kasmierski is the senior marketing manager at ePACT Network. Connect with her on ePACT’s social media networks (@ePACTNetwork) or visit epactnetwork.com.


Leave a Comment

Your email address will not be published. Required fields are marked *