Dennis Dodd of CBS Sports is reporting that federal privacy laws may have been violated in the NCAA’s investigation of Connecticut for violations in its recruiting of Nate Miles:
By discussing Nate Miles’ foot surgery and payment details, officials at the Tampa Bay Bone and Joint Center violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) according to the attorneys. The NCAA deemed that Miles’ foot surgery in 2008 was an extra benefit paid for by Josh Nochimson, a former UConn student manager and booster who ultimately became an agent. In its public infractions report dated February 2011, the NCAA infractions committee referred to contact being made with “the doctor who performed the procedure on [Miles].”
The article goes on to discuss the NCAA’s potential liability under the Health Insurance Portability and Accountability Act, which two attorneys say is unlikely and Jim Calhoun’s attorney says is possible. But the more important question in the current climate surrounding NCAA investigations is whether the NCAA should have had the information.
The NCAA claimed that a HIPAA release was not needed in an email to Calhoun’s lawyer. That sentiment is echoed by the attorney for the doctor who treated Miles. If a release was needed and was never granted by Miles, then the NCAA should take a large portion of the blame. The NCAA cannot claim ignorance about HIPAA or its counterpart the Family Educational Rights and Privacy Act (FERPA) which protects student records.
Each year the NCAA, as part of the Student-Athlete Statement, requires athletes to grant the NCAA a Buckley Amendment release for a laundry list of information protected by FERPA:
- This form;
- Results of NCAA drug tests and related information and correspondence;
- Results of positive drug tests administered by a non-NCAA national or international sports governing body;
- Any transcript from your high school, this institution, or any junior college or any other four-year institution you have attended;
- Precollege test scores, appropriately related information and correspondence (e.g., testing sites, dates and letters of test-score certification or appeal), and where applicable, information relating to eligibility for or conduct of nonstandard testing;
- Graduation status;
- Your social security number and/or student identification number;
- Race and gender identification;
- Diagnosis of any education-impact disabilities;
- Accommodations provided or approved and other information related to any education-impact disabilities in all secondary and postsecondary schools;
- Records concerning your financial aid; and
- Any other papers or information pertaining to your NCAA eligibility
In addition, schools are required to present to athletes a HIPAA release, although athletes are not required to sign it. That release grants the NCAA access to student-athlete medical records, stripped of identifying information, for use in NCAA research, like trends in student-athlete injuries.
The NCAA cannot claim ignorance with respect to the requirements of these two major federal privacy laws. If the NCAA obtained information that should not have been released according to HIPAA, the NCAA would be at the very least guilty of some degree of negligence in determining whether it should have the information. At worst, the NCAA induced someone to commit a violation of federal law to obtain information it knew it should not have access to.
Like the Miami investigation, so far it appears that the NCAA’s biggest problem is an unclear understanding of the limits of the enforcement staff’s power in this situation. A policy manual for enforcement cannot include every possible situation, but given the NCAA’s experience with FERPA and HIPAA, the association should leave no question to its staff on how to handle information covered by those two laws.