Last week, I was privileged to attend the 2011 Hospitality Law Conference in Houston. As always, the program at the conference was outstanding. (This was my third time attending the annual conference.)
One of the sessions I attended focused on issues related to operation of spas. The session included discussion of an issue that has repeatedly surfaced in my practice in the hospitality industry, with respect to spas and health clubs.
Many—probably most—spas require new guests to fill out forms that ask a few questions about the guests’ health or medical conditions. These questions range from “How are you feeling today?” to “Have you recently had any surgery or suffered any injury?” followed by “If so, please describe the surgery or injury including the areas of your body affected.” Some health and fitness clubs require prospective members to comment on their health when applying for memberships. (“Have you ever had a heart attack?” “Do you have high blood pressure?”)
Spa and health club operators may not realize that when completed, these forms may become subject to federal and/or state regulations on the storage of medical records. Chief among these laws is the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA, its implementing regulations (promulgated by the U.S. Department of Health and Human Services (HHS)) and similar state laws are designed to ensure the protection and security of medical records and other personal health-related information, and to protect individuals’ privacy in matters involving their health care.
The HHS regulations implementing HIPAA apply only to “Covered Entities,” which are defined to include “health care providers.” Depending on the services it provides, a spa or health club may or may not be a “health care provider.” For example, if a facility provides post-traumatic or post-operative physical therapy and/or rehabilitative services, there is a good chance that it falls under this definition and is subject to these regulations. Some spas offer Botox treatments, which also likely bring them within this definition.
So, if a spa or health club is subject to HIPAA or related state laws, what kinds of requirements do these laws impose? The requirements are significant, and I won’t even attempt to summarize them. But I will provide a few examples. HIPAA regulations require a “Covered Entity” to notify clients/patients of the facility’s privacy practices. Upon request, a facility must provide a client/patient access to any “protected health information” that the facility maintains related to the client/patient. A Covered Entity also must designate an employee as a HIPAA Privacy Officer and train the rest of its workforce on certain HIPAA requirements. I won’t go on.
If you’re a spa or health club operator, you may be thinking, “Well, that’s easy; I’ll just stop asking my guests to fill out those forms.” But do you really want to do this? For example, if a guest has had a back injury, wouldn’t you want to know this before a therapist begins giving the guest a massage? If another guest has allergies that could make some aromatherapy inadvisable, wouldn’t you want to know this before your spa starts providing it? This is an area where often ignorance is not bliss. A spa or health club may incur much greater liability from providing certain services without asking any questions.
So, how should a spa or health club strike the balance between these competing concerns? Well, first let me say that it’s worth consulting with an attorney for specific advice with reference to the specific services offered by the facility in question, and the laws of the state where that facility is located.
Having made that disclaimer and pitch to support my noble profession, let me offer a few more thoughts . . .
* A health club that does not offer individualized training services, but only access to equipment and group exercise sessions, is probably going to have a lot less regulatory risk than one that offers one-to-one training, particularly to members who are training to recover from an injury or surgery. Across the pond in the United Kingdom, an association of health clubs called the Fitness Industry Association (FIA) has begun encouraging a “Health Commitment Statement” (HCS) as an alternative to the lengthier “Physical Activity Readiness Questionnaire” that the FIA used to encourage health clubs to require prospective new members to complete. Essentially, the HCS does not ask health-related questions, but requires a health club applicant to commit to being responsible for maintaining his or her own health. An obvious objective of the HCS is to relieve a health club of the burden of investigating and monitoring the physical well-being of each of its members who shows up to use its facilities. However, without having looked into it, I suspect that the FIA would encourage a health club to ask more questions of a member who wants individualized training, especially if the training is to overcome some injury or surgery.
* Returning to the United States, if it is part of the business model of a spa or health club to offer post-traumatic or post-operative physical therapy and/or rehabilitative services, or Botox services (and I don’t intend for this to be an exhaustive list), then the facility should take the steps necessary to comply with HIPAA and related state laws. If the facility doesn’t want to do that, then it should stop providing those services.
* What about services whose “health care” status under federal or state law is more questionable? If a spa is in no position to comply with HIPAA or related state law, but it understandably does not want to close its eyes to guests’ conditions before providing treatments to them, what should it do? At the Hospitality Law Conference last week, I offered a suggestion to the group discussing this issue. What if the spa were to keep requiring guests to fill out the forms before receiving treatments, review the forms before giving the treatments, and then shred each form after each treatment? The attorneys leading the discussion liked this idea. One of them cautioned that it would not suffice to simply throw each form into a garbage or recycling bin. There would have to be an actual shredder on the premises to destroy each form. Perhaps the forms themselves could instruct guests that a spa is not a medical facility and that completed forms will be destroyed immediately after treatments. Of course, there would be an obvious disadvantage to this strategy. If a guest were to sue a spa, claiming that he advised the spa of some injury and his advice was ignored, it would be helpful to the spa if it could produce a completed form in which the guest did not mention it. With the form, the spa might knock the case out on a summary judgment motion, but without it the case may have to go to trial. I’d be interested in hearing what others think about this proposal.
* What if the spa takes the shredder approach above, and a repeat guest complains about having to fill out the same form every time he or she drops in for a massage? Well, I don’t have an answer for everything.