Generally these inquiries come from people who work in the medical industry where nearly everyone is subject to HIPAA because either they are a "covered entity" or because they do business with one. Covered entities are defined under HIPAA as:
- a health care provider that conducts certain transactions in electronic form
- a health care clearinghouse
- a health plan
There is a series of handy flow charts that walk through the process in detail. MotorsportReg.com meets none of these definitions, and thus we are not subject to HIPAA.
Whether we are subject to HIPAA or not, we still must comply with PCI DSS and other data security laws, and as privacy-minded citizens ourselves, we care a lot about keeping this information secure but accessible for its intended use: saving lives in the case of an emergency. In our system, participant medical information is accessible only in a single report formatted for use by the on-site ambulance or emergency crews. We restrict access to authorized administrators in the same way that paper forms would be protected.
Some organizations, like the SCCA, have stopped asking for medical information on their registration forms. I think it's a combination of risk management and advances in medicine. ALS crews reportedly don't trust the blood type written on a helmet because they can test it in seconds, making collection a moot point. With concerns around identity theft and increased sensitivity towards privacy, we expect to see more clubs drop this requirement.