The New ‘Moneyball’: Legal Considerations When Using Medical Information for Predictive Analytics in Professional Sports

Mar 21, 2025

By Aloke S. Chakravarty and Nikhil A. Mehta, of Saul Ewing

The sports world is adapting to advancements in technology both on the field and off. Data science is being deployed in professional and quasi-professional sports in ways that directly affect the bottom line, such as marketing, ticketing, and, in some cases, on-field performance. The use of an athlete’s medical information for predictive analytics is a sensitive and complex issue governed by a combination of privacy laws, medical regulations, league regulations, contractual obligations and ethical standards. While there are no specific federal laws that were designed to govern the use of an athlete’s medical data for purposes of predictive analytics, there are several relevant laws and frameworks that should be considered when handling such sensitive information. This is an area in flux, with data analytics and artificial intelligence allowing for extrapolations and calculations that go far beyond what could be gleaned from an athlete’s personal medical information alone. This article examines some of the key legal and regulatory considerations that arise when using health information to perform predictive analytics.

1. Health Insurance Portability and Accountability Act (HIPAA)

Overview: HIPAA governs the use and disclosure of protected health information (PHI) in the U.S. It applies primarily to healthcare providers, health plans, and healthcare clearinghouses, but also to their business associates (entities that process or analyze healthcare data).

Relevance to Athletes: When an athlete’s medical information is provided to a club or if such information is shared by a healthcare provider or team physician, HIPAA protections may apply. Under HIPAA, PHI cannot be disclosed without the athlete’s consent, except for specific purposes such as treatment, payment, or healthcare operations. For predictive analytics, if PHI is used, athletes must generally give consent or their information must be de-identified.

Key Compliance: If an organization is using an athlete’s health data for predictive analytics, it must ensure that the data is either sufficiently de-identified or that proper consent is obtained from the athlete prior to such data use.

2. State Privacy and AI/Automated Decision Making Laws

Overview: Many U.S. states have their own laws that govern the protection of personal data, including medical information, and these laws may apply to entities even if they are not physically located in the state in question. Increasingly, some states are also regulating automated decision making in order to prevent algorithmic discrimination. For example, the California Consumer Privacy Act (CCPA) provides protections for the personal data of California residents, including health-related data; these protections can apply extraterritorially and are accompanied by regulations pertaining to automated decision making. Colorado has similarly passed its first-in-the-nation Colorado Artificial Intelligence (AI) Act, which aims to prevent unfair discrimination and requires certain procurement diligence.

Relevance to Athletes: If the athlete is a resident of a state with strong privacy laws (like California), that state’s privacy laws may overlap with other laws governing how personal information is used, particularly if the data is linked to the individual and not anonymized.

Key Compliance: Organizations must identify whether specific onerous state data privacy laws apply to them and comply with applicable state privacy laws that protect personal information, including health data, ensuring that athletes’ rights regarding the collection, use and sharing of that data are respected.

3. Americans with Disabilities Act (ADA)

Overview: The ADA prohibits discrimination against individuals with disabilities and requires that medical information be handled confidentially by employers.

Relevance to Athletes: If predictive analytics involves the use of data that relates to an athlete’s disability status, the ADA may govern how that data is used, especially in the context of employment (such as with a professional sports team).

Key Compliance: Teams and organizations must ensure that they are not using an athlete’s disability-related medical data in a discriminatory way, and they must maintain the confidentiality of all medical records.

Key Distinction: An ordinary sports injury is unlikely to be considered a disability under the ADA. Instead, only pre-existing or new medical issues which are persistent and debilitating in nature will be considered a disability under the Act. In other words, any injury that can be “healed” is not likely to be considered a disability. For example, torn ligaments and other similar injuries would not appear to be disabilities under the ADA because they can be healed by a procedure or surgery. By contrast, former PGA Tour golfer Casey Martin suffered from a degenerative leg disorder, which the U.S. Supreme Court ruled was a disability under Title III of the ADA and was grounds for an accommodation by the PGA Tour (in his case, the use of a golf cart during PGA Tour events).

4. Major League Baseball (MLB), National Football League (NFL), the Premier League & Other League-Specific Regulations

Overview: Professional sports leagues like the Premier League, MLB, NFL, NBA, and others often have specific rules governing the collection and use of player medical information.

Relevance to Athletes: These leagues typically require teams to maintain confidentiality about player health and medical information. For example, the NFL has a medical policy that requires teams to handle player health information confidentially and restricts disclosure to third parties without the athlete’s consent.

MLB: In addition, the Collective Bargaining Agreement (CBA) between MLB and the MLB Players Association (MLBPA) lays out specific provisions about the handling of player health and medical data, including Attachment 18, which provides a general consent to use health information with the proviso that “The health information may not be utilized for any purpose other than that specified herein without my express written consent.” The CBA includes rules about:

Medical Privacy: Teams are generally required to keep medical records private and may only share certain information on a need-to-know basis within the organization.

Informed Consent: Players must consent to medical treatments and share relevant medical information with team personnel when necessary for their health and well-being.

Injury Reporting: Teams are required to report player injuries publicly, but there are limits on the specific medical details shared with the public, again balancing player privacy with team transparency.

Premier League: The Premier League also has rules regarding the collection and use of player medical information, though these are largely governed by a combination of league regulations, player contracts, and broader data protection laws (such as the UK’s Data Protection Act of 2018 and GDPR).

Key Compliance: If a league or team is using medical data for predictive analytics, they must adhere to league-specific medical privacy policies and may require the athlete’s specific informed consent before the data can be used for non-medical purposes, including analytics.

5. Data Privacy and Security Regulations

General Data Protection Regulation (GDPR): If the athlete is from the European Union (EU) or their data is processed in the EU, the GDPR applies. The GDPR sets strict guidelines for how personal data, including medical information, must be handled, including obtaining consent, ensuring data minimization, and protecting the data through security measures.

Relevance to Athletes: For European athletes or those whose data is stored in the EU, the GDPR requires that organizations obtain clear consent before using personal data for purposes like predictive analytics, and the data must be securely handled.

Key Compliance: Organizations must determine whether they are subject to EU regulations, including the GDPR, which has extraterritorial reach. If the organization is covered, they must ensure compliance with the GDPR’s many restrictions on the collection, use, export and sharing of data.

6. Informed Consent and Ethical Considerations

Overview: Informed consent is a cornerstone of medical ethics, and it could also be a touchstone for the use of athletes’ private medical data for predictive analytics. Athletes must be told how their private data will be used, the potential risks, and how their privacy will be protected. To the extent that non-private data is being used, this requirement becomes more grey, and the specific sources, combinations, purposes and uses of the data will all matter in the analysis.

Relevance to Athletes: Predictive analytics in sports often involves using an athlete’s medical data as well as other available data to assess future injury risks or performance metrics. Ethically, to the extent that their own private information is being used to conduct this analysis, athletes should have the opportunity to opt in or out of these processes, and their consent should be informed, voluntary, and revocable.

Key Compliance: Organizations should provide athletes with clear information about the purpose of data collection and ensure that consent forms are accurate and understandable. Consent should be actively obtained before any predictive analytics are conducted using the athlete’s private medical data.

7. Emerging Technologies

As technology like wearables (e.g., smart devices that monitor a player’s health), Hawkeye, Statcast and telematics become more common among amateur and professional athletes, some leagues have begun to outline clearer rules on how data derived from such devices is used. Because these data are not being collected by a health care provider and are not for treatment purposes, these data may fall outside of the protections of protected health information. Where there are league rules, they aim to ensure that such biometric data is used for performance and health monitoring, while also protecting players’ privacy and control over how their data is handled.

Some clubs and leagues may face heightened privacy concerns when using advanced technologies like biometric sensors which could collect personal health data (e.g., heart rate, sweat levels, etc.), and these clubs and leagues must ensure that any data collected in this manner is in compliance with privacy standards, player agreements and other relevant regulations.

8. Biometric Privacy Laws

Biometric Privacy: A growing trend among states is a broader regulation and enforcement of the collection of biometric data.

Illinois: The Illinois Biometric Information Privacy Act (BIPA) regulates the collection, use, and storage of biometric data, which includes identifiers like fingerprints, facial recognition, and voiceprints. BIPA has a robust enforcement history. While BIPA doesn’t specifically target health information, it can intersect with the use of health data if it involves biometric identifiers. In the context of professional sports teams, BIPA could be relevant if they use biometric data for player identification, health monitoring, or security purposes. For instance, teams might use biometric data to track a player’s health, manage security access, or authenticate medical services. This could raise legal issues under BIPA if the team collects, stores, or shares biometric data without adhering to the law’s requirements, which include obtaining informed consent, maintaining secure data practices, and providing a clear retention policy (among other things).

Other States: Many other states have laws that govern the collection and handling of biometric data, even if not expressly so designated. For example, the Massachusetts Consumer Protection Act (Mass. Gen. Laws Chapter 93A) provides general protections for personal data, including biometric data. Unlike BIPA, most of these state laws do not set out a biometric-specific framework or requirements, but in practice they still impose specific obligations for handling sensitive data. In addition, many states have taken a growing interest in category-specific data privacy in recent years and are adopting biometric- and genetic-specific laws, such as Colorado’s 2024 Protect Privacy of Biological Data law, which protects neural data among other types of biological data and could therefore reach sport-related metrics.

9. Potentially Viable Predictive Analytic Streams and Alternative Practices

Analysis of Certain Data for Performance Projection: The restrictions above pertain to private personal and protected health information. Information available through other sources may remain viable as surrogates or proxies for protected information and may still provide meaningful athlete-specific analysis, particularly for draft, assignment, acquisition/release, free agency and trade decisions. For example, organizations may be able to use AI protocols to mine publicly available data when evaluating potential player acquisitions. Sources of publicly available data can include official injury reports filed by teams, injury information reported during press conferences, news articles, or other publicly reported information, including via social media. Analysis may also be done by extrapolating from de-identified data on comparable or statistically meaningful cohorts. However, it is important to carefully consider and document the source and perceived validity of any reported information, as the quality and utility of the AI analysis is only as good as the quality of the data inputs used when performing such analysis. As some analysts have observed, “When the data is available and robust, the accuracy of AI prediction mechanisms is significant.”[1]

Use of Machine Learning to Predict and Prevent Injuries: Recent studies, including one published in the November 2024 issue of the Journal of Diagnostics, found that machine learning has “demonstrated effectiveness in predicting injury risk due to its ability to learn from historical data and refine predictions with new inputs. AI algorithms can integrate data from various sources, including wearable devices, biomechanical assessments, performance metrics, and psychological factors, creating individualized profiles for athletes[2]. By analyzing these complex, multidimensional datasets, AI can detect subtle trends or anomalies that might indicate an increased risk of injury.”[3]

Conclusion: Key Steps for Compliance

Establish a Compliance Program: With business units increasingly adopting new technologies intended to improve their performance, organizations should consider a process to conduct risk-based assessments, weigh the privacy and compliance implications, implement controls and mitigation, and maintain a feedback loop that will identify whether the program is working.

Some of the issues that the Compliance Program should consider include the following:

Obtain Explicit Consent: Athletes must provide informed, explicit consent before their medical or other sensitive data is used for predictive analytics.

Publicly Available Data: Procurement of relevant biometric or statistical data pertaining to an athlete is not inherently immune from privacy laws simply because it was obtained from publicly available sources. A careful analysis is required to determine whether the information is lawfully collected and can be used for the intended purposes.

De-identify Data: Where possible, organizations should use anonymized or de-identified medical data to avoid privacy concerns and reduce compliance risks.

Applicable Privacy Laws: Comply with relevant laws (HIPAA, state laws, GDPR) regarding the collection, storage, and use of medical data.

Confidentiality: Ensure that all medical and sensitive data is kept confidential and disclosed and shared securely only to authorized individuals or entities, and for specific, permissible purposes.

Monitor Ethical Standards: Adhere to ethical standards in data collection and analytics, ensuring that predictive analytics are used responsibly and that athletes’ rights are protected and that appropriate documentation is maintained.

Use of Emerging Technologies: The use of AI for performance prediction, preventative injury analysis, and injury recovery is a development that can provide competitive advantages, but the data must be sourced and used properly, with adequate controls.

By working within these legal and regulatory frameworks, organizations can mitigate the risks of using an athlete’s health information for predictive analytics and ensure that it is done in a way that is compliant with applicable laws and is ethically sound, while also leveraging the advances in data science to maximize the performance of the organization and the athlete.
[1] Bobby, Liv. Artificial Intelligence for Injury Prevention: the Economics and Effectiveness. September 13, 2023. Accessed at: https://sportsologygroup.com/articles/artificial-intelligence-for-injury-prevention-the-economics-and-effectiveness.

[2] Topol, Eric J. High-Performance Medicine: the Convergence of Human and Artificial Intelligence. 2019. Accessed at: https://www.nature.com/articles/s41591-018-0300-7.

[3] Musat, Carmina Liana, et al. Diagnostic Applications of AI in Sports: A Comprehensive Review of Injury Risk Prediction Models. November 10, 2024. Accessed at: https://pmc.ncbi.nlm.nih.gov/articles/PMC11592714/#B7-diagnostics-14-02516.