Personal trainers and non-medical fitness professionals are generally not considered covered entities under HIPAA. According to FitLegally, however, “while personal trainers and non-medical fitness professionals are not ‘covered entities’ under HIPAA, there are still situations and circumstances where the Protected Health Information of your clients will make you subject to HIPAA guidelines and regulations.” These situations arise when personal trainers work with covered entities or participate in company wellness programs tied to group health plans.
Personal trainers are typically not subject to HIPAA regulations.
However, there are some scenarios in which a personal trainer may be considered a covered entity or business associate.
If personal trainers make claims on clients' health insurance or participate as wellness providers in company wellness programs connected to group health plans, they may be subject to HIPAA regulations.
Additionally, if a referral is made between a healthcare provider and a fitness professional, particularly with health insurance in the picture, the fitness professional may be considered a business associate for that client's protected health information (PHI).
Personal trainers can also be classified as covered entities if they have a contract with a healthcare provider, such as working for a doctor, chiropractor, physical therapist, or aged care facility, and handle PHI in that role.
While personal trainers may not fall under the classification of covered entities, they must still safeguard their clients' personal information and privacy.
To safeguard client privacy and maintain professionalism, personal trainers can take several practical steps:
Personal trainers collaborate with clients who share their health information, including medical conditions, fitness goals, and dietary preferences. Despite not always being subject to HIPAA, trainers must respect their clients' privacy and maintain confidentiality.
It is a best practice for personal trainers to obtain informed consent from clients before collecting and utilizing any health-related information.
Personal trainers may maintain records of clients' workout routines, progress, and health information. This information should be safeguarded to prevent unauthorized access. Additionally, personal trainers should consider electronic security measures such as HIPAA-compliant email for communication and data storage.
Beyond legal considerations, personal trainers should adhere to ethical and professional standards when handling client health information. The National Strength and Conditioning Association's Code of Ethics states, "Professionals shall respect the rights, welfare, and dignity of all individuals in the context of their professional practice. To that end, Professionals shall preserve the confidentiality of personal and privileged information of all individuals involved, while remaining accountable."
Document retention and destruction policies should be in place so that physical and electronic documents containing sensitive client information are securely disposed of, mitigating the risk of unauthorized access.
Fitness and health clubs are typically not considered HIPAA-covered entities. However, exceptions can arise when they are involved in wellness programs connected to group health plans, as they may collect and handle protected health information (PHI), necessitating compliance with HIPAA regulations to safeguard individuals' health data.
HIPAA applicability also depends on factors such as whether the facility is a covered entity or a business associate, and on the type of information collected. If a club falls under one of these categories and handles PHI, it may need to adhere to HIPAA regulations.
No, personal trainers are generally not covered by HIPAA because they are not healthcare providers or part of a healthcare plan.
HIPAA may apply if a personal trainer works in a healthcare setting or collaborates with a healthcare provider who shares protected health information (PHI), in which case they would need to comply with HIPAA.
No, the health or fitness information shared with a personal trainer is typically not considered protected health information (PHI) under HIPAA.
Even though HIPAA may not apply, personal trainers should still take steps to protect sensitive client information, such as keeping health details confidential and using secure communication methods.
Personal trainers don’t need a business associate agreement (BAA) unless they are handling PHI in partnership with a healthcare provider or organization that is covered by HIPAA.