While it is somewhat unclear exactly when HIPAA (The Health Insurance Portability and Accountability Act (42 United States Code § 1320d)) applies to fitness professionals, there is no doubt that it raised the stakes when it came to privacy. It is clear that client confidentiality is an area of concern in the fitness industry. HIPAA is not the only legal requirement that deals with privacy that may apply, or does apply, to the fitness industry and to the business practices of fitness professionals.
Fitness professionals are often given a great deal of personal information by their clients (and potential clients) including personally identifying information, health information including health history, potentially embarrassing information, as well as health goals and priorities. Your clients reasonably expect that you will keep all the information they provide to you as part of your professional relationship private and confidential.
But this isn’t just about the expectations of your athlete-clients. Your failure to protect the confidentiality of your clients, which encompasses client privacy, is a liability risk. If you fail to protect confidential client information you could suffer financial losses if loss of that information results in damage to a client or another person to whom you owe a duty of care. Confidentiality breaches can also damage your business in non-tangible ways including damage to your or the businesses’ reputation. In addition, most certification associations and authorities require adherence to specific confidentiality standards. The good news is that you can reduce your liability risk through a concerted effort and having the right systems in place.
Once you understand the obligations your fitness business has in terms of privacy and confidentiality, it is important to develop policies and procedures that actively protects the privacy of your clients and any other legal person to whom you owe a duty of care.
Review and revise client contracts, waivers and disclaimers to reflect your confidentiality obligations and policies.
These documents are not just to satisfy some legal requirement – it is essential that your contracts, waivers, disclaimers, and policy documents reflect the realities of your business. So be careful copying and pasting from someone else’s website. If you are unsure if your current documentation meets all of your legal obligations consult with you attorney about how to make sure you are best protecting the privacy and confidentiality of your clients.
Don’t forget your fitness business website.
Understand the Legal Obligations of your Fitness Business.
Understand if and how HIPAA might apply to your fitness business. As an associated business – if you are a service provider for a covered entity (a hospital, medical professional, health insurer) you may find yourself brought under the umbrella of HIPAA, but for most fitness professionals, including personal trainers HIPAA may not apply.
However, HIPAA is not the only set of legislation that addresses the obligations of fitness businesses to protect client information and privacy. State legislation varies, but often requires reporting of certain types of confidentiality breaches, and requires certain security precautions. In general, many states have laws which require information security technology to be implemented to protect certain types of data, including health information, and place limitations on collection and transmission. A compilation of state laws can be found here: www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx.
Conduct an information security assessment focused on client confidentiality
One of the best ways to determine your level of liability risk is to conduct an information security assessment. You may need to consult with a professional to ensure that you have adequate information to act upon. Common threats to information security you might examine include physical security, hacking, electronic information security, personnel-related confidentiality breaches, and inadequate staff training.
If you store confidential information or health data electronically you should consider how to ensure that your business infrastructure is protected from electronic “break-in,” and your protocol for responding to any breach. You should be clear on your legal responsibility to report such breaches. Common electronic information storage risks include default passwords, no firewall or enhanced data security, and allowing access to computers and other devices by untrained or cleared personnel.
All devices should be protected through applicable virus protection software, and other electronic security measures should be put in place to protect the business network. It is important that this is not set and forget – updates are necessary as will be a regular information security review or audit.
Train staff in your data security requirements as well as their confidentiality obligations.
Staff should be trained initially and then on a continuing basis, especially as new information arises or technological advances are made. It is especially important to develop a social media policy and to train staff about what should and should not be shared about clients on social media (including photos or videos), and how and when clients should or should not interact with clients on social media. A data breach on social media by one of your staff could implicate your fitness business and, by extension, you, so take this seriously. Fitness professionals rarely disclose client information maliciously, but a confidentiality breach in the form of gossip around the front desk or in the locker room could cause serious damage to your business.
Control Access to data.
Access should be segmented with “need to know” access levels to data depending on the duties of the employee. Wifi networks should be secured and passwords changed on a regular basis. Individual employees should be required to use unique passwords which are required to be changed regularly – consider counselling client or public facing staff against keeping their password close to their device or terminal and to be careful about securing their computer or device before leaving it unattended.
These principles can also be applied to physical security – with changing codes or door locks on confidential pre-defined dates. The installation of software should be limited to a network administrator who has been appropriately cleared to do so.
Using a Third Party isn’t always the answer.
Owners of Fitness Businesses need to be aware that using a third party service provider to manage data or with whom you share client information may not absolve you of responsibility with regard to client privacy and confidentiality. Your business can be held responsible for the actions of another entity if they are done on your behalf or as part of a service you have contracted. You should ensure that any agreement with a third party addresses confidentiality of all data prohibiting further disclosure and limiting use unrelated to their specific contracted scope of work, and indemnifies you in the case of an error or omission on the part of the service provider. Be aware that any indemnity might not prevent you from being sued as a result of a confidentiality breach but it may limit your liability exposure.