The Health Insurance Portability and Accountability Act (42 United States Code § 1320d), more often referred to by its acronym, HIPAA, is a complex piece of legislation that protects the health information of individuals. HIPAA specifies provisions for the security and privacy of Protected Health Information (PHI). PHI is defined as “any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.” Does HIPAA apply to personal trainers?
While you might guess that personal trainer records such as medical waivers and fitness or health screening information “concern health status,” the question remains: are personal trainers “covered entities”?
Case law thus far has not specifically held HIPAA as being applicable to gyms and fitness facilities, personal trainers, massage therapists, nutritionists or other non-medical fitness and wellness professionals.
Under HIPAA, the definition of health care under the regulations is quite broad. The definition of health care under the HIPAA legislation includes “preventive [care],” “rehabilitative [care]” and “maintenance” and “assessment” of “the physical or mental condition, or functional status of an individual that affects the structure or function of the body.” On its face, this could be interpreted to include fitness professionals.
However, the regulations and overall context of HIPAA define “covered entities” as providers of healthcare including: doctors, hospitals, dentists, podiatrists, pharmacists, laboratories, optometrists and the like.
One caveat is that where information is shared between “covered entities” and fitness professionals – for example, where a referral is made (especially if health insurance is involved) or information is shared at the request of a patient – the fitness professional may be brought under the umbrella of the “covered entity” in relation to the medical records of that patient (client). A fitness professional will also be a “covered entity” by extension where they are under contract to a “covered entity,” for example, a personal trainer who works for a doctor, chiropractor, physical therapist or aged care facility. If you have questions about the status of your fitness business as a “covered entity,” consult an attorney who has a solid understanding of HIPAA and healthcare law in the context of fitness businesses. This flowchart may also be of assistance in determining the status of your business.
Doctors may not be willing to communicate with you directly. Because of the seriousness with which covered entities, such as primary care physicians, treat HIPAA and the surrounding privacy rules, it is likely that a doctor will not be willing to share information about a patient (client) with you. When a PAR-Q questionnaire, health screening or medical waiver needs to be completed, it is usual practice for a doctor to complete the form in the presence of the patient (client) and give the completed form to the patient (client) to pass on to the non-covered entity. This means that the client, not the doctor (or other covered entity), is the party sharing the information with you. Be aware that partnering with a health professional to provide services to their patients (your clients) could give rise to additional information security requirements (and even bring you under the umbrella of a covered entity). Be sure to consult an attorney familiar with the fitness industry and healthcare law prior to entering into a contract with a “covered entity.”
Privacy breaches (not just HIPAA breaches) can give rise to liability. There are also statutory requirements that oblige you as a fitness coach to protect the personal information (especially health information) of your clients. In addition to having good policies and procedures in place to protect client data and information, your fitness business should conduct regular reviews of its compliance. Specifically, it is important to review whether you are complying with your own policies and procedures.
Implementing a document retention and destruction policy may help mitigate liability in relation to privacy. If you are discarding documents, ensure that you do so in a secure manner, for example by crosscut shredding. It is also important that any retention and destruction policy addresses electronic documents: their storage, their destruction or deletion, and their security.
You should also consider electronic security for any data held in the cloud. The Department of Health and Human Services (HHS) released guidance specifically related to ensuring the privacy of Protected Health Information from ransomware.
Some aspects related to privacy that you may want to consider for additional professional liability insurance coverage include: Privacy Act Violations, SPAM Act violations, and HIPAA Proceedings.
Insurance and Company Wellness Programs and HIPAA
Health plans are one category of covered entity. This means that if you are making claims on the health insurance of your client, you will likely be subject to HIPAA in relation to any of their PHI. Likewise, if you are a wellness provider for a company wellness program that is part of a group health plan, you will likely be subject to HIPAA. There is specific sub-regulatory guidance on the applicability of HIPAA to corporate wellness programs that you should review if you are a provider for one of these programs. The wellness program administrator should also be able to provide you with information about the status of the program.
While personal trainers and non-medical fitness professionals are not “covered entities” under HIPAA, there are still situations and circumstances where the Protected Health Information of your clients will make you subject to HIPAA guidelines and regulations. This will largely be because of your work with covered entities, with health insurers as a provider, or as a wellness provider for a corporate wellness program that is part of a group health plan.