Does Your Health Club Need to Comply with HIPAA?

If your club runs health and wellness programs you may need to comply with HIPAA, which regulates the use and sharing of health information.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is United States legislation that outlines data privacy and security regulations for safeguarding medical information. When President Bill Clinton signed the act into law in 1996, it had three predominant goals—one of which was to standardize regulation of electronic data transmission while protecting the security and privacy of patient health information.


You may be asking yourself what this has to do with your business. You run a gym; HIPAA is for places like hospitals and clinics. That's true, but because of how broadly the act defines protected information, businesses one might not immediately associate with HIPAA may also need to comply.

Many health clubs operating in the U.S. offer health and wellness programs, some of which involve collecting health outcomes or collaborating with the medical community. Since HIPAA regulates the use and sharing of health information, clubs operating these types of programs should consider whether HIPAA applies to them.

Whether or not a club needs to be HIPAA compliant depends on several factors, including:

  • Who the club serves
  • What kind of data is collected
  • How data is stored


Are you wondering if this applies to your club? Consider the following examples.

Example 1: Medical Partners & Electronic Sharing

If your club partners with a hospital system or provider network and you share information about clients electronically, then your club may need to comply with HIPAA. If you are business partners with a hospital system but do not share client information electronically, then you likely do not need to comply with HIPAA.

Example 2: Dietitians & Physical Therapists

What if you offer members access to a dietitian or physical therapist on site? Do you then need to comply with HIPAA? That depends on whether the dietitian or physical therapist is considered a covered entity under HIPAA regulations. If so, then you may need to comply; if not, then you likely do not need to comply.

If your gym needs to comply with HIPAA and fails to do so, you could face fines from the Office for Civil Rights (OCR). These fines range from $100 to $50,000 per violation, up to $1.5 million, and that is the tier that applies when you did not know you were in breach. These fines could add up quickly.


For a more in-depth look at HIPAA, you can read IHRSA’s e-book “Understanding HIPAA Regulations and How They Relate to Your Club.” Included in the e-book is a flowchart to help you understand if your business should be taking a closer look at HIPAA compliance. We also look at how HIPAA is triggered, some best practices for handling personal health information, and case studies and examples that could help your club.


Alexandra Black Larcom @ihrsagetactive

Alexandra Black Larcom, MPH, RD, LDN, is the Senior Manager of Health Promotion & Health Policy for IHRSA. She spends her days working on resources and projects that help IHRSA clubs offer effective health programs in their communities, and convincing lawmakers that policies promoting exercise are an excellent idea. Outside the office you'll most likely find Alex at the gym, running on the Charles River, or, in the fall, by a TV cheering on the Florida Gators.