Does Your Health Club Need to Comply with HIPAA?

If your club runs health and wellness programs you may need to comply with HIPAA, which regulates the use and sharing of health information.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is United States legislation that outlines data privacy and security regulations for safeguarding medical information. When President Bill Clinton signed the act into law in 1996, it had three predominant goals—one of which was to standardize regulation of electronic data transmission while protecting the security and privacy of patient health information.

You may be asking yourself what this has to do with your business. You run a gym, and HIPAA is for places like hospitals and clinics. That's true, but the scope of what the act treats as protected health information means that businesses one might not immediately associate with HIPAA may also need to comply.

Many health clubs operating in the U.S. offer health and wellness programs, some of which may involve collecting health outcomes or collaborating with the medical community. Since HIPAA regulates the use and sharing of health information, some clubs that might be operating certain types of programs may need to consider whether HIPAA applies to their club.

Whether or not a club needs to be HIPAA compliant depends on several factors, including:

  • Who the club serves
  • What kind of data is collected
  • How data is stored

Are you wondering if this applies to your club? Consider the following examples.

Example 1: Medical Partners & Electronic Sharing

If your club partners with a hospital system or provider network and you share information about clients electronically, then your club may need to comply with HIPAA. If you are business partners with a hospital system but do not share client information electronically, then you likely do not need to comply with HIPAA.

Example 2: Dietitians & Physical Therapists

What if you offer members access to a dietitian or physical therapist on site? Do you then need to comply with HIPAA? That depends on whether the dietitian or physical therapist is considered a covered entity under HIPAA regulations. If so, then you may need to comply; if not, then you likely do not need to comply.

If your gym needs to comply with HIPAA and fails to do so, you could be facing fines from the Office for Civil Rights (OCR). These fines can range from $100 to $50,000 per violation, up to $1.5 million, and that range applies even when you did not know you were in breach. These fines could add up quickly.

Alexandra Black Larcom

Alexandra Black Larcom, MPH, RD, LDN, previously served as IHRSA's Senior Manager of Health Promotion & Health Policy—a position dedicated to creating resources and projects to help IHRSA members offer effective health programs, and promoting policies that advance the industry.