Protecting Your Health Club Members’ Health & Data Privacy

HIPAA protects the security and privacy of individuals’ health information. Does your health club need to comply with these regulations? Here’s what you need to know.

In statehouses across the U.S., legislators are increasingly focusing their attention on data privacy issues.

One important data privacy law that has been on the books for over two decades is the Health Insurance Portability and Accountability Act (HIPAA). In 1996, lawmakers passed HIPAA to ensure that employees could move between jobs without losing their health insurance and to protect the security and privacy of individuals’ health information. HIPAA also created regulations that standardize the exchange of electronic health information between healthcare providers, health insurers, and clearinghouses, while keeping patient information secure and private.


Technology is increasing the quality and quantity of health data available, and clubs are continuing to expand into allied health spaces—like nutrition counseling and physical therapy—which makes understanding HIPAA crucial. When planning your programs, it’s important to consider if any aspect of your program brings HIPAA into scope.

What Do You Need to Know about HIPAA?

HIPAA is triggered when protected health information is transmitted electronically in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard. The HHS defines these transactions as an “electronic exchange of information between two parties to carry out financial or administrative activities related to health care.” For example, a dietitian transmitting health information to an insurance provider for the purpose of payment for services provided qualifies as one of these transactions and is thus protected by HIPAA.

Additionally, clubs should consider HIPAA regulations when they perform certain functions or services with or for a HIPAA covered entity (acting on its behalf) and have access to protected health information in order to carry out those functions or services (making the club a business associate). This could be, for example, a health club that creates a health risk assessment, receives physician referral forms, or sends updates to an HMO that include protected health information or personally identifiable information in connection with healthcare services.

It’s Always a Good Practice to Protect Member Health Privacy

Even if your club is not required to comply with HIPAA regulations, you can implement a few key best practices for dealing with—and protecting—personal health information. It is important to protect your members’ privacy and security, demonstrate your club’s understanding of privacy practices to medical partners, and protect your business.

Clubs Should Consider These Best Practices

Avoid talking about a member’s health or healthcare—including medical diagnoses like diabetes, medications, weight, etc.—with anyone other than the member without the member’s express consent. This includes other trainers and the client’s family.

Avoid discussing private, health-related information with your members—like their weight, medical conditions, medications, etc.—in public areas where other members might easily overhear you. Wait to talk with your members about any health-related topics, including prescriptions or illnesses, until you are in a private space away from other members.


Keep records of private health information—such as waivers listing health conditions—in secure locations and limit access to those records. Any hard copy records that contain personally identifiable information must stay in the secure area and never be removed from it.

Know it’s never appropriate to email, text, or send personal health information via social media channels—including private messaging features.

Ask for help. Your clients come to you for help with their fitness and wellness goals. Reach out to qualified experts for help with implementing appropriate IT security and privacy controls for your club.

Implement appropriate IT security controls to protect personal information that is stored and transmitted electronically. Consult an IT security provider to assist you with implementing/outsourcing security controls for your organization, if you lack that knowledge in-house.

Encrypt personally identifiable information, including personal health information, that is stored or transmitted electronically, using industry-approved methods.

Limit your data collection to information that is necessary for and pertinent to the work you are doing.

Provide privacy and security awareness training to your staff regularly.

For more information about how HIPAA may impact your business, see our e-book Understanding HIPAA Regulations and How They Relate to Your Club.


Alexandra Black Larcom @ihrsagetactive

Alexandra Black Larcom, MPH, RD, LDN, is the Senior Manager of Health Promotion & Health Policy for IHRSA. She spends her days working on resources and projects that help IHRSA clubs offer effective health programs in their communities, and convincing lawmakers that policies promoting exercise are an excellent idea. Outside the office you'll most likely find Alex at the gym, running on the Charles River, or, in the fall, by a TV cheering on the Florida Gators.