IHRSA is now the Health & Fitness Association.

Protecting Your Health Club Members’ Health & Data Privacy

HIPAA protects the security and privacy of individuals’ health information. Does your health club need to comply with these regulations? Here’s what you need to know.

In statehouses across the U.S., legislators are increasingly focusing their attention on data privacy issues.

One important data privacy law that has been on the books for over two decades is the Health Insurance Portability and Accountability Act (HIPAA). In 1996, lawmakers passed HIPAA to ensure that employees could move between jobs without losing their health insurance and to protect the security and privacy of individuals’ health information. HIPAA also created regulations that standardize the exchange of electronic health information between healthcare providers, health insurers, and clearinghouses, while keeping patient information secure and private.

Smartwatch Health Data Protect Your Club Members Column Image

Technology is increasing the quality and quantity of health data available, and clubs are continuing to expand into allied health spaces—like nutrition counseling and physical therapy—which makes understanding HIPAA crucial. When planning your programs, it’s important to consider if any aspect of your program brings HIPAA into scope.

What Do You Need to Know about HIPAA?

HIPAA is triggered when protected health information is transmitted electronically in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard. The HHS defines these transactions as an “electronic exchange of information between two parties to carry out financial or administrative activities related to health care.” For example, a dietitian transmitting health information to an insurance provider for the purpose of payment for services provided qualifies as one of these transactions and is thus protected by HIPAA.

Additionally, clubs should consider HIPAA regulations when they perform certain functions or services with or for a HIPAA covered entity (acting on their behalf) and have access to protected health information to carry out those functions or services (making them a business associate). This could be, for example, a health club that creates a health risk assessment, receives physician referral forms, or sends updates to an HMO, which includes protected health information or personally identifiable information in connection with healthcare services.

It’s Always a Good Practice to Protect Member Health Privacy

Even if your club is not required to comply with HIPAA regulations, you can implement a few key best practices for dealing with—and protecting— personal health information. It is important to protect your members’ privacy and security, demonstrate your club’s understanding of privacy practices to medical partners, and protect your business.

Clubs Should Consider These Best Practices

Avoid talking about a member’s health or healthcare—including medical diagnoses like diabetes, medications, weight, etc.—with anyone other than the member without the member’s express consent. This includes other trainers and the client’s family.

Avoid discussing private, health-related information with your members—like their weight, medical conditions, medications, etc.—in public areas where other members might easily overhear you. Wait to talk with your members about any health-related topics, including prescriptions or illnesses, until you are in a private space away from other members.

“Technology is increasing the quality and quantity of health data available, and clubs are continuing to expand into allied health spaces—like nutrition counseling and physical therapy—which makes understanding HIPAA crucial.”

Keep records of private health information—such as waivers listing health conditions—in secure locations and limit access to those records. It is crucial that you keep and never remove any hard copy records that contain personally identifiable information from the secure area.

Know it’s never appropriate to email, text, or send personal health information via social media channels—including private messaging features.

Ask for help. Your clients come to you for help with their fitness and wellness goals. Reach out to qualified experts for help with implementing appropriate IT security and privacy controls for your club.

Implement appropriate IT security controls to protect personal information that is stored and transmitted electronically. Consult an IT security provider to assist you with implementing/outsourcing security controls for your organization, if you lack that knowledge in-house.

Encrypt personally identifiable information, including personal health information that is stored and transmitted electronically using industry-approved methods.

Limit your data collection to information that is necessary for and pertinent to the work you are doing.

Provide privacy and security awareness training to your staff regularly.

Related Articles & Publications

Author avatar

Alexandra Black Larcom

Alexandra Black Larcom, MPH, RD, LDN, previously served as IHRSA's Senior Manager of Health Promotion & Health Policy—a position dedicated to creating resources and projects to help IHRSA members offer effective health programs, and promoting policies that advance the industry.