HIPAA-tize Your Club: Protecting Your Members' Right to Privacy

When personal information is involved, maintaining member privacy is of the utmost importance. Here is how and why health clubs need to protect their members and themselves.

The following is a summarization of an education session from the 2014 IHRSA Convention, produced with full permission from IHRSA. The full-length video is available for purchase at ihrsastore.com.

About the Speaker

Linda Howard is the CEO at Alturnative Management.

The Wellness Industry

The wellness industry is valued at $1.9 trillion in the global market. The fitness, mind, and body sectors alone are a $390 billion market.

Some reasons for this growth include baby boomers seeking more health benefits, Generation X being more aware of health and fitness, declining health care and poor health habits, a social environment in which celebrities advocate wellness, and a political environment that includes the First Lady's Let's Move initiative.

The wellness industry is multidimensional and holistic, integrating physical, mental, spiritual, and social aspects. It is complementary and proactive not only in treating illness, but also in preventing sickness and improving overall quality of life. It is a consumer-driven industry, relying on consumer choice rather than patient necessity.

Why Healthcare Privacy Policies Are Relevant in Wellness

The worlds of wellness, fitness, and medicine are merging to create a seamless selection of health services. Health clubs have to collect detailed personal information in order to deliver comprehensive wellness services.

Due to the Health Insurance Portability and Accountability Act (HIPAA), clients have grown to expect a certain level of privacy protections when sharing information to achieve a state of wellness. Privacy protection lessons learned from the healthcare industry are becoming increasingly relevant to the fitness industry.

Federal Privacy Laws: The Health Insurance Portability and Accountability Act

HIPAA requires certain individuals and entities to comply with very rigorous and prescriptive privacy rules. The penalties for non-compliance can be very severe.

In the US, privacy rights are reinforced with every healthcare visit. In most circumstances, HIPAA will not apply to health clubs, but if you are covered by HIPAA, you need HIPAA training.

Types of Information Requiring Protections

Individually identifiable health information, known under HIPAA as protected health information (PHI), is protected by the Privacy Rule. Any PHI that a covered entity creates, receives, maintains, or transmits in electronic form is electronic protected health information (ePHI) and is additionally subject to the Security Rule.

HIPAA Privacy and Security Provisions

The goal is to ensure that PHI is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare and to protect the public's health and wellbeing.

HIPAA Basics: The Rules

  • Authorized use: PHI may be used only for the purpose for which it was authorized
  • Business associate agreements: contracts with vendors that handle PHI must include specific required provisions
  • Safeguards: PHI must be kept secure against loss, theft, and unauthorized access
  • Secure paper records, not just electronic ones
  • Minimum necessary: disclose only the minimum information needed for the purpose
  • Breach notification: members must be notified of a breach of their information
  • Right of access: maintain records properly so members can obtain their own information
  • A process by which clients can authorize disclosure of their information to others

Protecting Privacy

Privacy and electronic security protocols developed under HIPAA are some of the best for protecting privacy in healthcare. Protecting privacy makes good business sense. Protecting clients' privacy makes good legal sense.

What Is a Covered Entity?

Every health care provider (any person or organization that furnishes, bills, or is paid for health care), regardless of size, that electronically transmits health information in connection with certain transactions is a covered entity. Health plans and health care clearinghouses are covered entities as well.

If you are not a covered entity, you could still be a business associate: a person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits protected health information on the covered entity's behalf.

Ways a Health Club or Fitness Professional Can Become a Covered Entity or Business Associate

Traditionally, the fitness industry is not included in HIPAA's definition of covered entity or business associate, but collaborating with a traditional health care provider could make you an agent, employee, or business associate of that provider. Offering services defined as wellness could also bring you under the heading of health care provider.

The Affordable Care Act (ACA) includes wellness in its definition of health care services and names the professionals eligible to provide wellness visits, including health educators, registered dietitians, physician assistants, and nurse practitioners.

Legislative Intent of HIPAA

It is clear that the intent of the legislation was to protect health information supplied or gathered in the course of an individual seeking health care services. It is not a far stretch to conclude that this protection should extend to information communicated to wellness professionals who are providing services at the request of physicians, or providing services to a health seeker who is responding to a facility's representation that it provides wellness services.

Unauthorized Disclosure of Personal Information

There are different types of disclosures:

  • Intentional disclosures, internal or external
  • Inadvertent disclosures
  • Employees viewing records unnecessarily: staff should view client information only for a business purpose
  • Personal information stored in public view or discussed in a public area

The offender can be sued for violating privacy, as a facility and/or in an individual capacity, and can also be sued for defamation of character.

Federal Criminal Penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment.

The penalty increases to up to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to up to $250,000 and up to 10 years of imprisonment if it involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

Train your staff in the handling of client files and discipline violations. Monitor and protect electronic communications. Use software with permission levels so that staff see only what their role requires, and review who has looked at which records. Dispose of paper files properly by shredding them or placing them in locked or secure recycling containers. Before hardware is discarded or reused, its storage must be wiped clean of data.
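As an added illustration of permission levels and monitoring (example code written for this summary, not from the session or IHRSA), the Python below models a club's member-record store in which each staff role sees only the fields it needs, roles that handle health information need a per-member assignment (a business purpose) before opening a record, and every attempt, allowed or denied, is written to an audit log that a manager can review. The roles, field names, user names, and member records are all constructed for the example.

```python
"""Added example: role-based, minimum-necessary access to member records with an
audit trail. Not from the IHRSA session; roles, users and records are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Permission levels: the fields each (hypothetical) role is allowed to see.
# A role gets only what it needs for its job, which is HIPAA's
# "minimum necessary" standard applied at the field level.
ROLE_FIELDS = {
    "front_desk": {"member_id", "name", "membership_status"},
    "trainer":    {"member_id", "name", "fitness_goals", "injury_notes"},
    "dietitian":  {"member_id", "name", "medical_conditions", "medications"},
}

# Roles that see health information also need a business purpose for the
# specific member: here, an assignment. Front desk never sees health fields.
ASSIGNMENT_REQUIRED = {"trainer", "dietitian"}
ASSIGNMENTS: Dict[str, set] = {"trainer_bob": {1001}, "diet_sue": {1002}}

# Constructed sample records; no real member data.
MEMBERS = {
    1001: {"member_id": 1001, "name": "A. Member", "membership_status": "active",
           "fitness_goals": "weight loss", "injury_notes": "left knee, avoid lunges",
           "medical_conditions": "type 2 diabetes", "medications": "metformin"},
    1002: {"member_id": 1002, "name": "B. Member", "membership_status": "lapsed",
           "fitness_goals": "marathon", "injury_notes": "",
           "medical_conditions": "", "medications": ""},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str          # UTC timestamp of the attempt
    user: str
    role: str
    member_id: int
    fields: tuple    # fields actually returned (empty when denied)
    allowed: bool
    reason: str


AUDIT_LOG: List[AuditEvent] = []


def _log(user: str, role: str, member_id: int, fields, allowed: bool, reason: str) -> None:
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user, role,
                                member_id, tuple(sorted(fields)), allowed, reason))


def view_record(user: str, role: str, member_id: int) -> Optional[dict]:
    """Return the minimum-necessary view of a member record for this role,
    or None if access is denied. Every attempt, allowed or not, is logged."""
    fields = ROLE_FIELDS.get(role)
    if fields is None:
        _log(user, role, member_id, (), False, "unknown role")
        return None
    record = MEMBERS.get(member_id)
    if record is None:
        _log(user, role, member_id, (), False, "no such member")
        return None
    if role in ASSIGNMENT_REQUIRED and member_id not in ASSIGNMENTS.get(user, set()):
        _log(user, role, member_id, (), False, "no assignment: no business purpose")
        return None
    view = {k: v for k, v in record.items() if k in fields}
    _log(user, role, member_id, view.keys(), True, "ok")
    return view


def denied_attempts_by_user(log: Optional[List[AuditEvent]] = None) -> Dict[str, int]:
    """Count denied attempts per user. A manager reviewing this periodically is
    the 'monitor' step; a user with repeated denials is looking at records
    where they have no business purpose."""
    events = AUDIT_LOG if log is None else log
    counts: Dict[str, int] = {}
    for e in events:
        if not e.allowed:
            counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    print(view_record("ann", "front_desk", 1001))       # no health fields
    print(view_record("trainer_bob", "trainer", 1001))  # assigned: allowed
    print(view_record("trainer_bob", "trainer", 1002))  # not assigned: None
    print(denied_attempts_by_user())
    for e in AUDIT_LOG:
        print(e)
```

The filtering happens before the data leaves the store, so a front-desk screen never receives medications or conditions it could leak inadvertently, and denied attempts are logged with the reason so a review can distinguish a typo in a member number from a pattern of snooping.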

By taking the necessary steps to ensure your members' privacy, you'll avoid the difficult consequences of violating HIPAA and keep your members' trust.