
Does HIPAA apply to fitness and health clubs?


Fitness and health clubs are not considered covered entities under HIPAA. However, there are potential exceptions, like a wellness program under a group health plan, where PHI is collected.

 

Types of fitness and health clubs

To better understand the applicability of HIPAA to fitness and health clubs, the different types of clubs and the services they offer need to be considered.

 

Gym and fitness centers

These establishments primarily provide fitness facilities, equipment, and group exercise classes. They typically sell memberships and collect personal information from their members, such as contact details and health history, but they are not typically subject to HIPAA requirements.

 

Medical fitness centers

Medical fitness centers, also known as hospital-based fitness centers, combine traditional fitness services with medically supervised programs. These centers often employ healthcare professionals, such as exercise physiologists or physical therapists, to provide specialized services to individuals with specific medical conditions and must be HIPAA compliant either as a covered entity or as a business associate.

 

Wellness centers

Wellness centers promote holistic well-being by offering nutrition counseling, stress management, and alternative therapies. They may collect personal health information to tailor their programs to individual needs. They may need to be HIPAA compliant, depending on whether they're considered covered entities.

 

Factors affecting HIPAA applicability

While the services offered by these fitness and health clubs overlap with healthcare to some extent, the need for HIPAA compliance depends on several factors unique to each establishment. 

 

Is the facility a covered entity?

If the facility is a covered entity, the fitness program or health club will need to comply with HIPAA regulations. 

If a fitness club or health program is not a covered entity, it won't be bound by HIPAA regulations. 

Learn more: How to know if you're a covered entity

 

Is the facility a business associate?

If a club has a formal partnership or integration with a healthcare provider, such as a hospital or medical clinic, and shares PHI with that provider, it could be considered a business associate. In this case, HIPAA compliance is required.

This is particularly relevant for medical fitness centers that offer medically supervised programs or wellness centers that collaborate with healthcare professionals.

Learn more: How to know if you're a business associate

 

Type of information collected

HIPAA specifically protects individually identifiable health information. PHI includes information related to an individual's physical or mental health, healthcare provision, or payment for healthcare services. If a fitness or health club collects and maintains PHI, it may be subject to HIPAA regulations.

For data to be considered PHI, the following two points must both be met:

  • Data needs to be personally identifiable to the patient
  • Data must be used by or disclosed to a covered entity during the course of care

Note: If any PHI is shared, HIPAA compliant email or some other secure channel must be used. Additionally, a business associate agreement may be required.

 

Does HIPAA apply to personal trainers?

While personal trainers aren't typically considered "covered entities" under HIPAA, some scenarios can subject them to its rules. As with health and fitness clubs, this can happen when working with healthcare providers, health insurers, or corporate wellness programs tied to group health plans. In these cases, trainers must adhere to HIPAA regulations by protecting clients' PHI.
