Fitness and health clubs are generally not considered covered entities under HIPAA. There are, however, potential exceptions, such as a wellness program offered under a group health plan, where PHI is collected.
Furthermore, according to the Health and Fitness Association, “Technology is increasing the quality and quantity of health data available, and clubs are continuing to expand into allied health spaces—like nutrition counseling and physical therapy—which makes understanding HIPAA crucial.”
To better understand the applicability of HIPAA to fitness and health clubs, the different types of clubs and the services they offer need to be considered.
Traditional gyms and fitness clubs primarily provide fitness facilities, equipment, and group exercise classes. They typically offer memberships and collect personal information from their members, such as contact details and health history, but are not typically subject to HIPAA requirements.
Medical fitness centers, also known as hospital-based fitness centers, combine traditional fitness services with medically supervised programs. These centers often employ healthcare professionals, such as exercise physiologists or physical therapists, to provide specialized services to individuals with specific medical conditions, and they must be HIPAA compliant, either as (part of) a covered entity or as a business associate of one.
Wellness centers promote holistic well-being by offering nutrition counseling, stress management, and alternative therapies. They may collect personal health information to tailor their programs to individual needs. They may need to be HIPAA compliant, depending on whether they're considered covered entities.
While the services offered by these fitness and health clubs overlap with healthcare to some extent, the need for HIPAA compliance depends on several factors unique to each establishment.
If the facility is a covered entity, the fitness program or health club will need to comply with HIPAA regulations.
If a fitness club or health program is not a covered entity, it won't be bound by HIPAA regulations as a covered entity, although it may still be bound as a business associate (see below).
Learn more: How to know if you're a covered entity
If a club has a formal partnership or integration with a healthcare provider, such as a hospital or medical clinic, and creates, receives, or shares PHI on that provider's behalf, it could be considered a business associate. In this case, HIPAA compliance is required.
This is particularly relevant for medical fitness centers that offer medically supervised programs or wellness centers that collaborate with healthcare professionals.
Learn more: How to know if you're a business associate
HIPAA specifically protects individually identifiable health information. PHI includes information related to an individual's physical or mental health, healthcare provision, or payment for healthcare services. If a fitness or health club collects and maintains PHI, it may be subject to HIPAA regulations.
For data to be considered PHI, the following two points must both be met:
Note: When sharing any PHI, HIPAA compliant email or another secure channel must be used. Additionally, a business associate agreement may be required with any third party that handles the PHI.
While personal trainers aren't typically considered "covered entities" under HIPAA, some scenarios can subject them to its rules. As with health and fitness clubs, this can happen when working with healthcare providers, health insurers, or corporate wellness programs tied to group health plans. In these cases, trainers must adhere to HIPAA regulations by protecting clients' PHI.
No, fitness and health clubs are generally not covered under HIPAA because they don’t qualify as healthcare providers or health plans.
HIPAA could apply if the club offers healthcare services, such as physical therapy, and bills health insurance electronically for them. In that case, it would need to comply with HIPAA for those services.
No, most information collected by fitness clubs, such as workout routines or membership details, is not considered protected health information (PHI) under HIPAA.
Unless the fitness app or device is connected to a healthcare provider or plan, the information shared typically isn't covered by HIPAA.
Yes, it's a good practice for fitness clubs to have privacy and security measures in place to protect members' personal and health-related information, even if HIPAA does not require it.