If you are a health or wellness coach, you may wonder whether you are subject to HIPAA privacy and security standards. Many coaches assume they are, but many of them would be wrong. That doesn’t mean HIPAA privacy and security standards should not play a role in your practice, but whether coaches are technically required to comply does play a role in how you address the privacy and security concerns of you and your clients.
If you are like most health and wellness coaches, you will likely collect private information from your clients. This may be health information, and will certainly be other personal information like contact information and possibly some financial information. For HIPAA “covered entities” (those entities that are indeed subject to HIPAA privacy and security rules), all that private information is considered “Protected Health Information” or “PHI” and must follow strict rules about how to protect it from improper use and disclosure.
Unfortunately (or fortunately, depending on how you look at it), the HIPAA privacy and security rules were written almost 20 years ago. The rules were updated in 2013 to include language about how to deal with HIPAA breaches and business associates, but the rules have not kept up with the new and varied health and wellness businesses that currently exist. As a result, health and wellness coaches often find themselves in between regulatory “cracks,” including with regard to HIPAA. The closest guidance we have received about HIPAA’s applicability to wellness comes from the U.S. Department of Health and Human Services (DHHS) Office of Civil Rights (OCR), the federal agency with oversight over HIPAA compliance: whether HIPAA privacy and security rules apply to workplace wellness programs depends on the way those programs are structured.
OCR HIPAA Guidance
According to OCR, workplace wellness programs that are part of a group health plan are subject to HIPAA because the group health plan qualifies as a HIPAA-covered entity. A wellness vendor for such a wellness program would be subject to HIPAA as a business associate. HIPAA places restrictions on the sharing of PHI between the group health plan and employer sponsor of the plan. Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits (such as distributing incentives) offered through the plan. Where this is the case and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions.
According to OCR, if a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by HIPAA privacy and security rules. However, this blanket statement by OCR does not account for the possibility that a workplace wellness program itself might qualify as a group health plan or health care provider (“covered entities” under HIPAA) if the wellness program provides “medical care.” If the wellness program offers lifestyle improvement activities only, such as exercise or nutrition activities not tied to any specific, diagnosed disease improvement for an employee, then non-group health plan wellness programs would not be subject to HIPAA privacy and security rules. Lifestyle improvement activities do not qualify as medical care, which is a key ingredient for constituting a group health plan.
How OCR’s Guidance May Apply to Health and Wellness Coaches
Using the same arguments that most wellness services do not create a group health plan, one can also argue that most wellness services offered by health and wellness coaches would not create health care provider covered entity status under HIPAA. HIPAA defines “health care provider” as anyone who furnishes, bills or is paid for “health care” in the normal course of business. HIPAA defines “health care” similarly to the definition of “medical care” as that term is used for determining whether something qualifies as a group health plan. Specifically, “health care” includes “preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body.”
Even though the HIPAA definition of “health care” includes activities such as “preventive” care and “assessment” of physical condition or functional status, which can encompass wellness program activities such as health risk assessments, vaccinations or biometric screens, those wellness program activities are not typically tied to a specific medical reason for the activity. The IRS does not consider activities to prevent disease as “medical” care (and therefore excludable from income tax) unless the person actually has the disease or illness, or has an imminent probability of developing the disease or illness. In other words, the purpose of the preventive care or assessment must be to address a likelihood that the person is at risk for the disease or illness, which can only be determined by a licensed health care provider acting within their scope of practice. A wellness provider, such as a health or wellness coach, who is merely offering health risk assessments, biometric screens or nutritional or fitness information to general populations to arm those individuals with knowledge is not trying to diagnose that individual’s risk of disease or illness. A follow-up visit to a licensed physician to discuss an individual’s results and potential risk factors may qualify as “health care” under HIPAA, but the wellness activity leading up to that follow-up visit arguably would not.
Regardless of the technical accuracy or completeness of OCR’s statement regarding HIPAA privacy and security rule application to employer wellness programs, OCR’s position is important from an enforcement perspective. Because OCR is the enforcement agency for HIPAA privacy and security compliance, its views on when HIPAA applies in certain situations are important when determining compliance risk.
If HIPAA Doesn’t Apply, Then What?
Even if a health or wellness coach is technically not subject to HIPAA privacy and security rule compliance, clients may expect some level of HIPAA compliance. We often counsel our clients to adopt certain applicable HIPAA policies and procedures to give all those involved in delivering and receiving health and wellness services some assurance that private information is protected from improper use and disclosure. Our firm has drafted numerous HIPAA policies and procedures to help our clients protect the privacy and security of information they collect as part of their coaching business.
One of the typical policies we draft is a HIPAA authorization form and policy. Obtaining a client’s HIPAA-compliant written authorization may be necessary for some wellness professionals who need PHI from a participant’s healthcare provider. Wellness professionals such as dietitians and exercise physiologists may need to obtain medical information from a client’s healthcare provider in order to safely and effectively provide coaching services. This is especially true for clients who have diagnosed medical conditions and are taking certain medications. For example, it is important for an exercise professional to obtain from the client’s healthcare provider (e.g., physician, physical therapist, occupational therapist) any specific exercise recommendations and/or contraindications the professional should follow given the client’s medical condition(s). The exercise professional may also request the results of a graded exercise test (GXT) or blood pressure records, for example, of a client who indicated hypertension on his or her pre-activity screening device. For a client with hypertension, the exercise professional may want to send blood pressure records (e.g., a log of blood pressure readings taken by the exercise professional before, during, and after exercise) periodically to the client’s physician to keep the physician abreast of the client’s progress. In either case—whether the exercise professional is requesting medical information from a healthcare provider or sending medical information to a healthcare provider—the exercise professional should have the client sign a HIPAA-compliant authorization.
Health and wellness coaches should also be aware of Big Data, especially as it applies to subcontractors they may use. For example, subcontractors that receive PHI from health and wellness coaches should agree to limit further use or disclosure of the PHI to the purpose for which it was disclosed to the subcontractor. Given the growing capabilities of Big Data, the purposes for which PHI may be disclosed from a health and wellness coach to downstream entities are both vast and vague. For example, a purpose for the disclosure may be for data analytics. Data analytics in the world of Big Data and data brokers has a much different meaning, and much greater potential for abuse, than it did in 2003 and 2005 when HHS first required compliance with the Privacy and Security Rules. Absent a contractual provision by the health or wellness coach prohibiting certain uses and disclosures of PHI, HIPAA privacy rules could technically permit downstream entities to use and disclose PHI for data analytics purposes, such as consumer profiling, that have proliferated since the time HHS drafted the HIPAA Privacy and Security Rules.
Compliance with HIPAA privacy and security rules for health and wellness coaches is not always straightforward. Health and wellness coaches should rely on experienced wellness attorneys who understand the wellness industry and how state and federal laws apply specifically to that industry. The Center for Health and Wellness Law has such wellness lawyers on staff, and we are ready to help you reduce your legal risk and increase the success of your health and wellness coaching business. Contact us today for a free 15-minute consult.
DHHS Office of Civil Rights Guidance, HIPAA Privacy and Security and Workplace Wellness Programs, https://www.hhs.gov/hipaa/for-professionals/privacy/workplace-wellness/ (last visited January 6, 2017).
45 CFR § 160.103 (definition of “health care provider”).
See Chapter 3; see also 42 USC § 300gg-91(a)(2) (defining “medical care” as amounts paid for the “diagnosis, cure, mitigation, treatment or prevention of disease, or amounts paid for the purpose of affecting any structure or function of the body.”).
45 CFR § 160.103 (definition of “health care”).
See Chapter 5; see also IRS Information Letter 2010-075 (June 25, 2010).
45 CFR § 164.504(e)(4)(B)(ii)(B)(1).
The post HIPAA for Health and Wellness Coaches first appeared on Health, Corporate, Wellness Vendors and Lifestyle Coach.