HIPAA Compliance for Health Coaches: Do You Need It and How to Get Compliant



Kevin Henry

HIPAA

May 04, 2026

7 minute read

HIPAA Applicability to Health Coaches

HIPAA regulates how Covered Entities—health plans, most health care providers, and health care clearinghouses—and their Business Associates handle Protected Health Information (PHI). Most independent health coaches are not Covered Entities. HIPAA applies to you when you work for, or on behalf of, a Covered Entity and create, receive, maintain, or transmit PHI.

Common triggers include providing coaching inside a medical practice, accessing a clinic’s Electronic Health Records (EHR) to view patient data, coordinating care for a health plan’s members, or being embedded in an employer’s wellness program administered by a health insurer. In these cases, you function as a Business Associate and must follow the Privacy Rule, Security Rule, and Breach Notification Requirements through a signed agreement.

If you work directly with clients outside the health care system and do not handle PHI on behalf of a Covered Entity, HIPAA typically does not apply. However, the information you collect can still be sensitive and regulated by other federal or state privacy laws, so you should adopt strong confidentiality and data minimization practices regardless.

Business Associate Agreements and PHI Handling

A Business Associate Agreement (BAA) is the contract that defines how you, as a Business Associate, will safeguard PHI and use or disclose it only as permitted. You need a BAA when a Covered Entity engages you to deliver services that involve PHI—such as lifestyle coaching for a clinic’s patients or outreach to a health plan’s members. If you are a Business Associate, you must also execute BAAs with any subcontractors who handle PHI for you (for example, secure messaging or EHR-integrated platforms).

Principles for PHI Handling

  • Minimum necessary: access, use, and disclose only the PHI required to perform the service.
  • Access controls: issue unique logins, enforce strong authentication, and promptly terminate access when roles change.
  • Secure transmission and storage: use encryption in transit and at rest, especially for EHR data, emails, backups, and mobile devices.
  • Audit and monitoring: enable logs to track who accessed which records, when, and why.
  • Retention and disposal: keep PHI only as long as required by policy or contract; dispose of it securely.
  • Incident response: document a process to identify, investigate, mitigate, and report potential breaches according to breach notification requirements.

HIPAA Compliance Recommendations

If HIPAA applies to you

  • Conduct a risk analysis to identify where PHI lives across people, processes, and technology; address risks with a written risk management plan.
  • Implement administrative, physical, and technical safeguards under the Security Rule (policies, training, facility controls, device security, encryption, and contingency planning).
  • Use HIPAA-capable tools for scheduling, messaging, telecoaching, file storage, and EHR integrations; sign BAAs with applicable vendors.
  • Establish policies for minimum necessary use, access provisioning, mobile device use, and media disposal; review at least annually.
  • Create a breach response plan aligned to the Breach Notification Requirements; practice it with tabletop exercises.
  • Maintain documentation—risk assessments, BAAs, training records, and policy acknowledgments—for audit readiness.

If HIPAA does not apply to you

  • Adopt privacy-by-design: collect the least data needed, store it securely, and give clients clear choices about communications.
  • Use secure tools for client notes and messaging; avoid unencrypted email or SMS for sensitive details.
  • Be accurate in your marketing—do not claim to be “HIPAA compliant” unless it truly applies; instead, describe your confidentiality safeguards.
  • Align practices with the National Board for Health and Wellness Coaching (NBHWC) ethics and scope; obtain informed consent for services and data use.

HIPAA Training and Education

Covered Entities and Business Associates must train their workforce members on HIPAA policies relevant to their roles. Provide onboarding and periodic refreshers that explain PHI, permitted uses and disclosures under the Privacy Rule, safeguards under the Security Rule, phishing and password hygiene, and breach reporting steps.

Keep sign-in sheets or digital attestations as proof of completion. For professional development, seek continuing education that covers privacy, security, and documentation standards; NBHWC-aligned programs often include modules on confidentiality, boundaries, and informed consent that strengthen day-to-day practice.


Client Confidentiality Best Practices

  • Set expectations at intake: explain what information you collect, why, how you secure it, and when it may be shared.
  • Use secure platforms for scheduling, video, and notes; avoid storing sensitive details on personal devices without encryption and screen locks.
  • Obtain written consent before sharing information with a client’s clinician or family; document every disclosure.
  • Limit note content to what is necessary for coaching; de-identify examples used in case discussions or supervision.
  • Ensure private environments for sessions; confirm the client’s location and privacy at the start of each call.
  • Apply a data retention schedule and dispose of records securely when no longer needed.

Compliance with State and Federal Privacy Laws

Even when HIPAA does not apply, other laws may. Many states have consumer privacy or health data laws that govern collection, use, sale, and sharing of personal and health-related information and require disclosures or opt-out mechanisms. If you operate in multiple states or market nationally, design for the strictest applicable standard.

Digital health apps that fall outside HIPAA may still face the Federal Trade Commission’s rules on deceptive practices and certain health breach notification obligations. Coaches working in schools should consider FERPA, and those supporting substance use disorder treatment programs should be aware that 42 CFR Part 2 imposes heightened confidentiality for those records.

Avoiding Deceptive Health Data Practices

Be transparent and precise about your privacy and security practices. Do not imply HIPAA coverage if you are not a Covered Entity or Business Associate, and avoid sharing client data with advertisers or analytics tools without explicit, informed permission. Remove tracking technologies from pages where sensitive data is collected or viewed.

Use plain-language privacy notices, obtain meaningful consent for any data sharing beyond service delivery, and honor client choices. Regularly review marketing, websites, and apps to eliminate dark patterns, limit data collection, and align your promises with actual practices.

Bottom line: determine whether HIPAA applies to your coaching work, secure PHI with appropriate safeguards and BAAs when it does, and—whether HIPAA applies or not—embed strong confidentiality, transparency, and data-minimization practices into every client interaction.

FAQs

When does HIPAA apply to health coaches?

HIPAA applies when you are part of a Covered Entity or provide services on behalf of one that involve PHI—such as accessing a clinic’s EHR, coordinating care for a health plan, or delivering coaching within a medical practice. In those cases, you act as a Business Associate and must follow the Privacy Rule, Security Rule, and Breach Notification Requirements under a BAA.

How can health coaches protect client confidentiality?

Collect only what you need, store it securely, use encrypted tools for messaging and video, control access with strong authentication, and document client consent for any sharing. Keep concise notes, verify private settings during sessions, train regularly on privacy and security, and follow a written incident response and retention policy.

What is a Business Associate Agreement and when is it needed?

A BAA is a contract that requires specific safeguards for PHI and limits how it is used or disclosed. You need a BAA when a Covered Entity hires you to deliver services that involve PHI. If you are a Business Associate, you must also sign BAAs with subcontractors that handle PHI for you; if you are not working with PHI for a Covered Entity, a BAA is generally not required.

Do independent health coaches need HIPAA compliance?

Usually not, unless you work for or on behalf of a Covered Entity and handle PHI. Still, you should implement strong confidentiality practices, choose secure tools, be transparent about your data use, and comply with relevant state and federal privacy laws that may apply to your business.
