HIPAA Violations Health Coaches Should Know About (and How to Avoid Them)


Kevin Henry

HIPAA

April 29, 2026


HIPAA sets national standards for safeguarding Protected Health Information (PHI). While many independent health coaches are not automatically subject to HIPAA, certain roles and relationships can trigger obligations—and violations are costly. This guide highlights HIPAA violations health coaches should know about and shows practical steps to avoid them. It is general information, not legal advice.

HIPAA Applicability to Health Coaches

HIPAA applies to covered entities and their business associates. A health coach is a covered entity only in narrow situations—such as providing healthcare services and transmitting related data in standard electronic transactions (for example, billing insurers). More commonly, a coach becomes a business associate when performing services for a covered entity (like a clinic, telehealth practice, or group health plan) that involve access to PHI.

Protected Health Information includes any individually identifiable health information about a client’s past, present, or future physical or mental health, treatment, or payment, when it can be linked to an individual (for example, name, contact information, device identifiers, or appointment details). PHI can be paper, verbal, or electronic.

  • You are likely a business associate if you handle client scheduling, messaging, habit-tracking, or coaching notes on behalf of a clinic or plan and can view PHI.
  • You must sign a Business Associate Agreement (BAA) with each covered entity you support, and you may also need BAAs with vendors that process PHI for you (email, cloud storage, teleconferencing, e-fax, EHR).
  • If you operate entirely direct-to-consumer without handling PHI for a covered entity, HIPAA may not apply—but state privacy laws and ethical duties still do.

Common HIPAA Violations for Health Coaches

  • Using unencrypted email, SMS, or DMs to send PHI without appropriate safeguards or client authorization.
  • Storing PHI in consumer cloud drives or apps that refuse to sign a Business Associate Agreement.
  • Skipping a formal, documented Risk Analysis, leading to unidentified gaps in safeguards.
  • Weak access controls: shared logins, no multi-factor authentication, or failing to terminate access for former staff or contractors.
  • Lost or stolen devices that lack Data Encryption and screen locks.
  • Oversharing beyond the minimum necessary standard, including social media posts, testimonials, or group coaching stories that reveal PHI.
  • Improper disposal of paper notes or exported files containing PHI.
  • Failure to implement and follow policies—no sanction policy, no change management, and no Incident Response Plan.
  • No BAA with key vendors (telehealth platforms, CRM, e-sign, cloud storage, backup tools, email marketing when PHI is involved).
  • Not verifying identity before releasing information or discussing a client’s status with family, employers, or other third parties.

HIPAA Compliance Requirements

Conduct a Risk Analysis

Map where PHI is created, received, maintained, or transmitted; identify threats and vulnerabilities; assess likelihood and impact; and document risk treatments. Revisit after major changes (new tools, remote staff, or expanded services).

Administrative Safeguards

  • Written policies and procedures covering privacy, security, minimum necessary, device use, remote work, and sanction/discipline.
  • Vendor management and BAAs for all services that handle PHI on your behalf.
  • Contingency planning: data backup, disaster recovery, and emergency operations.
  • Workforce security: onboarding, role-based access, and timely offboarding.
  • Ongoing training and periodic security reminders tailored to coaching workflows.

Technical Safeguards

  • Unique user IDs, strong authentication (preferably MFA), automatic logoff, and access based on least privilege.
  • Audit controls: enable logs for logins, downloads, edits, and disclosures; review routinely.
  • Data Encryption in transit and at rest wherever feasible; use secure portals or encrypted email for PHI.
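The audit-control bullet says to enable logs and review them routinely; the access-control bullets say what a review should catch. Below is an added example (not the article's code, and not from any particular coaching platform) of such a routine review in Python. The CSV audit log, the offboarding register, the business-hours window and the action names are all constructed for the example.

```python
"""Review a constructed audit log for the access-control and audit-control gaps named above.

Added example (not the article's code). Sample log, user list and business hours are constructed.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit log, as exported from a hypothetical coaching platform.
SAMPLE_LOG = """timestamp,user,action,client_id,mfa
2026-04-20T09:12:05,jane.coach,login,,true
2026-04-20T09:15:40,jane.coach,view_note,C-1042,true
2026-04-20T22:48:13,jane.coach,download_export,C-1042,true
2026-04-21T10:02:00,former.contractor,login,,false
2026-04-21T10:03:11,former.contractor,view_note,C-2210,false
2026-04-21T11:30:00,sam.coach,login,,false
2026-04-21T11:31:05,sam.coach,disclose_external,C-0876,false
"""

# Assumptions: the offboarding register and the hours during which bulk exports are expected.
TERMINATED_USERS = {"former.contractor"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
BULK_ACTIONS = {"download_export", "disclose_external"}


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    timestamp: str
    detail: str


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per logged event."""
    return list(csv.DictReader(io.StringIO(text)))


def review_audit_log(text: str) -> list[Finding]:
    """Apply the checks a periodic log review should cover."""
    findings: list[Finding] = []
    for row in parse_log(text):
        stamp = row["timestamp"]
        user, action = row["user"], row["action"]
        when = datetime.fromisoformat(stamp)
        # Workforce security: any activity by an offboarded account is a control failure.
        if user in TERMINATED_USERS:
            findings.append(Finding("access-after-offboarding", user, stamp,
                                    f"{action} by an account that should have been terminated"))
        # Strong authentication: logins that did not complete MFA.
        if action == "login" and row["mfa"].lower() != "true":
            findings.append(Finding("login-without-mfa", user, stamp, "login completed without MFA"))
        # Exports or external disclosures outside expected hours warrant a closer look.
        in_hours = BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]
        if action in BULK_ACTIONS and not in_hours:
            findings.append(Finding("off-hours-export", user, stamp,
                                    f"{action} of {row['client_id']} at {when.time()}"))
    return findings


def accounting_of_disclosures(text: str) -> list[tuple[str, str, str]]:
    """Disclosures to third parties; the log must capture these to answer a client's accounting request."""
    return [(r["timestamp"], r["user"], r["client_id"])
            for r in parse_log(text) if r["action"] == "disclose_external"]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, which is what a review sign-off record usually captures."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"{f.rule:26} {f.timestamp} {f.user}: {f.detail}")
    print("disclosures:", accounting_of_disclosures(SAMPLE_LOG))
    print(summarize(review_audit_log(SAMPLE_LOG)))
```

On the sample log the review flags two events by the offboarded account, two logins without MFA and one late-night export, and lists the single external disclosure for the accounting-of-disclosures record. A real review would read the platform's own export format, but the checks (terminated accounts, missing MFA, unusual exports, every disclosure captured) are the same.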

Physical Safeguards

  • Device protections: screen locks, secure storage, and asset tracking for laptops and mobile devices.
  • Facility controls: private spaces for sessions; shred bins for paper records; clean-desk practices.

Policies, Notices, and Client Rights

  • Covered entities must provide a Notice of Privacy Practices and honor client rights (access, amendments, and an accounting of disclosures).
  • Use written authorization for marketing, testimonials, or any disclosure beyond permitted uses.
  • Apply the minimum necessary standard to routine disclosures.

Business Associate Agreements

Execute a BAA with each covered entity you support and with any downstream vendors that create, receive, maintain, or transmit PHI for you. Keep signed BAAs and due-diligence records on file.

Incident Response Plan

Define how you detect, report, assess, and contain incidents; assign roles; set internal timelines; and document every decision. Test the plan annually.

Documentation and Retention

Maintain policies, training logs, risk analyses, incident reports, and BAAs for at least six years from the date created or last effective. Good records often make the difference in audits or investigations.

Training and Education for HIPAA Compliance

Train all workforce members (staff, contractors, interns) on day one and refresh at least annually. Focus on real coaching scenarios: telehealth etiquette, group sessions, social media boundaries, note-taking, and identity verification.

  • Use micro-learning and simulated phishing to build habits.
  • Document attendance, content, dates, and assessments; require attestations.
  • Deliver just-in-time refreshers when you roll out new tools or change workflows.

Leaders should model compliance, celebrate near-miss reporting, and maintain an open door for privacy questions.


Breach Notification Requirements

The Breach Notification Rule applies when there is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. If encryption renders PHI unusable, unreadable, or indecipherable, notification may not be required.

Risk-of-Compromise Assessment

  • Nature and extent of PHI involved (types of identifiers and sensitivity).
  • Unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, confirmed deletion).

Notification Timelines and Content

  • Notify affected individuals without unreasonable delay, no later than 60 calendar days after discovery.
  • For breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media and the federal regulator within 60 days.
  • For fewer than 500 individuals, log the incident and report to the regulator within 60 days after the end of the calendar year.
  • Include what happened, types of PHI involved, steps individuals should take, what you are doing to mitigate harm, and contact information.

Coordination with Covered Entities and Vendors

Business associates must notify the covered entity without unreasonable delay so the covered entity can meet deadlines. Your Incident Response Plan should define how vendors escalate issues to you and how you escalate to the covered entity.
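The safe-harbor test, the four-factor assessment and the notification timelines above form a decision procedure that an Incident Response Plan has to walk through under time pressure. Below is an added example in Python (not the article's code) that records the assessment and computes the deadlines from the rules the article states: the encryption safe harbor, 60 calendar days from discovery, the 500-resident media threshold, and the annual log for smaller breaches. The incident facts are constructed; the assumption that 500 or more affected individuals in total triggers the 60-day regulator notice is marked in the code.

```python
"""Turn the four-factor assessment and the notification timelines above into a checked plan.

Added example, not the article's code. The incident facts are constructed; the thresholds
(encryption safe harbor, 60 days, 500 residents of a state, annual log) are those the article states.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW = timedelta(days=60)
LARGE_BREACH = 500


@dataclass
class FourFactorAssessment:
    """The documented judgement; the code records it, it does not replace the assessor."""
    nature_and_extent: str
    unauthorized_recipient: str
    actually_acquired_or_viewed: bool
    mitigation: str
    low_probability_of_compromise: bool  # conclusion reached after weighing the four factors


@dataclass
class BreachFacts:
    discovered: date
    phi_secured_by_encryption: bool
    affected_by_state: dict[str, int]
    acting_as_business_associate: bool
    assessment: FourFactorAssessment


@dataclass
class NotificationPlan:
    notification_required: bool
    rationale: str
    notify_covered_entity: bool
    individual_deadline: Optional[date] = None
    media_deadline: Optional[date] = None
    media_states: list[str] = field(default_factory=list)
    regulator_deadline: Optional[date] = None
    regulator_route: str = ""


def plan_notifications(f: BreachFacts) -> NotificationPlan:
    """Walk the incident through safe harbor, the assessment, and the timelines."""
    # A business associate escalates to the covered entity whenever unsecured PHI is involved,
    # so the covered entity can confirm the assessment and meet its own deadlines.
    escalate = f.acting_as_business_associate and not f.phi_secured_by_encryption
    if f.phi_secured_by_encryption:
        return NotificationPlan(False, "PHI was encrypted (unusable, unreadable, indecipherable); "
                                "notification not required, record the incident", escalate)
    if f.assessment.low_probability_of_compromise:
        return NotificationPlan(False, "four-factor assessment concluded low probability of compromise; "
                                "keep the written assessment on file", escalate)

    total = sum(f.affected_by_state.values())
    individual_deadline = f.discovered + NOTICE_WINDOW
    media_states = sorted(s for s, n in f.affected_by_state.items() if n >= LARGE_BREACH)
    plan = NotificationPlan(True, f"unsecured PHI of {total} individuals; notices required", escalate,
                            individual_deadline=individual_deadline)
    if media_states:
        plan.media_deadline = individual_deadline
        plan.media_states = media_states
    if total >= LARGE_BREACH:
        # Assumption: 500 or more affected individuals in total triggers the 60-day regulator notice.
        plan.regulator_deadline = individual_deadline
        plan.regulator_route = "within 60 days of discovery"
    else:
        # Fewer than 500: log the incident and report within 60 days after the end of the calendar year.
        plan.regulator_deadline = date(f.discovered.year, 12, 31) + NOTICE_WINDOW
        plan.regulator_route = "annual log, within 60 days after year end"
    return plan


def worked_examples() -> dict[str, NotificationPlan]:
    """Three constructed incidents discovered on the same day, for comparison."""
    assessment = FourFactorAssessment("names, emails and habit-tracking notes", "unknown external party",
                                      actually_acquired_or_viewed=True, mitigation="none confirmed",
                                      low_probability_of_compromise=False)
    found = date(2026, 4, 20)
    return {
        "large": plan_notifications(BreachFacts(found, False, {"CA": 620, "NV": 40}, True, assessment)),
        "small": plan_notifications(BreachFacts(found, False, {"CA": 120}, False, assessment)),
        "encrypted": plan_notifications(BreachFacts(found, True, {"CA": 120}, True, assessment)),
    }


if __name__ == "__main__":
    for name, plan in worked_examples().items():
        print(name, plan)
```

For the "large" case the plan sets individual, media (California) and regulator deadlines all at 19 June 2026; the "small" case keeps the individual deadline but moves the regulator report to the annual log due 1 March 2027; the "encrypted" case requires no notification but still escalates to the covered entity only when unsecured PHI is involved, which here it is not.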

Privacy Obligations Without a License

Unlicensed health coaches are not automatically subject to HIPAA. However, if you handle PHI for a covered entity or sign a BAA, HIPAA obligations attach. Even when HIPAA does not apply, clients expect confidentiality, and state privacy laws and contracts still govern your conduct.

  • Be explicit about scope: coaching, not medical diagnosis or treatment.
  • Collect the minimum information needed and avoid storing sensitive details you do not need.
  • Provide a clear privacy notice and informed-consent language in your intake process.
  • Use secure tools; avoid mixing PHI with personal email or devices.
  • Obtain written permission before using testimonials or sharing success stories.

State Privacy Laws and Ethical Standards

State laws add requirements that can apply to health coaches, especially in direct-to-consumer contexts. Depending on where you operate or where clients reside, you may face obligations around privacy notices, consent, access rights, data minimization, and breach reporting—separate from HIPAA.

  • Comply with state breach-notification statutes for personal information, even when HIPAA does not apply.
  • If you market to consumers, evaluate state consumer privacy laws that grant data rights and require disclosures.
  • Be cautious with sensitive categories (mental health, reproductive health, substance use); stricter rules may apply.
  • For minors, know parental consent and access rules in each state you serve.
  • Align with ethical codes (for example, coaching competencies, confidentiality, role clarity, and boundaries) to reinforce trust.

Conclusion

Determine whether you are a covered entity or a business associate, complete a Risk Analysis, implement administrative, physical, and technical safeguards (including Data Encryption), execute BAAs, train your team, and maintain an Incident Response Plan. These steps reduce risk, build client trust, and help you avoid HIPAA violations while delivering high-quality coaching.

FAQs

What are the most common HIPAA violations for health coaches?

Frequent issues include using non-secure messaging for PHI, lacking a documented Risk Analysis, failing to sign a Business Associate Agreement with vendors, weak access controls (shared logins, no MFA), lost unencrypted devices, oversharing on social media or in testimonials, improper record disposal, and not having or following an Incident Response Plan.

How can health coaches ensure HIPAA compliance?

Confirm your role (covered entity or business associate), sign necessary BAAs, complete a Risk Analysis, implement administrative, physical, and technical safeguards, encrypt devices and data, restrict access by role, provide initial and annual training, and document everything. Test your Incident Response Plan and update policies when your tools or services change.

What steps should be taken after a PHI breach?

Activate your Incident Response Plan: contain and investigate, perform the four-factor risk assessment, consult with any covered entity you support, document findings, and send required notices under the Breach Notification Rule within the applicable timelines. Mitigate harm (for example, reset credentials, remotely wipe devices, reinforce training) and record corrective actions.

Are unlicensed health coaches subject to HIPAA regulations?

Not by default. HIPAA applies if you are a covered entity or if you act as a business associate for a covered entity and handle PHI, typically evidenced by a Business Associate Agreement. Even when HIPAA does not apply, state privacy laws, contracts, and ethical duties still require strong confidentiality and security practices.
