HIPAA Compliance for Health Coaches: What It Means in Practice

Most health coaches are not legally bound by HIPAA, but working with medical clients and healthcare teams changes that. Here's the honest breakdown.

TL;DR

  • Most independent health coaches are NOT HIPAA-covered entities. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses.
  • HIPAA does apply if you work as a business associate for a covered entity (like a hospital, clinic, or health plan).
  • Even without a HIPAA obligation, health coaches have strong ethical and practical reasons to protect client health information.
  • State privacy laws and GDPR may apply regardless of HIPAA status.
  • This article is general information, not legal advice. Consult a qualified attorney for your situation.

The question of HIPAA compliance for health coaches causes a lot of confusion, and the confusion makes sense. You're working with people on deeply personal health information. You know HIPAA exists as the privacy law for health data. It seems like it should apply to you.

But the connection is less direct than most health coaches assume. HIPAA's reach is specific, and whether it applies to your coaching practice depends almost entirely on who you work with and how.

Here's the clear breakdown.

What HIPAA Actually Is

HIPAA, the Health Insurance Portability and Accountability Act of 1996, established privacy and security standards for "protected health information" (PHI). PHI is individually identifiable health information held or transmitted by a covered entity or its business associates.

The critical term is "covered entity." HIPAA only directly applies to:

  • Healthcare providers who transmit health information electronically (doctors, hospitals, clinics, dentists, pharmacies, mental health practitioners)
  • Health plans (insurance companies, employer-sponsored health plans, Medicare, Medicaid)
  • Healthcare clearinghouses (businesses that process health information between providers and payers)

And it applies to business associates: companies or individuals who handle PHI on behalf of covered entities. A billing company, an EHR software provider, or a researcher who accesses a hospital's patient records would be a business associate.

If you're an independent health coach running your own practice, working directly with individual clients who found you independently, you are almost certainly not a covered entity. HIPAA does not directly govern your practice.

When HIPAA Does Apply to Health Coaches

There are real situations where HIPAA becomes relevant for health coaches:

Working with Healthcare Organizations as a Contractor

If a hospital, clinic, insurance company, or other covered entity contracts with you to provide health coaching services to their patients or members, you may become a business associate of that covered entity. Business associates are required to:

  • Sign a Business Associate Agreement (BAA) with the covered entity
  • Protect PHI using HIPAA-compliant security practices
  • Report breaches of PHI to the covered entity
  • Not use or disclose PHI beyond the purposes permitted by the BAA

This is an increasingly common scenario as healthcare systems recognize coaching as a complement to clinical care. Coaches working in hospital wellness programs, corporate health programs administered by insurers, or chronic disease management programs through health plans need to understand whether a BAA is required.

If a potential partner organization asks you to sign a BAA, take it seriously. It imposes real legal obligations.

Working as Part of an Integrated Care Team

Some health coaches work alongside licensed healthcare providers in integrated care settings: a functional medicine practice that employs both an MD and a health coach, a mental health clinic that offers coaching alongside therapy, or a physical therapy practice that includes lifestyle coaching components.

In these settings, the question of whether the health coach is acting as a business associate depends on whether they access or handle PHI created or maintained by the covered entity. If the coach uses the clinic's patient records, has access to the EHR, or discusses patient medical information as part of the care team, they're likely operating as a business associate.

The organization you work within is responsible for ensuring you have a BAA in place and understand your obligations. But knowing this applies to you is your responsibility too.

Referral Networks with Healthcare Providers

If a physician or therapist regularly refers patients to your coaching practice and sends you medical records or clinical notes about those patients, there's a HIPAA-adjacent question worth asking. Strictly speaking, the physician sending you records is the one with HIPAA obligations. But handling records from covered entities warrants some thought about your data handling practices.

In practice, most coaches in this situation just keep clinical records secure, return or destroy them after use, and treat them with the same confidentiality they'd apply to any sensitive client information.

What Health Coaches Should Do Even Without a HIPAA Obligation

Even if HIPAA doesn't directly apply to your practice, you're working with sensitive health information. The ethical and practical arguments for protecting it well don't disappear just because a federal law doesn't compel you.

Treat Client Health Information as Confidential

Session notes, intake forms, health history questionnaires, progress tracking data. All of this is sensitive. Clients are sharing it in a relationship of trust. The way you handle it says something about how seriously you take that relationship.

The coaching confidentiality agreement guide covers confidentiality in coaching more broadly. For health coaches, this is especially important to get right in your coaching agreement.

Secure Your Data Storage

Wherever you store client health information, apply reasonable security:

  • Password protection and two-factor authentication on any tool containing client data
  • Encrypted storage for sensitive files (most modern devices and cloud services encrypt by default if you have passwords and screen locks enabled)
  • No client health information stored in unsecured shared folders or sent over unencrypted email
  • A clear process for what happens to client data when the coaching relationship ends

This isn't HIPAA compliance. It's good professional practice.

Have a Clear Privacy Policy

Your website should have a privacy policy that explains what information you collect, how you use it, and how to request deletion or access. EU clients bring GDPR into the picture; California clients may have CCPA considerations. Even without those specific requirements, a privacy policy is a professional expectation.

For the full picture on data privacy for coaches, the GDPR for coaches guide covers what you need to know.

Be Clear About What You're Not

Health coaches are not healthcare providers. Your coaching is not medical advice, not diagnosis, and not treatment. This is an ethical and legal line that matters, and it should be explicit in your disclaimer and coaching agreement.

The coaching vs therapy boundary guide addresses this from a coaching and therapy perspective. For health coaches, the same boundary applies between coaching and medical care. Clarity about this protects your clients, directs them to appropriate care when they need it, and protects you legally.

HIPAA-Compliant Tools: Worth Using Regardless?

Many health coaches ask whether they should use "HIPAA-compliant" tools like Doxy.me for video sessions, or HIPAA-compliant versions of scheduling and documentation software, even if they're not technically required to.

The pragmatic answer: it depends on who you work with.

If you work with clinical clients referred by healthcare providers, operate in clinical settings, or anticipate working with healthcare organizations as clients, using HIPAA-compliant tools from the start makes sense. It signals professionalism, removes potential friction if you become a business associate, and makes a potential future BAA less disruptive.

If you're a general health and wellness coach working independently with clients who found you through your own marketing, the cost and complexity of HIPAA-specific tools may not be warranted. Strong security practices applied to standard tools achieve most of the practical protection.

The tools that come up most often in this context:

  • Video sessions: Doxy.me, Zoom Healthcare (more expensive than standard Zoom), Spruce Health
  • Scheduling: Many scheduling tools have BAA options for healthcare settings
  • Notes and records: Jane App, Practice Better, and similar coaching-adjacent practice management tools have HIPAA-ready versions or modes

State-Level Health Privacy Laws

HIPAA is federal, but state laws can impose additional privacy requirements that apply to health coaches even when HIPAA doesn't.

Several states have health data privacy laws that are stricter than HIPAA in scope:

California: The Confidentiality of Medical Information Act (CMIA) covers a broader range of entities than HIPAA, including some that are not covered entities under federal law. Health apps and services may fall under California's stricter rules.

Washington: The My Health My Data Act (passed 2023) broadly covers consumer health data collected by entities that are not HIPAA-covered. This may apply to health coaches serving Washington residents.

Other states: The patchwork of state health privacy laws is growing. If a significant share of your clients live in particular states, it's worth a quick check on those states' requirements.

Practical Steps for Health Coaches

Work through this checklist:

Assess your position: Are you an independent health coach working directly with self-referred clients? Probably not a covered entity. Are you working with or within a healthcare organization? Possibly a business associate. Are you receiving clinical records from covered entities? Ask a lawyer.

Review your coaching agreement: Does it have a clear disclaimer about the nature of health coaching vs. medical advice? A confidentiality clause covering health information? If not, update it. The coach's legal toolkit has the full framework.

Secure your data: Even without HIPAA, handle client health data as sensitively as you'd want your own handled.

Know your referral relationships: If healthcare providers regularly refer clients to you and send health records, get clarity on your obligations.

If you're approached by a healthcare organization: Before signing anything, understand whether a BAA is involved and what it requires. Have a lawyer review it if you're uncertain.

The Real Question Behind the HIPAA Question

Most health coaches asking about HIPAA aren't really asking about a specific regulatory framework. They're asking: "Am I handling my clients' health information responsibly?"

The answer to that question doesn't live entirely in federal law. It lives in how you treat sensitive information, how you communicate your role and its limits, and whether your clients can trust that what they share with you stays between you.

Those standards apply regardless of whether HIPAA technically governs your practice.

Disclaimer: This article provides general information about HIPAA and health privacy as it relates to coaching. It is not legal advice. HIPAA applicability depends on specific facts and circumstances. State laws vary. Consult a qualified attorney for advice specific to your coaching practice and client relationships.