If you're a health or wellness coach working with client health information, HIPAA compliance isn't optional—it's essential. This guide breaks down what you need to know.
HIPAA Compliance Made Simple
The Health Insurance Portability and Accountability Act (HIPAA) can seem overwhelming, but understanding the basics is crucial for any coach handling health information. This guide will help you understand your obligations and how to stay compliant.
Understanding HIPAA
HIPAA establishes national standards to protect individuals' medical records and other protected health information (PHI). The law applies to covered entities and their business associates.
Who Needs to Be HIPAA Compliant?
You likely need HIPAA compliance if you:
✅ Work with healthcare providers or facilities
✅ Bill insurance companies for coaching services
✅ Handle medical records or health information
✅ Provide services considered healthcare
✅ Work with clients' PHI in any capacity
✅ Store or transmit electronic health records
Who Might Not Need HIPAA Compliance?
❌ Pure life or business coaches with no health data
❌ Coaches who never access medical information
❌ Executive or career coaches without health focus
❌ Financial coaches with no health-related data
When in Doubt: Consult with a healthcare attorney. Better to be compliant when not required than non-compliant when you should be.
Key HIPAA Requirements
HIPAA consists of three main rules that coaches need to understand:
1. Privacy Rule
Controls how PHI is used and disclosed.
Key Requirements:
- Obtain client authorization before using PHI
- Provide Notice of Privacy Practices to clients
- Ensure minimum necessary use and disclosure
- Maintain privacy policies and procedures
- Designate a privacy officer
- Train staff on privacy requirements
2. Security Rule
Requires appropriate safeguards for electronic PHI (ePHI).
Three Types of Safeguards:
Administrative Safeguards
- Risk assessments
- Security policies
- Workforce training
- Incident response procedures
Physical Safeguards
- Facility access controls
- Workstation security
- Device and media controls
Technical Safeguards
- Access controls
- Audit controls
- Integrity controls
- Transmission security
3. Breach Notification Rule
Requires notification of breaches of unsecured PHI.
Notification Timeline:
- 60 days to notify affected individuals
- 60 days to notify HHS (if 500+ individuals)
- Without unreasonable delay in all cases
Essential HIPAA Safeguards
Let's break down what compliance looks like in practice.
Administrative Safeguards
Risk Assessment
- Identify where PHI is stored
- Evaluate potential threats
- Document vulnerabilities
- Create mitigation plan
- Update annually
Policies and Procedures
- Privacy policies
- Security procedures
- Breach response plan
- Employee training program
- Sanctions policy
Workforce Training
- Initial HIPAA training
- Annual refresher courses
- Role-specific training
- Document completion
- Test understanding
Physical Safeguards
Facility Access Controls
- Secure office space
- Visitor log
- Alarm systems
- Lock filing cabinets
- Secure disposal
Workstation Security
- Privacy screens
- Auto-logout after inactivity
- Positioned away from public view
- Clean desk policy
- Secure when unattended
Device and Media Controls
- Inventory all devices
- Encryption enabled
- Password protected
- Remote wipe capability
- Disposal procedures
Technical Safeguards
Encryption
- 256-bit AES encryption at rest
- TLS 1.3 encryption in transit
- Encrypted backups
- Encrypted emails
- Secure key management
Access Controls
- Unique user IDs
- Strong password requirements
- Multi-factor authentication
- Role-based permissions
- Automatic logout
Audit Controls
- Log all PHI access
- Monitor for unusual activity
- Review logs regularly
- Investigate anomalies
- Retain logs for 6 years
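The audit-control items above (log every PHI access, monitor for unusual activity, review and investigate, retain for six years) and the quarterly "Review audit logs" task later in this guide describe a process but not what a log review actually looks at. The script below is an added example, not Coachier's code or any part of its platform. It runs over a constructed JSON-lines access log (the field names, the 07:00 to 20:00 working window, the role-to-record permission map and the "more than five distinct clients in an hour" threshold are all assumptions chosen for illustration) and flags three patterns a coach's reviewer would want surfaced: access outside working hours, a role reading a record type it has no business need for, and one account touching many clients' records in a short window. It also computes the date until which each log entry must be kept under the 6-year retention requirement.

```python
"""Review a constructed PHI access log for the anomalies a HIPAA audit-control
process should catch. Added example; not Coachier's code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 20)   # assumed working window: 07:00 to 19:59 (log timezone)
BULK_CLIENTS = 5           # assumed: more than 5 distinct clients in an hour is unusual
RETENTION_YEARS = 6        # the 6-year log retention requirement from this guide

# Assumed role-to-record permissions for a small coaching practice (minimum necessary).
ROLE_RECORDS = {
    "coach": {"session_notes", "care_plan"},
    "billing": {"invoice"},
    "admin": {"all", "session_notes", "care_plan", "invoice"},
}

# Constructed sample audit log in JSON lines; names and IDs are made up.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:00Z","user":"coach_ana","role":"coach","client":"C-101","record":"session_notes","action":"read"}
{"ts":"2024-03-04T09:40:00Z","user":"coach_ana","role":"coach","client":"C-102","record":"care_plan","action":"read"}
{"ts":"2024-03-04T02:15:00Z","user":"coach_ana","role":"coach","client":"C-103","record":"session_notes","action":"read"}
{"ts":"2024-03-04T14:00:00Z","user":"bill_bob","role":"billing","client":"C-101","record":"invoice","action":"read"}
{"ts":"2024-03-04T14:01:00Z","user":"bill_bob","role":"billing","client":"C-101","record":"session_notes","action":"read"}
{"ts":"2024-03-04T15:00:00Z","user":"admin_zoe","role":"admin","client":"C-101","record":"all","action":"export"}
{"ts":"2024-03-04T15:02:00Z","user":"admin_zoe","role":"admin","client":"C-102","record":"all","action":"export"}
{"ts":"2024-03-04T15:04:00Z","user":"admin_zoe","role":"admin","client":"C-103","record":"all","action":"export"}
{"ts":"2024-03-04T15:06:00Z","user":"admin_zoe","role":"admin","client":"C-104","record":"all","action":"export"}
{"ts":"2024-03-04T15:08:00Z","user":"admin_zoe","role":"admin","client":"C-105","record":"all","action":"export"}
{"ts":"2024-03-04T15:10:00Z","user":"admin_zoe","role":"admin","client":"C-106","record":"all","action":"export"}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    """True when the access happened outside the assumed working window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def role_allows(role, record):
    """True when the role has an assumed business need for this record type."""
    return record in ROLE_RECORDS.get(role, set())


def find_anomalies(events):
    """Return (kind, user, timestamp) findings for a reviewer to investigate."""
    findings = []
    by_user = defaultdict(list)
    for event in events:
        if is_off_hours(event["ts"]):
            findings.append(("off_hours", event["user"], event["ts"].isoformat()))
        if not role_allows(event["role"], event["record"]):
            findings.append(("role_violation", event["user"], event["ts"].isoformat()))
        by_user[event["user"]].append(event)
    # Bulk access: count distinct clients touched by one user in any 1-hour window.
    for user, user_events in by_user.items():
        for i, first in enumerate(user_events):
            window_end = first["ts"] + timedelta(hours=1)
            clients = {e["client"] for e in user_events[i:] if e["ts"] <= window_end}
            if len(clients) > BULK_CLIENTS:
                findings.append(("bulk_access", user, first["ts"].isoformat()))
                break  # one finding per user is enough to trigger a review
    return findings


def retention_until(ts):
    """Date before which this log entry must not be discarded (6-year retention)."""
    try:
        return ts.replace(year=ts.year + RETENTION_YEARS)
    except ValueError:  # 29 February in a non-leap target year
        return ts.replace(year=ts.year + RETENTION_YEARS, day=1, month=3)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for kind, user, when in find_anomalies(parsed):
        print(f"{kind:15} {user:10} {when}")
    print("oldest entry retain until:", retention_until(parsed[0]["ts"]).date())
```

In the constructed log this flags coach_ana's 02:15 access, bill_bob (billing) reading session notes, and admin_zoe exporting six clients' records in ten minutes. A real review would also check that the log itself cannot be edited by the users it records, which is why the platform checklist later in this guide asks for tamper-proof logs.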
Business Associate Agreements (BAA)
Any service provider that handles PHI on your behalf must sign a Business Associate Agreement.
Providers Requiring BAAs:
- Coaching platform (like Coachier)
- Email service provider
- Cloud storage service
- Payment processor
- IT support company
- Billing service
- Transcription service
What a BAA Must Include:
- Definition of PHI and permitted uses
- Business associate's obligations
- Security safeguards requirements
- Breach notification procedures
- Subcontractor requirements
- Term and termination provisions
- Return or destruction of PHI
Coachier BAA: All Professional, Advanced, and Custom plan subscribers automatically receive a signed BAA. Request yours at hipaa@coachier.com or download from Account Settings.
Choosing a HIPAA-Compliant Platform
Your coaching platform is critical to HIPAA compliance. Look for these features:
Essential Platform Features:
✅ Signed BAA Available
- Offered to all customers
- Updated regularly
- Legally binding
✅ Encryption
- 256-bit AES at rest
- TLS 1.3 in transit
- Encrypted backups
✅ Access Controls
- Unique user accounts
- Role-based permissions
- MFA available
- Automatic logout
✅ Audit Logging
- Track all PHI access
- Tamper-proof logs
- 6-year retention
- Exportable reports
✅ Backups and Disaster Recovery
- Automated daily backups
- Encrypted storage
- Disaster recovery plan
- Regular testing
✅ Security Certifications and Audits
- SOC 2 Type II
- ISO 27001
- Regular audits
- Penetration testing
Why Coachier: We meet all these requirements and more. Our platform is built with HIPAA compliance as a foundation, not an afterthought.
Your HIPAA Responsibilities
Even with a compliant platform, you have ongoing responsibilities:
Privacy Practices
Notice of Privacy Practices
- Provide to all clients
- Explain how you use PHI
- Describe client rights
- Update as needed
- Maintain signed acknowledgments
Minimum Necessary Standard
- Only access needed PHI
- Limit sharing to essentials
- Train staff accordingly
- Document decision-making
Client Rights
- Access to records
- Request amendments
- Accounting of disclosures
- Request restrictions
- Confidential communications
Security Practices
Password Management
- Use strong, unique passwords
- Change regularly (every 90 days)
- Never share credentials
- Use password manager
- Enable MFA everywhere
Device Security
- Lock when unattended
- Encrypt all devices
- Update software regularly
- Use antivirus protection
- Secure WiFi connections
Physical Security
- Secure workspace
- Lock file cabinets
- Shred documents
- Position screens carefully
- Escort visitors
Communication Security
- Use encrypted messaging
- Avoid unsecured email for PHI
- Verify recipient identity
- Use secure fax
- Avoid public WiFi for PHI
Training Your Team
If you have staff, everyone must be trained:
Initial Training
- HIPAA overview
- Privacy Rule basics
- Security Rule requirements
- Breach procedures
- Role-specific duties
Annual Refresher Training
- Review key concepts
- Update on rule changes
- Review incidents
- Test knowledge
- Document completion
Training Documentation
- Training attendance records
- Test results
- Acknowledgment forms
- Certificates of completion
- Annual refresher proof
Breach Response Plan
Despite best efforts, breaches can happen. Have a plan:
Immediate Steps (Within 24 hours)
1. Contain the Breach
- Stop unauthorized access
- Secure affected systems
- Document everything
2. Assess the Scope
- What PHI was involved?
- How many individuals affected?
- How did breach occur?
- What's the risk level?
3. Begin Investigation
- Gather facts
- Interview involved parties
- Review logs
- Determine cause
Notification Requirements
Affected Individuals (Within 60 days)
- Written notice
- Description of breach
- Types of information involved
- Steps being taken
- What individuals should do
- Contact information
HHS (Within 60 days if 500+ affected)
- Online portal submission
- Detailed breach report
- Media notification if required
Business Associates (Without unreasonable delay)
- Notify of breach
- Provide relevant details
- Document notification
Post-Breach Actions
- Implement corrective measures
- Update policies if needed
- Retrain staff
- Document lessons learned
- Review incident response plan
HIPAA Compliance Checklist
Use this checklist to assess your current compliance:
Administrative
- [ ] Conducted risk assessment
- [ ] Designated privacy officer
- [ ] Designated security officer
- [ ] Written privacy policies
- [ ] Written security policies
- [ ] Breach notification procedures
- [ ] Employee training program
- [ ] Training documentation
- [ ] Sanctions policy
- [ ] BAAs with all vendors
Physical
- [ ] Secure facility access
- [ ] Workstation security measures
- [ ] Device inventory
- [ ] Media disposal procedures
- [ ] Visitor access controls
Technical
- [ ] Data encryption (at rest)
- [ ] Transmission encryption
- [ ] Access controls implemented
- [ ] Unique user IDs
- [ ] Audit logging enabled
- [ ] Log review process
- [ ] Automatic logout configured
- [ ] Password requirements enforced
Documentation
- [ ] Privacy policies
- [ ] Security policies
- [ ] Risk assessment
- [ ] Training records
- [ ] BAAs on file
- [ ] Notice of Privacy Practices
- [ ] Incident reports
- [ ] Log reviews
Common HIPAA Mistakes
Avoid these common pitfalls:
❌ Assuming you're too small - Size doesn't matter; if you have PHI, you need compliance
❌ Using personal email - Consumer email isn't HIPAA-compliant
❌ Skipping BAAs - All vendors accessing PHI need signed BAAs
❌ No risk assessment - Required and should be done annually
❌ Inadequate training - Staff must be trained initially and annually
❌ Poor documentation - If it's not documented, it didn't happen
❌ Ignoring mobile devices - Phones and tablets need same protections
❌ Unencrypted backups - All PHI backups must be encrypted
Staying Compliant
HIPAA compliance is ongoing, not one-time:
Annual Tasks
- Conduct risk assessment
- Review and update policies
- Train all staff
- Review BAAs
- Test breach response plan
- Update Notice of Privacy Practices if needed
Quarterly Tasks
- Review audit logs
- Test backups
- Review access controls
- Security incident review
- Policy compliance check
Monthly Tasks
- Review new team member training
- Check for software updates
- Review access permissions
- Incident documentation review
Continuous
- Monitor for security threats
- Respond to client requests
- Document everything
- Stay informed on rule changes
Resources and Support
Official Resources
- HHS Office for Civil Rights: hhs.gov/hipaa
- HIPAA Security Rule: Full rule text and guidance
- HIPAA Privacy Rule: Detailed privacy requirements
Professional Organizations
- NBHWC: National Board for Health & Wellness Coaching
- ICF: International Coaching Federation
- ICHWC: International Consortium for Health & Wellness Coaching
Coachier HIPAA Support
- Email: hipaa@coachier.com
- Security Team: security@coachier.com (24/7)
- Documentation: Help center articles
- BAA: Available in account settings
- Training: Webinars and guides
The Bottom Line
HIPAA compliance protects both you and your clients. While it requires effort and attention, it's not impossibly complex. With the right platform, policies, and practices, you can maintain compliance while focusing on what matters most—coaching your clients to success.
The key is to:
1. Understand if HIPAA applies to you
2. Implement required safeguards
3. Document everything
4. Train your team
5. Partner with compliant vendors
6. Stay current with requirements
Need a HIPAA-compliant coaching platform? Try Coachier free for 30 days and get access to all the security features and BAAs you need to stay compliant.