Quick Answer: HIPAA generally does not apply to independent running coaches, since coaches aren't "covered entities" (healthcare providers, health plans, or healthcare clearinghouses) under the law. HIPAA can apply in specific situations: if you bill a client's health insurance directly, work under contract with a healthcare provider (physical therapist, doctor), or participate in a company wellness program tied to a group health plan. Even when HIPAA doesn't legally apply, you're still expected to protect client health information under general privacy obligations, professional ethics codes, and your state's data privacy laws, and doing so is good practice regardless of what's legally required.
New coaches often either over-worry about HIPAA compliance or ignore data privacy entirely because "HIPAA doesn't apply to me." Both reactions miss the actual answer: HIPAA mostly doesn't apply, but that doesn't mean client health data handling doesn't matter.
Does HIPAA Actually Apply to You?
HIPAA's privacy rule applies specifically to "covered entities": healthcare providers, health plans, and healthcare clearinghouses, plus their "business associates" handling protected health information (PHI) on their behalf. Independent running coaches, personal trainers, and most fitness professionals fall outside this definition by default.
The exceptions where HIPAA can apply to a coach:
- You bill a client's health insurance directly for your services.
- You're contracted with a healthcare provider (a physical therapist's office, a doctor's practice) and handle PHI as part of that arrangement, making you a "business associate."
- You're a wellness provider for a corporate wellness program that's formally part of a group health plan.
Bottom line: For the large majority of independent running coaches working directly with individual paying clients, HIPAA simply doesn't apply. If any of the three exceptions above describes your situation, get specific legal guidance, since business associate status carries real compliance obligations.
Why "HIPAA Doesn't Apply" Isn't the Same as "Anything Goes"
Even without HIPAA, you're still collecting genuinely sensitive information: injury history, medical conditions, medications, sometimes mental health context relevant to training. A few things still apply regardless of HIPAA status:
- Professional ethics codes. Most certifying organizations' codes of conduct (RRCA, USATF, and similar bodies across the fitness industry) include confidentiality expectations as part of their professional standards, separate from any legal requirement.
- General privacy law. Most states have some form of data privacy or breach notification law that can apply to any business handling personal information, not just healthcare-specific law like HIPAA.
- Your own liability exposure. A privacy breach (a leaked spreadsheet, a hacked email account with client medical disclosures) can itself become grounds for a claim against you, separate from any training-related injury claim.
- Simple client trust. Athletes share genuinely personal information with their coach. Treating it carelessly damages the coaching relationship even where no law is technically broken.
Bottom line: Skip the anxiety about HIPAA compliance you likely don't need, but don't skip basic data hygiene just because the strictest healthcare-specific law doesn't apply to you.
Practical Steps to Protect Client Data
A few concrete habits cover most of what matters for a typical independent coach:
- Use secure, reputable platforms for storing client information rather than scattering it across unsecured personal notes apps or shared documents with no access control.
- Limit what you collect. Only ask for health information that's actually relevant to coaching the client safely (injury history, relevant medical conditions affecting training) rather than collecting broad health data you don't need.
- Don't request medical records directly from a client's physician. If a medical release is genuinely needed, the standard protocol is to have the physician give the information to the client, who then shares it with you, rather than you requesting it directly from the provider.
- Secure your communication channels. Be thoughtful about where you discuss sensitive health details: screenshots, group chats, and unsecured email are poor places for sensitive disclosures.
- Have a basic privacy policy, even informal, that explains to clients what information you collect and how you use it. This is good practice for any business collecting personal data, not just a HIPAA-specific requirement.
- Secure your devices and accounts with strong, unique passwords and, where available, two-factor authentication, particularly for whatever platform stores your client roster and program history.
Bottom line: None of this requires legal expertise or expensive compliance software. It's mostly disciplined basic practice: collect only what you need, store it securely, and don't share it carelessly.
What to Look For When Choosing Coaching Software
Since most coaches now manage client data through some kind of software platform rather than paper files, a few questions are worth asking about any platform you use:
- How is data encrypted, both in transit and at rest?
- What's the platform's data export policy if you ever need to leave it?
- Does the platform have a clear privacy policy explaining what it does with client data?
- Who has access to client information within the platform: just you, or is it shared more broadly?
Bottom line: You don't need a platform that advertises "HIPAA compliant" unless you fall into one of the exception categories above, but reasonable security practices (encryption, clear data policies, access control) matter for any platform storing genuinely sensitive client information.
Frequently Asked Questions
If a client mentions a medical condition during a session, am I now subject to HIPAA?
No. HIPAA's applicability depends on your status as a covered entity or business associate, not on the type of information a client happens to share with you. An independent coach hearing about a client's medical condition during a normal coaching conversation doesn't trigger HIPAA on its own.
Do I need a formal privacy policy on my coaching website?
It's good practice even though it may not be strictly required depending on your state and how you operate. A simple, clear statement of what data you collect and how you use it is a low-effort step that builds client trust and covers a reasonable baseline expectation.
What should I do if I accidentally share a client's sensitive information (e.g., a wrong-recipient email)?
Address it directly and promptly with the client involved, be transparent rather than hoping it goes unnoticed, and review how the mistake happened to prevent recurrence. Even without a legal breach-notification requirement applying to your situation, handling it honestly protects the relationship and your reputation.
Should I ever request a client's full medical records?
Generally no, and definitely not by contacting their physician directly yourself. If a medical clearance or release is genuinely needed for safety reasons, have the client obtain it from their provider and share it with you directly, rather than requesting records yourself.
Does coaching software handle data privacy for me automatically?
No platform fully removes your responsibility. Choosing a platform with reasonable security practices reduces risk, but you're still responsible for what you collect, how you discuss it with clients, and how carefully you handle access to it.
The Bottom Line
For the large majority of independent running coaches, HIPAA simply doesn't apply, but that's not a reason to handle client health information carelessly. Collect only what you genuinely need, store it on a secure platform, avoid requesting medical records directly from providers, and treat client disclosures with the same care you'd want for your own sensitive information. This isn't legal advice; if your situation involves insurance billing, a contract with a healthcare provider, or a corporate wellness program, get specific guidance on whether HIPAA applies to you.
Athletic Hybrid is built with reasonable data security practices for exactly this kind of sensitive client information, and it's free for unlimited clients with core Run, Strength, and Mobility programming included. Register free at athletichybrid.com.