In this series on Demystifying Health Coaching, we’re excited to offer clarity on some common misconceptions we often encounter in the health and wellness worlds. These articles are meant to generate important dialogues about the past, present and future of health coaching – and without conversation there is no dialogue! We look forward to thoughts from our community on these articles and suggestions for future topics.
Building a coaching business takes more than a certification, a specialty and clients. When building your business, it’s important to create a system that works efficiently for you and your clients and protects you both from liability. While much of this can be covered upfront in client contracts (check out our webinar with wellness lawyer Barbara Zabawa for more on that!), it’s also important to ensure you’re using the right tools and following best practices to keep your clients’ health data and personal information safe.
Here’s the thing – especially as of late, we’ve seen plenty of misinformation surrounding HIPAA compliance and data privacy in the health coaching world, so we want to, first and foremost, dispel those misconceptions.
What is HIPAA and who needs to comply?
HIPAA is a US federal law enacted in 1996 to help modernize the healthcare system and allow for safe exchanges of information. The primary goal of the law is to protect patients’ private health information and to set limits and conditions on its use and disclosure; in particular, patient authorization is required before information is shared beyond the patient and their provider.
Here’s where we get into the nitty gritty. HIPAA currently applies to healthcare providers (certified healthcare providers with a National Provider Identification Number), health plans, healthcare clearinghouses and business associates (those who process billing, claims, etc. on behalf of the aforementioned entities). Health coaches are not presently considered a covered entity, unless they are otherwise a healthcare provider such as an RN, a clinician, etc. (see here for a comprehensive list), and therefore they are not mandated by law to comply with HIPAA.
Even without HIPAA, you must protect client information.
Although health coaches are not technically required by law to abide by HIPAA, health coaching certification entities like the NBHWC still recommend that coaches familiarize themselves with the general principles and best practices for storing and protecting patient information – and we agree wholeheartedly!
Overall, when beginning to work with your clients, it’s important to understand the measures you’re taking to protect their data. That data includes personal info like email addresses and phone numbers, as well as health data like client notes, prescriptions, diagnoses and any other health information they disclose to you. You may want to consider incorporating a clause in your contract about your client privacy practices, and counsel your clients on how you plan to keep their data safe.
What can I do to protect my client’s data?
Especially as more coaches operate in remote or hybrid environments post-pandemic, most of us are incorporating digital tools within our practice, and many of us are using YourCoach to centralize the process! First and foremost, if you are not using a platform such as YourCoach, then whenever you’re using digital tools to communicate with clients, take notes, exchange emails or messages, share photos and more, it’s important to understand the risks of each and every tool. If you’re storing client notes on your computer, you’ll need to secure your WiFi network and encrypt your hard drive to protect both your data and your connection. If you’re using other tools, like Gmail, WhatsApp, or text messages on your phone, you’ll also have to review their privacy policies and use strong, unique passwords for each account.
Beyond technology, it’s important that you follow general best practices to honor your clients’ privacy. This includes taking video or phone calls in a quiet place, out of earshot of others; avoiding working in public spaces where possible; using a privacy screen protector and locking your computer when others are around; and maintaining confidentiality between you and your clients.
What is YourCoach doing to protect my data?
One of the many great parts about YourCoach is that we think through all of this for you! Instead of having to evaluate the security of multiple tools – decentralizing your practice and creating an organizational minefield for you and your clients – we’ve created a safe space to communicate with clients, aggregate written and voice notes, exchange content and more. We are HIPAA compliant, and we constantly evaluate the latest risks to ensure we keep your info and your clients’ info safe.
We use industry-standard security measures designed to protect the confidentiality of personally identifiable information under our control and appropriately limit access to it. We have taken physical, electronic, and administrative steps designed to safeguard and secure the information we collect from users of the Platform. Even better, we never download data to your devices, so unless you’re screenshotting client info, this data should never leave your virtual home, our platform.
- Where do they store your info?
- Do they sell or share the data, and if so, with whom?
- Do they have a BAA (business associate agreement) in place with each of their vendors?
- Do they conduct vulnerability and penetration testing of their platform?
- Has everyone in their organization completed HIPAA training?
- Do they address the OWASP Top 10 in their security practices?
- Do they have information security policies that everyone in their organization is familiar with?
Sometimes, it takes a village to build a business, and we’re here every step of the way to empower you with the knowledge you need to run your health coaching practice. As your virtual home for health and wellness coaching, our number one goal is to create a safe space for you and your clients so that you can focus on the things that matter most – their health goals!