The HIPAA Privacy Rule
HIPAA gives healthcare consumers the legal right to know the privacy policies of their healthcare providers. It also entitles them to know their privacy rights under the law, especially about their personal health information (PHI).
HIPAA requires health insurance companies and other plans and care providers to distribute notices to consumers about their privacy policies and practices. PHI consists of nearly everything an insurer or service provider knows about a patient, including financial as well as medical information and the normal, basic intake information, and related notes.
The purpose of the Privacy Rule is to limit the release of patient medical information without proper authorization.
For example: as a routine part of processing claims for disability benefits, the Social Security Administration makes many requests to doctors, clinics, hospitals, and other providers for patient medical records. After HIPAA passed, SSA had to revise its standard authorization form to comply with the new law.
Covered Entities
The Privacy Rule applies to what the law terms “covered entities.” As a general rule, they are:
- Healthcare services providers
- Entities that process data about healthcare
- Health insurance companies and others such as Health Maintenance Organizations (HMO) and employer plans
In general, HIPAA defines healthcare traditionally, applying it to:
- Doctors
- Dentists
- Hospitals
- Pharmacies
- Medical Laboratories
- Chiropractors
- Clinics
Therefore, as a general rule, HIPAA does not apply to gyms, health clubs, wellness centers, weight-loss clinics or spas.
However, that’s only a general rule. Reality is more complicated.
Hybrid Entities
Some businesses contain covered divisions, so they are hybrid entities. For example: a supermarket has a pharmacy. The pharmacy is a covered entity and, therefore, must comply with HIPAA. However, HIPAA does not apply to information about what kinds of food the shopper buys at the regular supermarket checkout.
If a gym contracts with a sports medicine doctor to offer services to injured members, the government might consider it a hybrid entity like a supermarket with a pharmacy. That also goes for a weight-loss center with a doctor prescribing medication or a spa with a physical therapist or nurse on staff.
According to Lannan Legal PLLC, practicing in the hospitality industry, a spa or club that offers healthcare services is a covered entity. When they ask customers to complete questionnaires about their past and current medical conditions, including a standard Physical Activity Readiness Questionnaire (PAR-Q), that may become PHI covered by HIPAA.
The HHS [U.S. Department of Health and Human Services] regulations implementing HIPAA apply only to “Covered Entities,” which are defined to include “health care providers.” Depending on the services it provides, a spa or health club may or may not be a “health care provider.”
State Laws
Every state has its own laws governing the privacy of medical and healthcare information. Therefore, every business and franchise in the wellness space needs to understand the state laws governing it. These could be stricter or broader than the federal HIPAA law. Many states have laws against the unauthorized release of confidential information by a business, regardless of whether it is a HIPAA “covered entity.”
For example: a client hires a personal trainer. He tells the trainer about the lingering effects of an automobile accident he was in several years ago, so the trainer recommends exercises intended to help the client compensate for those effects, even though the training is not post-surgical and is not intended as rehabilitation. A professional personal trainer must keep such information confidential.
The National Law Review found that the definition of what makes up a health and fitness facility varies by state and warns that, “…the failure to understand which statutes apply to your business could result in fines and other penalties down the road.”
Electronic Privacy
A key aspect of maintaining privacy is the electronic transmission and storage of information. Every business needs to use modern database protection to safeguard all of its customer information, even if it is just a name, an address, and what product was bought. Every business dealing with health and wellness issues must secure all of its data, even something seemingly unimportant. If someone buys St. John’s Wort at a vitamin shop, this might show they suffer from symptoms of depression, which is a detail that should be kept private for the consumer.
HIPAA’s Security Provision requires covered entities to have:
- Security policies and procedures
- Safeguards for physical space and equipment
- Technical safeguards
- Security services
Use Technology to Protect Everybody Concerned
Every business that transmits or stores personal information, especially any data related to a person’s health, can protect itself by maintaining the physical and technological security of its computer systems. It must use the most up-to-date methods of database security and cloud integrity to protect itself against data breaches. By protecting the PHI of their customers and clients, these businesses also protect themselves from government action.
Tie National, LLC helps businesses rate and manage their technological solutions. Contact us today for a free consultation: (630) 518-9600.

Michael Durante spent his teenage years into his early 20s climbing the ladder in a branch of a successful banking firm, starting as a teller and ending as a Sr. Branch Manager within 6 years. In 2003, he left the banking world to join his father and create TIE National, a telecom company 60 years in the making. Together, they grew the company from a two-man operation solely working on telephones to a multi-million dollar international business with employees in over a dozen states, covering everything from phone systems to cloud products and computer systems. You can find Michael on LinkedIn.