
HIPAA Compliance for Health Coaches: What You Actually Need to Know

CardioMood Team, April 10, 2026

HIPAA gets a bad rap for being confusing and intimidating. For most health coaches, it’s a hazy, looming thing, something you know you should care about, but where do you even begin? In coaching, people either make HIPAA too complicated or ignore it altogether. Neither works.

Let’s cut through the mess and focus on the parts that matter for your everyday practice. No legalese, just the real stuff.

Does HIPAA apply to you?

It’s the question most people get wrong. Here's the answer: not always.

You need to follow HIPAA if you work with a clinic, hospital, or insurance provider and handle protected health information (PHI) for them, or if you are part of a larger care team that provides medical services. In those cases, HIPAA likely applies.

What if you’re an independent health coach, working with your own clients, outside of any medical system, not billing insurance, not providing clinical care? Most of the time, HIPAA doesn’t technically apply.

But this is where things get a bit trickier. Even if HIPAA doesn’t apply to you, your clients still expect privacy, security, and a professional way of handling their data. This is especially true if you work with sensitive information, such as heart rate, sleep, or other personal data. People do care about this.

So the real question you should ask isn’t just, “Do I have to be HIPAA compliant?” It’s, “Am I doing what’s needed for my clients to trust me with their data?”

This is where many coaches fall short

It’s common to send client updates on WhatsApp, swap sensitive info over email, jot down notes in Google Docs, or send screenshots back and forth. It works until something goes wrong. And then you’re not just facing legal headaches, but risking your reputation too.

One of the easiest ways to step things up: how you communicate. Using regular SMS, WhatsApp, or email? Well, everyone does it, but these tools weren’t designed for health data. You have no real control over how that info is stored or who might see it.

Secure, in-app messaging makes a difference

It’s encrypted. Access is controlled. The data lives inside the platform, not scattered across different apps and devices. Even if HIPAA doesn’t strictly apply, you’re reducing risks, looking more professional, and keeping everything tidy in one place.

Take a platform like CardioMood. It puts all of this in one environment:

  • Secure messaging between you and your client, so you’re not jumping between apps;
  • All the data, notes, and reports are stored together, which keeps things organized and reduces the chance of leaks;
  • Only authorized users get access, no gray areas.

There’s encryption

It sounds technical, but the point's simple: your data is locked up (both when it’s sitting on a server and while it’s being sent back and forth) so only the right people can see it. Even if someone got their hands on it, it would look like gibberish.

Modern platforms handle all this “at rest” (in storage) and “in transit” (on the move, when being sent). CardioMood does both, so you don’t have to stress about the details.
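To make “at rest” concrete, here is an added example (not CardioMood’s code, and not a description of how its platform is built) that encrypts a client note with AES-256-GCM before it would be written to storage, then shows the two properties the paragraph above promises: the stored blob is unreadable without the key, and any tampering with it is detected rather than silently decrypted. The note text, the key, and the function names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 32-byte key (AES-256). In a real platform the
// key lives in a key-management service, never next to the encrypted data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptNote seals a plaintext note with AES-GCM (authenticated encryption).
// The stored blob is laid out as: nonce || ciphertext || authentication tag.
// A fresh random nonce per note is required; reusing one with the same key
// breaks GCM's guarantees.
func EncryptNote(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptNote opens a blob produced by EncryptNote. It fails (returns an error)
// if the key is wrong or if any byte of the blob was altered, because GCM
// verifies the authentication tag before releasing any plaintext.
func DecryptNote(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// TamperDetected flips one byte of a copy of the blob and reports whether
// decryption correctly refuses it. Used to demonstrate integrity protection.
func TamperDetected(key, blob []byte) bool {
	altered := append([]byte(nil), blob...)
	altered[len(altered)-1] ^= 0x01
	_, err := DecryptNote(key, altered)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample note, the kind of thing a coach might store.
	note := []byte("Client A: resting HR 58 bpm, slept 7h, reports low stress")

	blob, err := EncryptNote(key, note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) looks like gibberish: %x...\n", len(blob), blob[:16])

	back, err := DecryptNote(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted with the right key:", string(back))
	fmt.Println("tampering detected:", TamperDetected(key, blob))
}
```

The “in transit” half is the same idea applied to the connection rather than the file: the platform’s client and server talk over TLS, so the bytes on the wire are just as unreadable to anyone in between. What this example does not cover is key management, which is where most real-world at-rest encryption goes wrong: a key stored beside the data protects nothing.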

Client consent

It's less about the technology and more about the approach. You need a clear explanation of what you collect, how you use it, and where it’s stored. This sets expectations, builds trust, and protects you if questions arise. If a client might be surprised by what you do with their data, tell them upfront.

Keep your documentation simple:

Basic consent forms, clear terms of service, and a short privacy notice. Consistency is more important than a bunch of legal jargon.

Step back, and you start to see this isn’t just about checking compliance boxes. It’s really about professionalism and trust. Clients who trust how you handle their data open up more, stay engaged, and stick with you longer.

Bottom line

You don’t need a law degree to keep clients’ data safe. You just need to know when HIPAA lands on your plate, how to use solid tools, and have honest conversations about data. Do that, and you’re already ahead of most.

Not sure if your current setup is secure? See how CardioMood handles client data protection.
