fbpx Skip to content

Client Confidentiality Is Crucial

5 tips to better protect your clients' privacy and reduce your liability risks.

As a fitness professional and a business owner, you often develop close working relationships with your clients, and you learn a great deal about their lives, health, medical conditions, goals and fears. Your clients have every right to expect that such information will be kept confidential. It is in your best interests to ensure that it is protected.

Here are just a few of the many reasons why client privacy should be prioritized:

  • In the United States, physicians are subject to very stringent health privacy laws, contained notably in the federal Health Insurance Portability and Accountability Act of 1996, or HIPAA. While personal trainers generally are not subject to the same privacy laws as doctors, in certain contexts trainers and facility owners may be subject to laws about privacy and/or data security. For more information, see the sidebar “Free Data Security Resources.”
  • Most certification groups require that fitness professionals respect client confidences.
  • Fitness professionals who fail to maintain client privacy can suffer damage to their professional reputation and even financial losses to their business.

To protect against potential legal risks, liabilities and negative consequences, you need to understand privacy and confidentiality obligations—and you need to have a solid plan in place for ensuring that they are met. This article explores the top five issues to consider when you’re striving to protect client privacy and confidentiality:

1. Consider the Impact of Client Agreements and Policies

When evaluating whether various mechanisms are sufficient to protect client confidentiality, direct your attention to the agreements and policies that govern the client relationship. This includes personal training, client or membership agreements. Be sure that these agreements outline the terms and conditions of the relationship and that they clearly state any limitations or exclusions to client confidentiality. Also, if you operate a website that allows client interaction, the website should display a privacy policy that explains how clients’ data might be collected, used and disclosed. At a minimum, be mindful of the commitments clients have made in these policies and agreements, in order to ensure full compliance with the terms thereof.

If no agreements and policies are in place, now is the time to consider implementing them. The policies and agreements should explain the extent of confidentiality obligations and/or any limitations to those obligations. This can also help clients feel more comfortable when they’re exchanging pertinent information with you. Design your agreements to address the realities of your situation. Sample agreements and policies can be found on the Internet. RocketLawyer (www.rocketlawyer.com) provides access to customizable forms and policies. In addition, Direct Marketing Association (www.the-dma.org/privacy/privacypolicygenerator.shtml) and TRUSTe (www.truste.com/labs/PPG/demo1.html) offer privacy policy generators.

Note that once a privacy policy is posted or an agreement is executed, it becomes a binding legal obligation. Making sure that such policies and agreements accurately reflect your policies and procedures—not someone else’s—is essential.

2. Examine and Understand Applicable Law

While HIPAA’s rules are detailed and strict, they apply only to covered entities: healthcare providers, health insurers and healthcare clearinghouses. To a lesser extent, the requirements of HIPAA apply to companies known as business associates—the service providers to the covered entities. For most personal trainers, the strict requirements of HIPAA will not come into play. However, at the state level, a patchwork of laws protects various aspects of personal information and, among other requirements, mandates the reporting of certain breaches of information. These laws also require the implementation of technological security measures for certain types of data, and they place limitations on the collection and use of certain types of data and information. For more about these laws, see the compilation assembled by the National Commission of State Legislatures at www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx.

3. Protect Against Common Threats to Privacy and Confidentiality

Your next steps are to evaluate the common threats to client privacy and confidentiality and then to implement mechanisms to reduce the risks of those threats. For many companies, the threats include hacking and other forms of electronic intrusion. If you maintain information electronically, be prepared to protect yourself against such attacks, and know how to respond quickly if you fall victim to them. Common vulnerabilities arise through the sharing of computers and other devices and reliance on vendor-default passwords.

When implementing an information security program, apply the following:

  • Train your employees on data security.
  • Protect information, computers and networks from cyber attacks by installing virus protection software and firewall security and by staying current on all updates.
  • Secure all mobile devices.
  • Control physical access to your computers, and create a user account for each employee.
  • Secure your Wi-Fi networks.
  • Limit employee access to data and information.
  • Limit who has authority to install software.
  • Implement good password policies by requiring employees to use unique passwords and to change passwords on a regular basis.

See the sidebar “Free Data Security Resources” to learn more about how to protect your business from unwanted online intrusions.

4. Have a Social Media Action Plan

As social media has created new opportunities for exchanging information, resources and ideas, it has also led to new privacy risks. Have you thought about how you and your employees should interact with clients through social media? Common considerations include

  • the extent to which trainers and their clients should be encouraged to interact on social media,
  • information that you can and cannot share on social media regarding your clients, and
  • the permissibility of sharing of photographs and videos involving clients through social media.

Adhering to social media parameters will help you maintain a professional appearance, and it can ward off any interactions that might negatively affect your business.

5. Provide Employee Training, and Manage Your Service Providers

Business owners will have additional compliance challenges, particularly with respect to managing staff and service providers. For example, whenever you share client information with a third-party service provider or vendor, it is essential to ensure that this third party is bound by stringent confidentiality agreements. Consider a database engineer who has been hired to update your software. If the engineer has access to data—such as client or customer contact information, training details and health information—that service provider should be subject to a written agreement that prohibits using and/or disclosing the information for any purposes not related to the software upgrade.

Another challenge is to ensure that employees respect confidentiality obligations. Fitness professionals rarely disclose client information for nefarious purposes. However, trainers and other facility employees occasionally get caught up in gossip, or otherwise breach client confidences unintentionally. Reduce the likelihood of such infractions by requiring that all employees adhere to written agreements to maintain the confidentiality of that information. More important, conduct comprehensive training upon employee on-boarding, with regular updates as needed, to ensure that all employees are aware of the extent and the importance of their obligations.

Even a seemingly small and completely unintentional disclosure of client information can negatively impact your business. However, it does not take significant effort to reduce the risks of breaches of confidentiality. In recognition of the potentially serious consequences, protect your clients’ privacy by implementing systems without delay.

SIDEBAR: Free Data Security Resources


Jacqueline Klosek

Jacqueline Klosek is an attorney with Goodwin Procter LLP in New York City. She is the author of numerous privacy books, including Protecting Your Health Privacy (Praeger 2010). She may be reached for comment at jklosek@goodwinprocter.com

Related Articles