
Does HIPAA Apply to Coaches? The Covered Entity Test for Mental Health and Life Coaches

By Joseph Abear

HIPAA generally does not apply to mental health coaches or life coaches, because HIPAA regulates only Covered Entities and Business Associates as defined at 45 CFR § 160.103, and a coach who never bills insurance electronically and never handles PHI for a covered healthcare provider is neither. Two facts complicate that clean answer. First, specific business arrangements can pull a coach inside HIPAA. Second, falling outside HIPAA does not mean falling outside the law: the FTC Health Breach Notification Rule and state consumer health data statutes now cover much of the territory HIPAA leaves open, and they have produced real penalties.

TL;DR: Quick answer

  • HIPAA applies to Covered Entities (health plans, clearinghouses, and providers that transmit health information electronically in standard transactions) and their Business Associates, per the definitions at 45 CFR § 160.103; coaching by itself fits neither category.
  • A coach becomes regulated by working for or with a Covered Entity (as a Business Associate under § 164.308(b), with a signed BAA) or by billing health insurance electronically for services that count as health care.
  • The FTC Health Breach Notification Rule covers health apps and records vendors outside HIPAA; GoodRx paid a $1.5 million civil penalty in the rule's first enforcement action (2023), and 2024 amendments made unauthorized ad-tech disclosures an explicit breach.
  • Washington's My Health My Data Act (effective March 31, 2024, with a private right of action) and California's CMIA as expanded by AB 2089 reach "consumer health data" and mental health app information that coaches routinely collect.
  • Client expectations do not track legal categories: session notes about anxiety, medication, or trauma deserve encrypted, access-controlled handling whether or not a regulator requires it.

The applicability test under 45 CFR § 160.103

HIPAA does not regulate professions, topics, or data types in the abstract. It regulates two kinds of organizations. A Covered Entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (insurance claims, eligibility checks, and similar). A Business Associate is a person or company that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a Covered Entity.

Run a coaching practice through that test. Coaching is generally unlicensed and rarely billable to health insurance, and most coaches take direct payment. No standard electronic transactions means no Covered Entity status. No work performed for a Covered Entity means no Business Associate status. The same notes about a client's depression that would be PHI in a therapist's hands are simply sensitive personal information in a coach's hands, because PHI is defined by who holds the data, not by what the data says.

When does a coach actually fall under HIPAA?

Three arrangements change the answer:

  • Working for or with a Covered Entity. A coach embedded in a therapy practice, hospital wellness program, or employer health plan who receives PHI to do the job is a Business Associate. The Covered Entity must execute a BAA under § 164.308(b) and § 164.504(e), and the coach inherits Security Rule obligations: safeguards under § 164.308, § 164.310, and § 164.312, plus breach duties under §§ 164.400-414.
  • Billing insurance electronically. Some health coaches working under physician supervision or within integrative practices bill payers for covered services. Electronic claims submission is a standard transaction, and a provider who furnishes health care and submits them becomes a Covered Entity in their own right.
  • Dual-licensed practitioners. A licensed therapist who also offers "coaching" does not exit HIPAA by relabeling sessions; if the practice is a Covered Entity, counsel should treat the coaching arm with great care rather than assuming it is carved out.

The analysis parallels the one we walk through for alternative health practitioners and for naturopathic doctors: the trigger is always transactions and relationships, never the job title.

The real exposure for most coaches: FTC and state law

Coaches who conclude "HIPAA does not apply to me" often stop the analysis a step too early. Federal and state regulators built a second fence around exactly the kind of health-adjacent data coaching generates.

FTC Health Breach Notification Rule

The HBNR covers vendors of personal health records and related entities that are not regulated by HIPAA, which is where many coaching apps, habit trackers, and client portals sit. The FTC's first enforcement action, against GoodRx in February 2023, produced a $1.5 million civil penalty for sharing user health information with advertising platforms without authorization and failing to notify users. The 2024 amendments to the rule made the point explicit: an unauthorized disclosure of identifiable health information to a third party, including ad networks and analytics tools, is a reportable breach. A coach whose intake platform leaks client data to a tracking pixel has an HBNR problem, not a HIPAA problem, and the FTC has shown it will pursue it.

State consumer health data laws

Washington's My Health My Data Act took effect March 31, 2024 (June 30, 2024 for small businesses). It covers "consumer health data" broadly, including mental health information and even inferences about health, requires opt-in consent for collection and sharing, and carries a private right of action, meaning clients themselves can sue. California's Confidentiality of Medical Information Act, expanded by AB 2089, now treats mental health application information, including inferred mental health status, as medical information when collected through mental health digital services. Several other states have followed with consumer health data statutes. A coach with clients in those states is inside their scope regardless of HIPAA status.

Why HIPAA-grade infrastructure still makes sense for coaches

The practical takeaway is that the safeguards are worth having even when the statute that names them does not apply. Encryption at rest and in transit, unique logins, audit logging, and access controls (the controls HIPAA enumerates at § 164.312) are also the controls that satisfy MHMD's "reasonable security" expectations, reduce HBNR breach risk, and protect a practice's reputation when a laptop disappears. Three concrete moves:

  • Intake forms. A coaching intake form asking about anxiety, medications, or sleep should not email submissions in plaintext through a consumer form plugin. The mechanics are identical to the therapist scenario in making therapist contact forms compliant.
  • Site hosting. If client health information flows through your website at all, host it on infrastructure with encryption, logging, and a provider willing to sign a BAA, so the setup survives a future move into Business Associate territory. Our breakdown of who needs HIPAA-compliant hosting includes the not-technically-covered case.
  • Vendor inventory. Know which tools (scheduling, notes, video, email) hold client health information and what each vendor's terms say about it. Under MHMD-style laws, sharing with an analytics vendor can require consent you never collected.

Disclosure: hipaacomplianthosting.com provides managed HIPAA hosting, including for practitioners who want HIPAA-grade safeguards without being covered themselves; that is our business. The broader requirements are covered in our complete HIPAA-compliant hosting guide.

Frequently asked questions

Does HIPAA apply to life coaches?

Almost never directly. A life coach who takes direct payment and has no contracts with healthcare providers is neither a Covered Entity nor a Business Associate under 45 CFR § 160.103. State consumer health data laws and the FTC HBNR can still apply.

Does HIPAA apply to mental health coaches?

Not by default, but mental health coaching sits closest to the line. Working inside a therapy practice, receiving referrals with records attached, or billing insurance can each create HIPAA obligations, and mental health data is exactly what AB 2089 and Washington's MHMD were written to cover.

Can a coach voluntarily become HIPAA compliant?

A coach can adopt HIPAA's safeguards (encryption, access controls, audit logging, signed BAAs with vendors) without being a regulated entity. There is no certification to obtain; no official HIPAA certification exists for anyone. Voluntary adoption is good practice and useful marketing only if described honestly.

What should a coach do before signing a contract with a clinic or therapist?

Expect a BAA, and understand that signing one makes you a Business Associate with direct liability under the Security Rule and Breach Notification Rule. Price the compliance work (secure systems, policies, a documented risk analysis under § 164.308(a)(1)(ii)(A)) into the engagement.

Is client coaching data legally unprotected if HIPAA does not apply?

No. The FTC Act and HBNR, Washington's My Health My Data Act, California's CMIA, and a growing list of state statutes protect consumer health data held by non-HIPAA businesses, several with private rights of action.

This article is general information, not legal advice. Whether HIPAA, the FTC HBNR, or a state statute applies to your practice depends on facts a qualified attorney should review; base any safeguards on a documented risk analysis. Reviewed June 2026.
