Privacy and security for yoga teachers (HIPAA compliance)

Privacy and security for yoga teachers (HIPAA compliance)

Yoga teachers’ responsibilities concerning private student information
Yoga teachers and yoga therapists often handle student information that is considered private and sensitive. According to the Health Insurance Portability and Accountability Act (HIPAA), which became law in the U.S. in 1996, protected health information (PHI) is defined as “any individually identifiable health information relating to the past, present, or future health condition of the individual regardless of the form in which it is maintained (electronic, paper, oral format, etc.).”

PHI includes any health-related information that you receive or create during your work with the student if it contains individually identifiable information, such as a name, address, email address, medical record number, IP address, facial photos, or any other unique identifiers or codes. For example, if the student emails you a lab report, a physical therapy exercise sheet, or a doctor’s recommendations, and the document contains a name, email address, or other identifiable information, it’s PHI, and you’re responsible for keeping it safe. Moreover, any notes you take, whether paper or electronic, in the process of working with your student in which you identify your client in some way are considered PHI. Remember: HIPAA protects any data viewed as PHI.

According to the HIPAA, as a yoga teacher or therapist, you’re a covered entity, i.e., in a direct relationship with the individuals whose PHI you retain. As a covered entity, you bear certain responsibilities under the law that fall under two main categories: the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Privacy Rule focuses on protecting all PHI from a people perspective, and the HIPAA Security Rule establishes minimum safeguards for electronic PHI in terms of technological standards.

Under the HIPAA Privacy Rule, as a yoga teacher or yoga therapist, you’re required to do the following:

  • Avoid sharing private client information with anyone, even in casual or educational environments, unless it’s necessary for operating your practice.
  • If you must share a client’s PHI as a necessary part of operating your practice, you need to take two precautions:
    – Share the minimum amount of information necessary to perform the task.
    – Ensure that the businesses or people you share this information with (accountants, scheduling services, recordkeeping services, email/hosting companies, marketing services, IT firms, etc.) are HIPAA-compliant.
  • Never leave private records lying around; keep paper records locked in a cabinet and electronic records stored under password protection.
  • Always log out of websites and accounts before leaving your computer unattended.
  • Use a secure email service when sharing PHI.
  • Keep PHI records for at least six years.
  • Dispose of unnecessary records properly (shred paper records and erase electronic records completely).
  • Notify clients about any improper use or disclosure of records.
  • Make all records available to clients upon request.


Under the HIPAA Security Rule, as a yoga teacher or therapist, you’re required to set up the following safeguards to protect PHI:

Administrative safeguards: Contingency plans for emergencies (floods, fires, theft, etc.) and procedures for reporting security incidents to clients
Physical safeguards: Door locks and cabinet locks to protect paper records and computers, and data backups stored off-site
Technical safeguards: Encrypted computer hard drives (not required, but recommended), usernames and passwords, firewalls, and other access controls that discourage hackers and protect information from malware and viruses

In addition, as a yoga teacher or therapist, you need to do the following:

  • Provide all students with a HIPAA notice of privacy practices (and follow the responsibilities outlined in that document).
  • Store and transmit records securely (following the physical and electronic security requirements outlined above).
  • De-identify records by removing any identifiable information when using them as case studies or teaching examples.
  • Have action protocols for potential security breaches.
  • Ensure that organizations you use to manage students’ data are HIPAA-compliant and sign a business associate agreement with each organization.
  • (Recommended) Take HIPAA awareness training to understand the law’s intricacies more thoroughly.

These measures might seem overwhelming, but in reality, they are common sense and are already implemented in other industries. All our students should feel assured that whatever information they share with us is handled carefully and stored securely. It’s always better to be prepared than to be caught off guard.

How to ensure that an organization you work with is HIPAA compliant

If you need to share your students’ PHI with others (accountants, scheduling services, recordkeeping services, email/hosting companies, marketing services, IT firms, etc.) to operate your yoga business, you must ensure that each of these businesses is HIPAA-compliant.

Any third party that you must share PHI with to operate your business is viewed as a business associate who does not have direct contact with your students, but receives, maintains, transmits, or stores their PHI on your behalf. Business associates are regulated directly and are required to be HIPAA-compliant (i.e., have proper safeguards in place to protect PHI).

To establish a relationship with a third party that will handle your students’ PHI, you must enter into a business associate agreement, which is written assurance that a business associate will safeguard PHI that was entrusted to them appropriately. This agreement also outlines the business associate’s obligations; it can be either a new contract or an addendum to an existing service contract.

In addition, to become HIPAA-compliant, an organization must implement several key components to abide by the HIPAA Privacy Rule and Security Rule.

To comply with the HIPAA Privacy Rule, an organization must do the following:

Appoint a compliance officer, who will take responsibility for implementing and overseeing HIPAA privacy compliance at the organization.
Conduct regular HIPAA awareness employee training to instruct employees on proper handling of PHI.
Maintain formal documents and controls that protect PHI. These documents should include formal policies and procedures, patients’ rights documents, business associate agreements, breach notifications, and employee sanction policy.

To comply with the HIPAA Security Rule, an organization must do the following:

  • Appoint a security officer who will be responsible for implementing and overseeing HIPAA security compliance at the organization.
  • Conduct regular HIPAA Security Employee Training for compliance and security officers, as well as IT staff.
  • Conduct HIPAA security risk assessments to compare the organization’s information technology standards with federal IT standards for HIPAA security to identify and fix any deficiencies.
  • Maintain formal documents and controls that protect electronic PHI (e-PHI), including formal policies and procedures, security protocols, contingency plans, data backup policies, results from security risk assessments, and steps taken to fix deficiencies.


Whenever you decide to entrust your students’ PHI to an organization, you need to ensure that their records stay protected and secure. You should ask a series of questions concerning the above items to confirm that the organization is HIPAA-compliant. Asking questions about the organization’s HIPAA compliance and entering into a business associate agreement attest that both parties agree to abide by HIPAA and do their part in protecting PHI.

Sequence Wiz HIPAA compliance

At Sequence Wiz Student Management System, we take our responsibilities relating to HIPAA compliance very seriously. All new and existing members are required to enter into a Business Associate Agreement as part of the regular Service Agreement, which clearly outlines the responsibilities of the yoga teacher or therapist as a covered entity and Sequence Wiz as a business associate. We have appointed a compliance officer and a security officer, and our staff regularly undergoes HIPAA awareness training and HIPAA security training. We maintain all required documents and controls that spell out the formal policies and procedures for handling PHI.

Sequence Wiz has also implemented a number of technological safeguards that meet and surpass industry standards to facilitate your compliance with HIPAA: patient/client information is transferred using 168-bit SSL encryption, accounts require secure login with optional two-factor authentication, the production environment is protected by stand-alone firewalls with access limited to authorized personnel via encrypted channels, and offsite backups are made daily and stored in an encrypted state. We also offer a sample HIPAA Notice of Privacy Practices to govern the use and disclosure of protected health information between you and your students. You can read our full HIPAA statement here >