Yoga teachers and therapists often handle student information that is considered private and therefore bear certain responsibilities under HIPAA. It is the personal responsibility of every yoga teacher and yoga therapist to be HIPAA compliant. In addition, if you need to share your students’ Protected Health Information (PHI) with others (accountants, scheduling services, recordkeeping services, email/hosting companies, marketing services, IT firms, etc.) to run your yoga business, you must ensure that each one of those businesses is HIPAA compliant.
Under HIPAA, you are considered a Covered Entity, which means that you are in a direct relationship with the individuals whose PHI you retain. Any third party that you must share PHI with to run your operations is considered a Business Associate. A Business Associate does not have direct contact with your students but receives, maintains, transmits, or stores their PHI on your behalf. Business Associates are directly regulated and required to be HIPAA compliant (i.e., to have the proper safeguards in place to protect PHI).
To establish a relationship with a third party that will be handling the PHI of your students, you must enter into a Business Associate Agreement with them. A Business Associate Agreement is a written assurance that a Business Associate will appropriately safeguard the PHI entrusted to them. This agreement also outlines the obligations of the Business Associate; it can be either a new contract or an addendum to an existing service contract.
In addition, to become HIPAA compliant, an organization must implement several key components required by the HIPAA Privacy Rule and the HIPAA Security Rule.