Trainerize and HIPAA

What is HIPAA?

HIPAA is the United States federal Health Insurance Portability and Accountability Act, which seeks to protect the confidentiality and security of healthcare information. Under the HIPAA Privacy Rule, "covered entities" (including health plans, health care providers, and health care clearinghouses) are required to use appropriate safeguards to protect the privacy of protected health information (PHI).

When a covered entity uses a service provider (a “Business Associate”), such as a software provider, to process PHI, it must make sure that the service provider agrees to properly secure PHI on behalf of the covered entity. This is typically achieved by contractually obligating the service provider to adhere to the HIPAA privacy and security rules through a Business Associate Agreement (BAA) or Business Associate Contract.

Will Trainerize sign a BAA?

The majority of businesses we serve are gyms and corporate wellness companies, or personal trainers, nutritionists and other fitness professionals. They do not fall under the scope of HIPAA.

Complying with HIPAA has two components - privacy protocols and infrastructure security. We already conduct routine security audits for vulnerabilities and have a strict data security process in place, which covers many of the best practices as outlined by HIPAA. 

Entering into a BAA will require us to hire an accredited accounting firm to perform costly HIPAA audits every year, a cost we will ultimately need to pass on to our end users.

As such, we will not sign BAAs, as most of our user base is not made up of HIPAA covered entities.

If you do require HIPAA compliance, we advise you to seek out a HIPAA-compliant solution specific to your industry. Alternatively, seek legal advice from a licensed attorney with appropriate expertise and authorization to practice in your jurisdiction about what your exposure to HIPAA is and whether continued use of Trainerize is consistent with your HIPAA risk profile for a business of your size.

Security and Privacy at Trainerize

Your data’s security and privacy are extremely important to us. You trust Trainerize every day to keep your business's information secure, and responsible custodianship is very important to us.

  • To review our contract with you and your clients, please see our Terms of Service.
  • For additional information on the information we collect and how it may be used, please review our Privacy Policy.

Our Infrastructure

We run Trainerize on the leading cloud platform, Amazon Web Services, the same platform that powers Netflix, Disney, Airbnb and NASA, to name a few. For more information about their certification and compliance, please visit the AWS Security website and AWS Compliance website.

Encryption and Data Privacy

All data transmitted between the web/mobile app and the cloud is secured via HTTPS. Each business’s data accessed via the API is strictly partitioned so that another business cannot access your information.

Access to our production data and systems is highly constrained to key personnel. It is our policy that data does not leave AWS onto anyone’s local computer to completely eliminate any data leaks. 


We understand that you rely on the Trainerize services to work and derive income for your coaching services. We're committed to making Trainerize a highly available service that you can count on. You can review our current availability on our status page. Our infrastructure runs on AWS systems that are fault tolerant for failures of individual servers. Our managed hosting team staffs an around-the-clock on-call team to quickly resolve unexpected incidents.

Network Protection

In addition to sophisticated system monitoring and logging, firewalls are configured according to industry best practices, and unnecessary ports are blocked by configuration with AWS Security Groups.

Disaster Recovery

We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up nightly. The operations team is alerted in case of a failure with this system. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.

External Security Audits

We contract with respected external security firms who perform regular audits of the Trainerize services to verify that our security practices are sound and to monitor the Trainerize services for new vulnerabilities discovered by the security research community. In addition to periodic and targeted audits of the Trainerize services and features, we also use continuous hybrid automated scanning of our web platform.

If you have any questions that are not covered in these documents, or you need additional information, please contact us directly by submitting a request above. 

