Let me tell you what a coaching client actually tells you.

Not the version they put on LinkedIn. The real version. They tell you about the business that's failing and what it's going to cost them if they can't turn it around. They tell you about the marriage that's deteriorating while they work eighty hours a week. They tell you about the drinking that started after the last layoff. They tell you about the anxiety that's gotten so bad they've started avoiding phone calls. They tell you that they haven't felt like themselves in three years and they don't know who to talk to.

That's what happens in a coaching relationship. That's what happens when you create genuine psychological safety and a client finally stops performing.

Now let me ask you something. Where is that conversation stored?

If you're using a generic CRM, a consumer-grade scheduling tool, or a project management platform that someone repurposed for client notes — the honest answer is that you don't fully know. And neither do they. That's the problem we need to talk about.

The Legal Reality (and Why It Doesn't Protect You)

Here's the part that makes coaches feel comfortable: HIPAA doesn't apply to you.1 You are not a covered entity under the Health Insurance Portability and Accountability Act. You don't bill insurance. You don't diagnose or treat. Your session notes are not protected health information in the legal sense. (The one case worth checking: if a covered entity contracts you and hands you its patients' information, you can become a business associate and the rules follow the data. Ordinary executive and life coaching doesn't do that.) You can exhale.

But here's what I need you to sit with: your clients don't know that. When someone tells you about their depression, their substance use, their suicidal ideation last October — they are trusting you with something they have never told another person. They are trusting that the infrastructure holding that information is as protective as the relationship itself.

The legal exemption is not an ethical one. And in 2026, with enterprise clients scrutinizing every vendor in their supply chain for data handling practices, it's not a practical one either.

The International Coaching Federation's Code of Ethics is unambiguous: coaches must maintain confidentiality and have appropriate safeguards for client information.2 What the ethics code doesn't do is define what "appropriate" looks like architecturally. That gap is where a lot of coaching practices are quietly exposed.

What Your Clients Actually Bring Into the Room

Let's get specific, because the abstract version of this argument doesn't land.

The 2023 ICF Global Coaching Study found that the vast majority of coaching engagements involve topics that, in a clinical context, would generate protected health information.3 We're talking about leadership development, work-life balance, career transitions, personal development, and relationship dynamics — categories that in practice mean: mental health struggles showing up in professional performance, addiction and substance use affecting leadership decisions, grief, trauma history, family system dysfunction, financial ruin and the shame attached to it.

According to SAMHSA's 2022 National Survey on Drug Use and Health, 59.3 million adults aged 18 or older, 23.1 percent, experienced a mental illness in the past year; that is more than one in five.4 Your clients are a high-achieving subset of the general population, which does not make them immune to these numbers. If anything, research consistently shows that high performers are particularly vulnerable to unaddressed mental health challenges, precisely because their external functioning masks internal distress for longer.5

The executive who hired you to work on his leadership presence is also the one who told you, in month three, that he's been prescribed something for anxiety and is worried about what happens if his board finds out. The life coach client who came in for "clarity on priorities" is now two sessions into telling you about the relationship that ended after the miscarriage no one else knows about.

This is not edge-case material. This is Tuesday.

What Generic Software Is Doing With That Data

Generic CRMs and scheduling platforms are built for sales pipelines and appointment booking. They weren't designed with the assumption that the notes field would contain anything more sensitive than "follow up on Q3 forecast." Their privacy policies reflect that origin.

Verizon's 2024 Data Breach Investigations Report analysed 30,458 security incidents and 10,626 confirmed breaches in the preceding year, and found that 15 percent of breaches involved a third party (a vendor, a partner or a piece of the software supply chain), up 68 percent from the previous report.6 IBM Security's 2023 Cost of a Data Breach Report put the global average cost of a breach at $4.45 million.7 A solo practice will never see a bill that size, but it also has none of the legal and communications staff that absorb the aftermath at a large company, so proportionally the damage can be worse.

For a coaching practice, the cost isn't just financial. It's the client who finds out that their session notes — their disclosures about their mental health, their family, their failures — lived on a server that got breached. It's the executive coaching client whose Fortune 500 employer discovers sensitive personal information was stored in a tool that doesn't meet their vendor compliance requirements. It's your reputation, built over years of earning trust one conversation at a time, collapsed in a single news cycle.

There are three specific infrastructure failures that make generic tools dangerous for professional coaching practices:

No encryption at rest for session content, or encryption whose keys the vendor holds. Many consumer-grade tools encrypt data in transit (the lock icon in your browser) but store it unencrypted on their servers, so anyone who obtains the database, through a breach or a rogue employee, reads the notes as plain text. Encryption at rest only closes that path. It does nothing against an attacker who signs in through the application with a stolen password, and it does nothing against a subpoena served on a vendor that holds the decryption keys, because the vendor can simply decrypt. Who holds the key matters as much as whether encryption is switched on.

Unclear or absent Business Associate Agreements. Even if a tool uses modern cloud infrastructure, the absence of a BAA with each sub-processor means you have no contractual guarantee about how your client data is handled. Under HIPAA, covered entities require BAAs with every vendor who touches PHI. You're not a covered entity — but the framework exists because it works. It creates accountability in the data supply chain.8

AI training on session content. Several major CRM and scheduling tools have updated their terms of service to allow use of user data for improving AI features. Your session notes — the client disclosure that stayed in the room — may be processed by models being trained on your data. Most coaches don't read the terms of service update emails. They should.

The Compliance Pressure Coming From Your Enterprise Clients

Executive coaches and organizational coaches are learning this the hard way. Enterprise clients — particularly in regulated industries like healthcare, finance, and defense — are extending their vendor due diligence down to every tool in their supply chain. What started with SOC 2 Type II requirements for software companies is increasingly showing up as procurement questions for professional service providers.9

If you're coaching leaders at a healthcare organization, their compliance team may ask about your data handling practices. If you're deploying coaching across a financial services firm, their information security office wants to know where employee session data lives and who has access to it. "I use a scheduling tool" is not an answer that closes enterprise contracts.

Privacy law points the same way, though read the scope carefully. The California Consumer Privacy Act (CCPA) applies to businesses above size thresholds (annual revenue of roughly $25 million, personal information of 100,000 or more California consumers or households, or at least half of revenue from selling or sharing personal information), so a solo practice is usually outside it directly.10 Your enterprise clients are not outside it, and they pass their obligations down to vendors by contract. The GDPR has no size threshold: if you offer coaching to clients in the European Union, you are processing their personal data under it, and disclosures about physical or mental health and sexual orientation are special-category data with stricter rules.11 These aren't hypothetical. They're operative today.

The NIST Cybersecurity Framework 2.0, updated in 2024, provides the most current guidance on what responsible data governance looks like for organizations of any size.12 The Federal Trade Commission's resources for small business cybersecurity make clear that professional service providers handling sensitive personal information are expected to implement reasonable safeguards — or face liability when they don't.13

What Enterprise Clients Are Now Asking

  • Where is our employees' session data stored, and in which jurisdiction?
  • Who has access to session notes, and what access controls are in place?
  • Do you have Business Associate Agreements with your cloud and AI providers?
  • Does your software meet SOC 2 or equivalent security standards?
  • Is our data used to train AI models or shared with third parties?
  • What is your breach notification protocol and timeline?

What HIPAA-Grade Actually Means (and Why It's the Right Standard)

"HIPAA-grade" is shorthand, so it is worth being precise about what it points to. The HIPAA Security Rule requires administrative, physical and technical safeguards for electronic protected health information. It is largely technology-neutral (it does not name a cipher), and HHS points to NIST guidance for what adequate encryption, access control and logging look like in practice. The reason to borrow it is that it was built for the most sensitive category of personal data people generate, and over decades the healthcare industry learned what happens when that data is handled carelessly. Applying it to coaching infrastructure isn't overkill; it's using the best available framework for the job.

Here's what meeting that standard looks like in practice:

Encryption at rest and in transit. Session content, client records and all associated data should be encrypted at rest with AES-256 (or an equivalent NIST-approved cipher) and in transit with TLS 1.2 or higher, with older protocol versions disabled on the server. HHS's guidance on unsecured PHI treats data encrypted to NIST recommendations as outside breach-notification duty, which is why the bar sits there. This is table stakes. If your current tool can't tell you its encryption standards and where the keys live, that's your answer.

Business Associate Agreements with every data sub-processor. Every cloud provider, AI vendor, email service, and analytics tool that touches your client data should have a signed BAA with the platform you use. This creates a chain of accountability.8 Without it, you have a privacy policy that offers words instead of guarantees.

Access controls and audit logging. Minimum-necessary access is a foundational HIPAA principle that makes clinical sense for coaching too. Who can see which client's notes? When was a record accessed? If there's an incident, can you reconstruct what happened? Audit logs aren't bureaucracy — they're how you protect your clients and yourself.

No AI training on session content. Your client's disclosure is not training data. Full stop. The platform you trust with coaching conversations should have explicit, contractual prohibitions on using session content for model training — not just a privacy policy you hope nobody updates.

Structured data model. FHIR R4, the Fast Healthcare Interoperability Resources standard from HL7 International, defines a set of resources for health-adjacent data and an API for exchanging them.14 Coaching data isn't clinical data, but the data model still matters: a defined structure determines how data can be queried, exported, anonymized and, on request, deleted, whereas free-text notes in a generic CRM field can only be dumped. The model alone does not guarantee those rights; the platform still has to implement export and deletion, backups included. A coaching platform built on FHIR R4 is at least built for a world where data rights matter.

The Business Case Is as Strong as the Ethical One

I've been making the ethical argument, but I want to be direct about the business argument too, because coaching is a business and you deserve to know where the ROI is.

The enterprise coaching market — organizational development, leadership development, executive coaching contracts — is where the significant revenue is for solo coaches who want to scale past a certain ceiling. Enterprise clients don't do vendor relationships on a handshake. They do them with contracts, compliance questionnaires, and vendor security assessments. A solo coach who can walk into that conversation with documented HIPAA-grade infrastructure, executed BAAs, and a structured data architecture closes contracts that their competition can't. That's not hypothetical. That's a $15,000 organizational contract that someone else isn't getting because they're using a scheduling tool and a Google Doc.

Coaching organizations — companies that franchise, license, or deploy coaching methodology at scale — face this even more acutely. When a coaching organization deploys coaches across multiple enterprise clients, the data governance story has to be airtight before the first contract is signed. White-label coaching platforms are only viable for enterprise deployment if they meet enterprise security standards.

The International Association of Privacy Professionals noted in its 2024 State of US Privacy report that privacy compliance is increasingly a competitive differentiator, particularly in professional services where client trust is the product.15 Coaches who build their practices on enterprise-grade infrastructure are not just doing the right thing. They're building a moat.

What to Look For When You Evaluate Coaching Software

This is not a situation where you can rely on the vendor to volunteer this information. You have to ask for it. Here's what actually matters:

Ask for their BAA list. Every cloud provider, every AI integration, every email delivery service — each one should have a signed Business Associate Agreement. If they can't produce the list, they don't have it.

Ask about encryption at rest, and about the keys. AES-256 is the current standard. Then ask where the encryption keys are stored, who can use them and whether you can hold your own. If the vendor holds the keys, the vendor can read your data, and so can anyone who compromises the vendor or subpoenas it; encryption at rest with vendor-held keys protects a stolen disk, not a compromised platform. A customer-managed key, or encryption on your own device before a note ever leaves it, is the difference between a promise and a guarantee.

Read the AI terms of service. Specifically, look for language about whether your data is used for model training or improvement. The clause is often buried in a section about "improving the service." If you find it, ask for a contractual carve-out — or find a platform where the prohibition is already baked in.

Ask about breach notification protocol. How quickly will they notify you if there's a breach? HIPAA's Breach Notification Rule sets the ceiling for covered entities and business associates: without unreasonable delay, and in no case later than 60 calendar days after discovery. Treat 60 days as the outer limit, not the target. Ask for a contractual commitment of 30 days or less, and for the same clock to bind the vendor's sub-processors. A vendor who can't answer this question hasn't thought seriously about what happens when things go wrong.

Ask about data export and deletion. You should be able to export all client data in a structured, portable format. You should be able to delete it completely when a client requests it, and "completely" means backups and sub-processor copies too, with a written confirmation and a stated retention window for backups. If your platform can't do both, if your client data is effectively locked in, that's a vendor dependency risk and a data rights problem.

Minimum Infrastructure Standards for Coaching Practices

  • AES-256 encryption at rest for all session content and client records
  • TLS 1.2+ encryption in transit — verified, not assumed
  • Executed BAAs with all cloud, AI, and data sub-processors
  • Explicit prohibition on using session content for AI model training
  • Role-based access controls and audit logging
  • FHIR R4 or equivalent structured data model
  • Complete data portability and on-demand deletion
  • Breach notification within 30 days

The Conversation You Never Want to Have

I want to end with something concrete, because sometimes the abstract argument doesn't hit until you imagine the specific scenario.

Imagine you get an email from your current software provider. There's been a security incident. User data was accessed by an unauthorized third party. They're working with law enforcement. They'll send more information as it becomes available.

Now imagine you have to call your clients and tell them. Not the clients who shared professional goals or quarterly targets. The ones who, over eighteen months of consistent work, told you things they've never told anyone. The executive who talked about the drinking. The coach client who shared the details of the affair that ended her marriage. The high-performer who finally admitted, in your office, that he doesn't think he can keep going.

That call is one of the worst calls a professional can make. The only thing that makes it worse is knowing you could have prevented it with infrastructure choices you made when the risk felt abstract.

You're not a therapist. HIPAA doesn't require you to do any of this. But you're sitting across from people who are trusting you with the most important work of their lives — and the infrastructure you build around that trust is a reflection of whether you're actually trustworthy.

Build it accordingly.


Matthew Sexton is a Licensed Clinical Social Worker (LCSW) and the founder of Mental Wealth Solutions Inc., the company that builds CoachesCheck, HealthcareCheck, VibeCheck, TransplantCheck, and VeteranCheck. He brings clinical infrastructure thinking to the coaching vertical. To discuss CoachesCheck for your practice or organization, book a 30-minute call.

Citations

  1. U.S. Department of Health and Human Services. (2023). Summary of the HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
  2. International Coaching Federation. (2021). ICF Code of Ethics. Section 2: Confidentiality and Privacy Standards. https://coachingfederation.org/ethics/code-of-ethics
  3. International Coaching Federation. (2023). 2023 ICF Global Coaching Study. https://coachingfederation.org/research/global-coaching-study
  4. Substance Abuse and Mental Health Services Administration. (2023). Key Substance Use and Mental Health Indicators in the United States: Results from the 2022 National Survey on Drug Use and Health. HHS Publication No. PEP23-07-01-006. https://www.samhsa.gov/data/
  5. Kets de Vries, M. F. R. (2014). The art of coaching: The difference between giving advice and sustainable change. In The Coaching Kaleidoscope. INSEAD Business Press. [See also: Berglas, S. (2002). The very real dangers of executive coaching. Harvard Business Review, 80(6), 86–92.]
  6. Verizon. (2024). 2024 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
  7. IBM Security / Ponemon Institute. (2023). Cost of a Data Breach Report 2023. https://www.ibm.com/reports/data-breach
  8. U.S. Department of Health and Human Services, Office for Civil Rights. (2023). Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
  9. American Institute of Certified Public Accountants. (2017). SOC 2 — Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. AICPA. https://www.aicpa-cima.com/
  10. California Legislative Information. (2018). California Consumer Privacy Act of 2018, Civil Code § 1798.100. https://leginfo.legislature.ca.gov/
  11. European Parliament and Council of the European Union. (2016). General Data Protection Regulation (EU) 2016/679. https://gdpr-info.eu/
  12. National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework 2.0. https://doi.org/10.6028/NIST.CSWP.29
  13. Federal Trade Commission. (2023). Cybersecurity for Small Business. https://www.ftc.gov/business-guidance/small-businesses/cybersecurity
  14. HL7 International. (2019). FHIR Release 4. https://hl7.org/fhir/R4/
  15. International Association of Privacy Professionals. (2024). State of US Privacy 2024. https://iapp.org/
  16. American Psychological Association. (2017). Ethical Principles of Psychologists and Code of Conduct. Standard 4: Privacy and Confidentiality. https://www.apa.org/ethics/code
  17. Cybersecurity & Infrastructure Security Agency. (2023). Guidance on Securing Software-as-a-Service (SaaS) Applications. https://www.cisa.gov/
  18. IBISWorld. (2024). Life Coaching Services in the US — Industry Report. IBISWorld. [Market research report, subscription access: https://www.ibisworld.com/]