11.3 Scope of Practice, Legal/Ethical Standards, Liability/Negligence, Informed Consent & Professional Organizations (ACSM/AACVPR/AHA)
Key Takeaways
- A CEP's scope of practice covers assessment, testing, exercise prescription, and education under physician referral, but excludes diagnosing disease, independently interpreting diagnostic tests, and prescribing medication.
- A negligence claim requires all four elements — duty, breach, causation, and damages — to be proven; missing any one defeats the claim.
- Informed consent must be obtained before testing/training begins and must cover purpose, procedures, reasonably foreseeable risks, benefits, alternatives, and the right to stop at any time.
- HIPAA's minimum necessary standard limits PHI access/use/disclosure to what is needed for the purpose, while the ACSM Code of Ethics imposes an independent confidentiality duty.
- Objective, timely documentation is the CEP's primary legal protection; liability waivers do not protect against a finding of negligence in most states.
Scope of Practice, Legal/Ethical Standards, Liability/Negligence, Informed Consent & Professional Organizations
Quick Answer: A CEP practices within the boundaries defined by their credential's knowledge, skills, and abilities — assessing, testing, and prescribing exercise for patients under physician referral, but never diagnosing disease, interpreting diagnostic tests independently, or prescribing medication. Negligence requires four proven elements (duty, breach, causation, damages); informed consent must be obtained before testing or training begins; HIPAA and the ACSM Code of Ethics both govern confidentiality; and objective documentation is the CEP's primary legal protection.
The legal and professional half of Domain VI is where a CEP's clinical skill meets accountability. Understanding scope of practice, liability, consent, and confidentiality protects both the patient and the professional.
Scope of Practice
A CEP's scope of practice is defined by the knowledge, skills, and abilities (KSAs) tied to the credential: patient assessment, exercise testing, exercise prescription and programming, and patient education for individuals with cardiovascular, pulmonary, metabolic, and other chronic conditions, working under physician referral or in collaboration with the medical team. Explicitly outside that scope: diagnosing disease, independently interpreting diagnostic test results for medical decision-making, prescribing or adjusting medication, and providing medical treatment beyond exercise-related first aid. Practicing outside scope increases legal exposure regardless of a CEP's actual competence — when a sign or symptom exceeds the defined scope, the correct action is to refer or escalate to the supervising physician, not to manage it independently.
Standard of Care & Negligence
The standard of care is what a reasonably prudent CEP with similar training and certification would do under similar circumstances, defined by ACSM's clinical guidelines, professional practice standards, and facility policy. A negligence claim requires all four of the following elements to be proven:
- Duty — a professional relationship existed that obligated the CEP to provide care
- Breach — the CEP's action or inaction fell below the accepted standard of care
- Causation — that breach actually and proximately caused the harm
- Damages — the patient suffered real, provable injury or harm
Malpractice is negligence committed by a credentialed professional acting in their professional role. Missing any single element defeats a negligence claim. The most common liability exposures for a CEP include inadequate preparticipation screening or risk stratification, failing to obtain or document informed consent, delayed EAP activation, exercising a patient outside their prescribed limits, inadequate monitoring/supervision during a session, and failing to promptly communicate a change in patient status to the referring physician.
Informed Consent
Informed consent must be obtained before exercise testing or training begins. It must be voluntary, given in language the patient understands, signed and witnessed, and documented in the medical record. A complete informed consent process covers:
- Purpose and nature of the test or program
- Procedures involved, in plain terms
- Reasonably foreseeable risks, including rare but serious possibilities such as abnormal blood pressure or heart rhythm changes, and — in rare cases during maximal testing — myocardial infarction or cardiac arrest
- Expected benefits
- Alternatives to the proposed test or program
- Right to stop at any time, for any reason, without penalty or loss of ongoing care
- Opportunity to ask questions before signing
Consent covers reasonably foreseeable risks that were actually disclosed — it is not a blanket waiver. A signed consent form does not excuse care that itself falls below the standard of care.
HIPAA, Confidentiality & Documentation
The HIPAA Privacy Rule protects protected health information (PHI) and requires covered entities to apply the minimum necessary standard — limiting access, use, and disclosure of PHI to what is actually needed for the purpose at hand. Disclosures between providers for treatment purposes are exempt from the minimum-necessary requirement but still require appropriate safeguards; most non-treatment disclosures require the patient's authorization. Confidentiality is also an independent ethical duty under the ACSM Code of Ethics, which applies even in relationships or settings not formally governed by HIPAA.
Accurate, objective, timely documentation — often in SOAP-note format — is the CEP's clearest protection if care is ever questioned. Every EAP activation, adverse event, deviation from the prescribed exercise plan, and communication with the referring physician should be recorded. The operating risk-management principle: care that is not documented is very difficult to defend as having occurred.
Professional Ethics & Governing Organizations
The ACSM Code of Ethics commits certified professionals to competent, evidence-based practice within their defined scope; integrity and honesty about their qualifications and limitations; responsibility to the public; and confidentiality of patient and client information. A CEP should be able to identify the organizations that shape practice standards:
| Organization | Role |
|---|---|
| ACSM | Certification standards; publishes the clinical exercise guidelines (GETP) |
| AACVPR | Program certification standards for cardiac/pulmonary rehabilitation |
| AHA | CPR/ECC science and cardiovascular practice guidelines |
| American Red Cross | CPR/BLS/first-aid training curricula |
| Joint Commission (JCAHO) | Hospital-based program accreditation |
| OSHA | Workplace and exposure safety regulation |
| ADA | Facility physical accessibility requirements |
Risk Management & Business Standards
Beyond individual patient encounters, sound risk management means maintaining current certification and continuing education, carrying professional liability insurance, and using written waiver/assumption-of-risk forms — while recognizing that in most states such waivers do not protect against a finding of negligence. The real protection is proper risk stratification, competent supervision, and consistent adherence to the standard of care, backed by facility standards (accessibility, equipment maintenance, staffing) that stay current.
A patient sues a CEP after an adverse event, alleging the CEP failed to properly risk-stratify her before a maximal exercise test. The CEP did in fact skip the required screening step, but an independent review concludes the adverse event would have occurred regardless of screening. What is the most accurate assessment under the four elements of negligence?
Which of the following best describes what must happen before a CEP begins a patient's exercise test?
You've completed this section
Continue exploring other exams