If the term HIPAA causes you confusion, you’re not alone. HIPAA is complex – even for large healthcare organizations. Not all nutrition private practices will be subject to HIPAA requirements, but in order to determine if yours will be, you need to spend some time educating yourself.

This article covers essential terminology and concepts related to HIPAA compliance. Additionally, it contains links to helpful tools and resources.

What is HIPAA?

Let’s break down what exactly HIPAA is so you can understand how to prepare your nutrition private practice. First, HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is often misspelled as HIPPA, which might be a new type of animal but has nothing to do with running your nutrition practice. Don’t make the beginner mistake; use the correct acronym, HIPAA!

HIPAA is a federal law that established national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. Its Privacy Rule and Security Rule also define requirements for the privacy and security of protected health information (PHI).

Health care providers (yes, even RDNs), health plans, health care clearinghouses, and other HIPAA-covered entities must comply with this law. The requirements apply to all providers who conduct the standard electronic transactions electronically, not just providers who accept Medicare or Medicaid.


HIPAA Training Materials

HIPAA Basics for Providers

Center for Medicare and Medicaid Services HIPAA and ACA

The HIPAA Privacy Rule (and Security Rule)

The Privacy Rule gives individuals the right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as of their privacy rights with respect to their protected health information (PHI). Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices.

The Security Rule is a closely related topic, but it specifically addresses administrative, physical, and technical safeguards for electronic PHI (ePHI). Because most RDNs use electronic health records or interact with patients through digital channels (email, telehealth, client portals), it is important to understand these requirements.


Health IT Privacy Resources for Providers

Summary of the HIPAA Security Rule

HIPAA Security Rule Guidance

What is a Covered Entity?

HIPAA applies to health care providers that conduct certain standard transactions in electronic form. If you conduct any of these, you are a “covered entity.” These covered transactions relate to billing insurance and making inquiries with insurance, such as submitting claims and checking eligibility or benefits.

Often there is a statement made that unless you accept insurance, you don’t need to comply with HIPAA. While it is typically true that HIPAA applies only to those performing covered transactions (or acting as a business associate of a covered entity), the Code of Ethics for Registered Dietitians has explicit language that you should be familiar with and follow. For example: “The dietetics practitioner protects confidential information and makes full disclosure about any limitations on his or her ability to guarantee full confidentiality.” In other words, even a cash-only practice should protect client health information as if HIPAA applied.


The Center for Medicare and Medicaid Services Covered Entity Guidance Tool

Am I a HIPAA-Covered Entity? How Much Does it Matter if I am or Not?

Is My Cash Practice a HIPPA-covered Entity?

Academy of Nutrition and Dietetics Code of Ethics for the Profession

Notice of Privacy Practices

The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals’ rights with respect to their protected health information and of the privacy practices of the health plan or provider.


Health IT Privacy and Security Resources

Sample Notice of Privacy Practices

What is a Business Associate?

A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Common business associates for a nutrition practice include electronic health record and practice management vendors, email providers, and online scheduling or billing services. Before PHI is shared with any such vendor, a signed business associate agreement (BAA) must be in place; a vendor that will not sign a BAA should not be used to store or transmit PHI.


Sample Business Associate Agreement

What is a HIPAA Business Associate?

What is a Security Risk Assessment?

The HIPAA Security Rule requires that a covered entity conduct a security risk assessment. A risk assessment helps you ensure compliance with HIPAA’s administrative, physical, and technical safeguards and reveals areas where protected health information (PHI) could be at risk. It is not a one-time task: repeat it periodically and whenever you change systems, vendors, or workflows, and keep the documentation, since it is the first thing an auditor will ask for. A convenient tool, designed specifically for small practices, is available to help you complete the assessment.


Security Risk Assessment Tool

How to Create and Use HIPAA Security Policies and Procedures

HIPAA Compliance for Nutrition Private Practice

It can feel overwhelming to tackle the topic of HIPAA compliance; however, with the right tools and resources, you can feel confident that your practice has the correct elements in place.


  1. Determine if you are a covered entity and subject to HIPAA requirements.
  2. Conduct a risk assessment to identify risks in your policies, processes, and systems (administrative, technical, and physical risks).
  3. Implement safeguards to mitigate the identified risks (written policies and procedures, technical controls, and business associate agreements with vendors that handle PHI), and document what you did.

Looking for tools to launch your private practice?

Curated materials, resources, templates, forms and more to help you build the private practice of your dreams! When you’re just getting started, there is typically a lot of time invested up-front to create new client intake forms, HIPAA agreements, client policy forms, etc. But RD2RD already has all of these high-quality items for your use – there’s no need for you to start from scratch!
Megan Boitano

About the author: Helping dietitians leverage their expertise and generate passive income with digital products. Hi, I'm Megan, the founder of RD2RD, a digital marketplace for RDNs to purchase and sell original, digital goods such as nutrition handouts, presentations, webinars, books and more. In my private practice, I specialize in pediatric nutrition and sensory-based feeding issues.
