You might not give much thought to HIPAA when you’re the patient in a medical office, signing document after document after document. But if you’re a nutrition business owner, or about to launch your private practice (go you!), you have to learn the Health Information Portability and Accountability Act (aka HIPAA) basics to protect your client’s privacy and run your business securely.
Don’t worry: we are here to help. Grab a cup of coffee, we’ll walk you through everything!
If the term HIPAA causes you angst or confusion, you’re not alone. HIPAA is complex – even for large healthcare organizations.
It’s possible that your nutrition private practices will not be subject to HIPAA requirements, but in order to determine if yours will be, you need to spend a bit of time in research mode. We’ll cover who is subject to HIPAA regulations in a bit.
This article covers essential terminology and concepts related to HIPAA compliance. Additionally, it contains links to helpful tools and resources.
Pssst: if you’re getting started on launching your private practice, you’re going to want to save our 10 Essentials for Starting Your Booming Nutrition Private Practice article for later.
What does HIPAA stand for?
Let’s break down what exactly HIPAA is so you can understand how to prepare your nutrition private practice. What does HIPAA stand for? H-I-P-A-A stands for Health Information Portability and Accountability Act.
Often it is mistakenly abbreviated H-I-P-P-A (with two P’s). Don’t make the beginner mistake: use the correct acronym – HIPAA – (with two A’s).
HIPAA is a law that established national standards for electronic health care transactions for providers, health plans, and employers. It also defines requirements for the privacy and security of protected health information (PHI). Examples of PHI include your patient or client’s:
- Name
- Address
- Date of birth
- Social security number
- Lab data
The purpose of HIPAA is to protect privacy. While it might feel like one more hurdle to jump over, the purpose of the law is to protect your clients’ privacy and personal information, and therefore, the integrity of your business.
Health care providers (yes, even RDNs), health plans, payers, and other HIPAA-covered entities must comply with this law. The requirements apply to all providers who conduct electronic transactions, not just providers who accept Medicare or Medicaid.
Resources:
- HIPAA Training Materials
- HIPAA Basics for Providers
- Center for Medicare and Medicaid Services HIPAA and ACA
HIPAA Compliance for Nutrition Private Practice
It can feel overwhelming to tackle the topic of HIPAA compliance, however, every big project can be broken down into smaller steps. With the right tools and resources, you can feel confident that your practice has the correct, required elements in place.
And remember: if you can memorize the Krebs cycle for an O-chem exam, you can successfully tackle HIPAA compliance, too.
Three Main Steps to Ensure Your Private Practice is HIPAA Compliant
Step 1: Determine if you are a covered entity and subject to HIPAA requirements
Step 2: Conduct a risk assessment to determine risks in policies, processes and systems. (Identify administrative, technical and physical risks).
Step 3: Implement safeguards to mitigate risk (or plans/policies).
Step 1: Who does HIPAA apply to?
HIPAA applies to “covered entities” – are you one?
What’s interesting about HIPAA is that it applies based on what you do as much as who you are.
As more and more healthcare providers are providing care, answering questions and documenting their care online, it is necessary to protect private client data.
HIPAA is designed to protect patient and client data, especially data that is held online. HIPAA applies to healthcare providers – including registered dietitians – who are doing certain transactions online.
If you conduct any of the following digital transactions, congratulations: you are a covered entity and must establish HIPAA policies and practices in your business.
These covered transactions relate to billing insurance and making inquiries with insurance such as statements of benefits. Examples of covered HIPAA transactions include:
- Payment and remittance advice to clients
- Premium payments
- Coordination of benefits
- Claims and claims status
- Referrals
- Authorizations for services
Dietitians often assume that unless you accept insurance, you don’t need to comply with HIPAA. While many of the covered transactions for HIPAA are related to insurance, not all of them are. Plus, the code of ethics for Registered Dietitians has explicit language that you should be familiar with and follow.
For example: “The dietetics practitioner protects confidential information and makes full disclosure about any limitations on his or her ability to guarantee full confidentiality.”
It is hard to imagine a dietitian or other healthcare provider having a private practice that does not conduct the electronic transactions covered in the HIPAA guidelines. If in doubt: assume that you’re a covered entity.
Resources:
- The Center for Medicare and Medicaid Services Covered Entity Guidance Tool
- Am I a HIPAA-Covered Entity? How Much Does it Matter if I am or Not?
- Is My Cash Practice a HIPAA-Covered Entity?
- Academy of Nutrition and Dietetics Code of Ethics for the Profession
Next step: conduct your security risk analysis.
Step 2: What is a Security Risk Assessment?
You’ve determined that you are a covered entity. Next step: conduct your security risk assessment.
HIPAA is not a one-size-fits-all guideline. HIPAA requires that a covered entity conduct a security risk assessment to find the best plan for your private practice. A risk assessment helps you ensure compliance with HIPAA’s administrative, physical, and technical safeguards.
Pretend you were a thief and wanted to steal the secret gems in your office and computer. Look at your business with that mindset and see how you can protect your client’s data.
HIPAA also helps reveal areas where protected health information (PHI) could be at risk. A convenient tool is available to assist you in completing the assessment. It has been specifically designed for small practices.
Resources:
Step 3: Implement Your HIPAA Plan
Now: onto the meat of the matter. What planning, papers, and procedures do you need to have in place in order to ensure HIPAA compliance? Let’s dive in!
Inform your clients and patients about your procedures
There are two specific rules to know and understand: the HIPAA privacy rule and the HIPAA security rule.
The HIPAA Privacy Rule
Your clients and patients have the right to be informed of the privacy practices of their health plans and of their healthcare providers, as well as to be informed of their privacy rights with respect to their PHI.
Health plans and covered healthcare providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. See below for example notices.
The security rule is a closely related topic that specifically addresses safeguards for electronic PHI (ePHI).
The HIPAA Security Rule
The HIPAA security rule is what most of us think of in regards to HIPAA: the rule refers to private information and how it is created, received, used, or maintained by the healthcare provider. We have to keep that information safe, both electronically (in our electronic communications and documentation) and physically in our office.
Because most RDNs use electronic health records or interact with patients using digital media, it is important to understand the requirements.
Resources:
- Health IT Privacy Resources for Providers
- Summary of the HIPAA Security Rule
- HIPAA Security Rule Guidance
Notice of Privacy Practices:
Now that you are establishing your HIPAA procedures, you need to have a few specific documents to share with your clients.
The HIPAA privacy rule requires health plans and covered healthcare providers (that’s you, RDNs!) develop and distribute a notice to patients that provides a clear, user-friendly explanation of an individual’s rights with respect to their PHI and the privacy practices of health plans and healthcare providers.
Good news: we have these notices ready for you to use today! You don’t need to reinvent the wheel.
Example HIPAA Forms for Registered Dietitians
- Notice of Privacy Policies & HIPAA Release Form
- Complete Set: 9 Getting Started Forms, Including HIPAA
- HIPAA and PHI Forms
Do you work with interns in your practice? We have an Intern Onboarding Toolkit that includes the HIPAA form for them to sign.
Whether you work with interns, health insurance providers or hire a virtual assistant, read the next section about ensuring business associates are HIPAA-compliant.
Looking for tools to launch your private practice?
Include your Business Associates
Outside of yourself, are there other people who contribute to your business?
HIPAA applies also to business associates: a person or organization – other than you – that handles client data. They need to protect client data, too.
Business associates, organizations or platforms need to be HIPAA-compliant. They include :
- Electronic health records (practice management tools)
- Email providers
- Your employees
- Your virtual assistant (VA)
- Your interns
- Your medical biller
Resources:
Is Zoom HIPAA Compliant?
HIPAA-compliant telehealth is more important than ever.
If you will be meeting with your clients virtually, the platform that you use must be secure to be compliant with HIPAA. Is Zoom HIPAA compliant? Zoom can be HIPAA compliant, but it is not the free version. Find out the details for HIPAA complient zoom options for healthcare providers, here.
Or consider a different solution. Many practice management tools include HIPAA- compliant video conferencing as a platform feature. This can ease client scheduling because the link to join the virtual nutrition counseling session is generated while the client books!
Check it out: for guidance on the best software and coaching platforms available for dietitians, read our Best Nutrition Coaching Software article.
Who Enforces HIPAA?
The Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA. If you are found to not be in compliance with HIPAA guidelines, you could be subject to fines. (And not knowing the rules does not exclude you from being subject to them).
Additional Tips for HIPAA Compliance for Dietitians
What else might you consider? Think through all of the ways that you communicate with your clients, about your clients, and store that data: is it safe? Is it secure?
Do you text, email or fax your clients? Do you store information on the cloud? Do you lock your filing cabinets with physical papers? Thinking through all of the moving parts of your nutrition business will allow you to have a solid plan in place to be able to protect it.
HIPAA Summary for Private Practice Dietitians
If you’re a dietitian in private practice you are privy to private information regarding your clients. It is your responsibility to protect that data. To save you time and energy, don’t reinvent the wheel; check our our ready-to-go resources to use as your get your practice HIPAA complient!
- Notice of Privacy Policies & HIPAA Release Form
- Complete Set: 9 Getting Started Forms, Including HIPAA
- HIPAA and PHI Forms
If you are transmitting that information online, chances are you are subject to HIPAA guidelines. Bookmark this blog post as a reference as you are establishing your safe and secure practice.
2 comments