HIPAA Compliance For Private Practice Dietitians 101 (Part 1)

Most of us have at least heard the acronym HIPAA and are probably aware it has something to do with the security and privacy of patient information. But what is HIPAA? Are registered dietitians required to comply? What does HIPAA compliance actually mean, and what does it require? What happens if I fail to meet HIPAA?


Although it is pronounced "hip-pa" (and frequently misspelled HIPPA), the acronym is HIPAA: the Health Insurance Portability and Accountability Act of 1996. It is a federal law, and its privacy and security rules are issued and enforced by the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights.

What is HIPAA?

When discussing any topic, I like to start with a definition. Definitions help to check that we’re all on the same page before progressing further.

The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers such as registered dietitians (covered entities) and their business associates (like Kalix) to establish and follow procedures and practices that protect the confidentiality, integrity and availability of Protected Health Information (PHI) whenever it is created, received, stored, handled or transmitted.

Covered Entities

HIPAA-covered entities are health plans, health care clearinghouses (which process and submit claims), and health care providers (including RDs) who electronically exchange health care information (e.g. claims, payments, remittance advice, referrals and encounter information) with another party for financial or administrative activities related to health care. A provider who never transmits this information electronically is not a covered entity, but in practice almost every practice that bills insurance or uses an electronic records system is.

Business Associates

Covered entities often use third parties to provide certain health and business services. If those activities or services involve the use or disclosure of protected health information on behalf of a covered entity, the third party is a business associate. Before any PHI is shared with a business associate, the covered entity must have a written business associate agreement (BAA) in place that sets out how the business associate will safeguard the information.

Protected Health Information

PHI is any individually identifiable information, demographic or otherwise, that relates to the past, present or future physical or mental health or condition of an individual, or to the provision of or payment for health care to that individual, and that is created or received by a health care provider, health plan, employer or health care clearinghouse. PHI includes (but is not limited to): name, address, appointment dates and details, phone numbers, email addresses, SSN, insurance details, full-face photographs and any unique identifying number. Note that it is the combination of an identifier with health-related context that makes information PHI: a client's name on an appointment reminder is PHI even though the name alone is not.

Why is HIPAA important?

HIPAA penalties for non-compliance are expensive. Civil penalties range from $100 to $50,000 per violation, depending on the level of culpability, with an annual cap of $1,500,000 for all violations of an identical provision. A violation due to willful neglect that is not corrected within 30 days carries the maximum $50,000 per violation. The figures below are the base amounts set by the HITECH Act; HHS adjusts them for inflation each year, so the current amounts are higher. The tiers are as follows.

Categories of Violations and Respective Penalty Amounts Available

Violation category (Section 1176(a)(1))        Each violation         All such violations of an identical provision in a calendar year
(A) Did Not Know                               $100 to $50,000        $1,500,000
(B) Reasonable Cause                           $1,000 to $50,000      $1,500,000
(C)(i) Willful Neglect, Corrected              $10,000 to $50,000     $1,500,000
(C)(ii) Willful Neglect, Not Corrected         $50,000                $1,500,000

Below are the most common compliance issues investigated by the Department of Health & Human Services, in order of frequency.

  • Unlawful use and disclosure of protected health information
  • Lack of safeguards for protected health information
  • Lack of patient access to their protected health information
  • Use or disclosure of more than the minimum necessary protected health information
  • Lack of administrative safeguards for electronic protected health information

Next Time

In Part Two I will discuss your responsibilities as a health care professional and how to run a HIPAA-compliant practice. I will explore the administrative, physical and technical safeguards needed to ensure the safe transmission and storage of protected health information.

How to Choose the Right HIPAA Compliant Email Provider For Your Private Practice

Kalix's Messaging functionality allows you to communicate securely with clients and contacts. Messages can be automated to remind and notify clients about upcoming appointments, to prompt payment of outstanding bills, and to collect client information via online forms and electronic paperwork. They can also be used to communicate with other health care providers, or sent on an ad hoc basis.

It is important to note that the sending, receiving and storage of any protected health information is subject to HIPAA. Hence, when choosing your practice's email provider, HIPAA compliance must be at the top of your list of requirements.

There are lots of solutions out there. Our suggestion is that your number one priority when choosing one should be to select a product from a company that will enter into a business associate agreement (BAA) with you. Under a BAA the provider becomes directly accountable under HIPAA for safeguarding the PHI it stores and transmits on your behalf, and is responsible for breaches that occur on its side of the service. A BAA does not remove your own obligations, however: misuse of your account, a weak or reused password, or PHI sent to the wrong recipient remain your responsibility, and a provider that refuses to sign a BAA cannot be used for PHI at all.

On security, the large providers are usually a sound choice, as they have the most to spend on technology and infrastructure and their compliance programs are independently audited. They can also be the most affordable. Below are some options that we recommend:

Microsoft Office 365

HIPAA itself has no certification scheme, so no product can be "HIPAA certified"; what matters is whether the provider's controls are independently audited and whether it will sign a BAA. Office 365 holds independent certifications and attestations such as ISO 27001 and SSAE 16 (SOC) audits and has FISMA authorization, and Microsoft will enter into a Business Associate Agreement with you. You can pay for full access to Microsoft products including Word, Excel, PowerPoint, OneNote, Outlook, Publisher and Access; Office 365 is compatible with PCs, Macs, tablets and smartphones. Alternatively, you can pay for an email-only plan.

Google Apps

Similarly, Google holds the same kind of independent security certifications and will enter into a Business Associate Agreement with customers who have an administrator account on Google Apps (now Google Workspace). The BAA covers services including Gmail, Google Calendar, Google Drive (including Google's online documents, spreadsheets and presentations) and Google Apps Vault. The BAA must be accepted by the administrator in the admin console; it does not apply automatically, and consumer @gmail.com accounts are not covered.


There are many other solutions out there, and we highly recommend reading an independent review of HIPAA-compliant email services before committing to one. Whatever you choose, confirm in writing that a BAA is available before you move any client communication onto it.

Important Note

Most email-related breaches stem from compromised account credentials (phished, guessed or reused passwords) rather than from flaws in the provider's infrastructure. Your email provider's BAA will not cover you if your account is taken over this way: the breach is yours to report. Use a long, unique password for the account and turn on multi-factor authentication, which both Office 365 and Google Apps support. We have written an article about password security that is worth a read.

It is also worth knowing that HIPAA does not prohibit the use of email to transmit electronic protected health information (ePHI). Instead, the HIPAA Security Rule requires covered entities (you) to implement administrative, physical and technical safeguards when transmitting ePHI, email included. A key part of this is having your clients sign a consent form (or acknowledge your Privacy Notice) that explains the risks of email before you send PHI to them that way.

Legal Considerations When Using Online Electronic Signatures

Kalix makes it easy for your practice to go completely paperless. Being able to share paperwork securely and collect electronic signatures online is now essential for the modern health care practice. Kalix's extensive template library includes many electronic agreements and notices, including HIPAA forms, practice policies and the Advance Beneficiary Notice of Noncoverage (ABN). Alternatively, set up your own contracts using our blank templates. Through Kalix, you can share online patient agreements with only a few clicks of the mouse.

Unlike collecting and witnessing a written signature during an office visit, sending and collecting patient signatures online carries some additional legal considerations. This article discusses them.

Legal Considerations

What is an Electronic Signature?

An electronic signature is any electronic means that indicates either that an individual agrees to the contents of an electronic document, or that the person who claims to have written a document is the one who wrote it.

Under U.S. electronic signature law, a signature can be any sound, symbol or process made with the intent to authenticate a record or contract that is both:

(a) attached to or logically associated with a record, such as a contract (e.g. a service agreement), a form (e.g. a consent form) or a clinical record (e.g. a chart note); and

(b) executed or adopted by the signer with the intent to sign that record.

This means that an electronic signature can be (without limitation):

  • a typed name;
  • a ticked checkbox;
  • a stylised script, e.g. a drawn signature.

Are Electronic Signatures Valid?

Electronic signatures have the same legal effect as handwritten signatures under the federal ESIGN Act (2000) and the Uniform Electronic Transactions Act (UETA), which most US states have adopted. The law does require that the parties agreed to deal with each other electronically, which is why the wording below matters.

We suggest you add the following statements to your forms to show that both parties intend to conduct their dealings electronically:

You agree that the electronic signatures included in this [form/ consent/contract] are intended to authenticate this writing and to have the same force and effect as manual signatures.

Electronic signature means any electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by a party with the intent to sign such record, including (without limitation) typing a name or clicking a checkbox.

Proper Processes and Controls

The complication with electronic signatures is authenticating the person signing. You need to satisfy yourself of "non-repudiation", i.e. that the signed form really came from the designated client and not someone else, so that the client cannot later deny having signed it. A typed name or ticked box proves nothing on its own; what supports it is the identity check you perform and the record you keep of having performed it.

Please remember that you need to verify the identity of the client who is signing. This can be done by asking several questions in the form, such as the client's date of birth, mother's maiden name, last four digits of their Social Security number, driver's license number or other demographic details, and then comparing the answers in the submitted form against an independent source, e.g. the referral letter, a driver's license or a health insurance card. Ask only for what you need to confirm identity (the "minimum necessary" principle above): a full Social Security number is rarely required and increases the damage if the form data is ever breached. Record which details you checked, against which source and when, and keep that record with the signed form; the check is only useful as evidence if it can be shown later.
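The comparison step above, in Python, as an added example that is not Kalix's code or part of the original article: answers typed into an online form rarely match a referral letter character for character, so each field is normalised before comparison, a minimum number of matching fields is required, and the record kept alongside the signed form notes what was checked without storing the answers themselves. The field names, the sample referral-letter record and the form submission are all constructed for the example.

```python
"""Knowledge-based identity check for an online form submission.

Added illustration (not Kalix's code): normalise the answers a client typed
into an online form and compare them with a reference record taken from an
independent source such as a referral letter or insurance card.
Field names and sample data are invented for the example.
"""
import hmac
import re
from datetime import datetime, timezone

# Date formats a client might plausibly type into a free-text field.
_DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m-%d-%Y", "%d %B %Y", "%B %d, %Y")


def normalise_date(value):
    """Return the date as YYYY-MM-DD, or None if it is not a recognisable date."""
    text = value.strip()
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date().isoformat()
        except ValueError:
            continue
    return None


def normalise_text(value):
    """Case-fold and drop punctuation/whitespace so "O'Brien " equals "obrien"."""
    return re.sub(r"[^a-z0-9]", "", value.casefold())


def normalise_ssn_last4(value):
    """Keep only the last four digits; accepts '123-45-6789' or just '6789'."""
    digits = re.sub(r"\D", "", value)
    return digits[-4:] if len(digits) >= 4 else None


# Which normaliser applies to which (hypothetical) form field.
NORMALISERS = {
    "date_of_birth": normalise_date,
    "mothers_maiden_name": normalise_text,
    "ssn_last4": normalise_ssn_last4,
    "drivers_license": normalise_text,
    "zip_code": normalise_text,
}


def verify_identity(submitted, reference, required_matches=3):
    """Compare a form submission with a reference record.

    Returns (passed, matched_fields). Only fields present in both records are
    compared; a value that fails to parse counts as a mismatch, not a match.
    """
    matched = []
    for field, normalise in NORMALISERS.items():
        if field not in submitted or field not in reference:
            continue
        a = normalise(str(submitted[field]))
        b = normalise(str(reference[field]))
        # compare_digest avoids revealing how much of a value matched through
        # timing, which matters if this check is ever exposed to remote callers.
        if a is not None and b is not None and hmac.compare_digest(a, b):
            matched.append(field)
    return len(matched) >= required_matches, matched


def verification_record(matched_fields, source, checked_by):
    """What to keep with the signed form: which fields were checked, against
    what, by whom and when. The answers themselves are deliberately not kept
    (minimum necessary), so this record is safe to store with the chart."""
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "fields_matched": list(matched_fields),
        "source": source,
        "checked_by": checked_by,
    }


# Constructed sample data: what the referral letter and insurance card say ...
REFERENCE_RECORD = {
    "date_of_birth": "1984-03-07",
    "mothers_maiden_name": "O'Brien",
    "ssn_last4": "6789",
    "zip_code": "97201",
}
# ... and what the client typed into the online form.
SUBMITTED_FORM = {
    "date_of_birth": "03/07/1984",
    "mothers_maiden_name": "obrien",
    "ssn_last4": "123-45-6789",
    "drivers_license": "X1234567",   # not on the reference record, so skipped
    "zip_code": "97201 ",
}

if __name__ == "__main__":
    ok, fields = verify_identity(SUBMITTED_FORM, REFERENCE_RECORD)
    print("identity verified:", ok, "on", fields)
    print(verification_record(fields, "referral letter dated 2015-06-01", "RD initials"))
```

Requiring three matching fields rather than one means a single leaked detail (a date of birth is not a secret) is not enough to pass, while the normalisers stop a genuine client from failing because they typed 03/07/1984 instead of 1984-03-07. A date typed in the wrong order, or a wrong last-four, is treated as a mismatch rather than ignored.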