
HIPAA and You

We take your privacy very seriously. Understand your responsibilities and how Nutritics is here to help.
28th Sep 2020

Introduction to The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes regulations protecting the privacy and security of certain health information. To fulfill this requirement, the U.S. Department of Health & Human Services published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

How HIPAA Protects Information

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI). The Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

General Rules

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.

The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources. Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
  • Its size, complexity, and capabilities,
  • Its technical, hardware, and software infrastructure,
  • The costs of security measures, and
  • The likelihood and possible impact of potential risks to e-PHI.

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

How is Nutritics meeting the requirements of HIPAA?

Nutritics will function as a ‘Business Associate’ for any client choosing to use Nutritics to assess the nutritional needs of patients. Nutritics is designed so that pseudo-anonymisation is facilitated throughout the platform, enabling better management of e-PHI. We highly recommend that PHI is not disclosed unnecessarily. However, if PHI is maintained within the platform, we ensure that our obligations under the Privacy and Security Rules are met through the implementation of rigorous administrative, physical and technical safeguards.

We welcome our users to request a business associate contract and we are committed to our business associate obligations defined by the HITECH Act of 2009. 

Should you have any questions in relation to processing e-PHI using Nutritics, how we can support you with requirements under HIPAA, or if you wish to request a business associate contract, please contact support@nutritics.com.