Operator-honest answers from a working SEO/AI shop in Encinitas to the questions registered dietitians & nutritionists actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. California Board of RD/RDN (Department of Consumer Affairs) aligned. No fluff, no scare tactics, no $5K "compliance package" upsell.
Short answer: yes, in 2026, almost certainly.
You are a HIPAA Covered Entity the moment any one of these is true:
Operator translation: if you are running anything besides a 100% cash, paper-records, phone-call-only dietetics practice in 2026, you're inside HIPAA scope.
Registered Dietitians & Nutritionists-specific risk: Meal-tracking apps, food diary screenshots emailed by clients, and continuous glucose monitor (CGM) data integrations are all PHI when associated with an individual client. Many RDs use consumer MyFitnessPal or Cronometer free-tier without realizing the moment you receive a client's data through that channel, you've created a HIPAA risk.
Dietitian-specific HIPAA EHRs that sign BAAs: Practice Better, Healthie, That Clean Life (clinical tier), Nutrium. For meal-tracking with BAA: Healthie's built-in food log, Practice Better's food journal. Generic SimplePractice + Cronometer-Pro-with-BAA also works.
This is the stack most solo and 2-3 clinician dietetics practices in 2026 actually run:
| Layer | Vendor (one of) | Cost / mo | BAA included? |
|---|---|---|---|
| EHR + Notes + Billing | See vendor cheatsheet below | $49-$99 | Yes (auto on signup for paid plans) |
| HIPAA Email | Paubox · Hushmail · Google Workspace + BAA | $10-$25 | Yes (Google requires active BAA sign) |
| Telehealth (if used) | EHR-integrated · Doxy.me · Zoom for Healthcare | $0-$25 | Yes — NOT consumer Zoom |
| Texting / SMS | Spruce · OhMD · EHR portal | $15-$30 | Yes |
| Cloud backup (optional) | Google Workspace · Box for Healthcare | $0-$15 | Yes (active BAA required) |
| Total · solo practice | — | $80-$150/mo | — |
30 min. Anything sent from yourname@gmail.com with a client's first name + appointment is a HIPAA breach. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Same for Zoom — switch to Zoom for Healthcare or use your EHR telehealth.
45 min. Make a folder (Drive folder works). Save signed BAA from EHR, email host, telehealth, scheduling, billing service, cloud backup. If a vendor cannot give you a BAA, they cannot legally hold PHI.
20 min. Most EHRs auto-include this in intake flow. If yours doesn't, use the HHS template at hhs.gov · Model NPP. Every new client signs that they received it.
20 min. EHR · email · cloud storage · password manager. Use authenticator app (Authy · 1Password), not SMS where possible.
10 min. Mac: System Settings → Privacy & Security → FileVault → On. iPhone: 6+ digit passcode auto-encrypts. This converts a stolen laptop from "reportable HIPAA breach" to "stolen laptop" (OCR safe harbor).
45 min. Required by HIPAA Security Rule. Solo practice = one-page is defensible. Free HHS interactive tool: healthit.gov SRA Tool. Re-do once a year.
| Pattern | Typical fine range | How to avoid |
|---|---|---|
| 1. Texting clients from a personal phone | $25K-$100K | Spruce, OhMD, or EHR portal |
| 2. Sending PHI from Gmail (not Workspace + BAA) | $50K-$250K | Workspace + BAA, Paubox, or Hushmail |
| 3. Consumer Zoom or FaceTime for telehealth | $50K-$150K | Zoom for Healthcare or Doxy.me or EHR telehealth |
| 4. No Notice of Privacy Practices on file | $10K-$50K | HHS template + EHR intake flow |
| 5. Lost / stolen unencrypted laptop with PHI | $50K-$300K | FileVault / BitLocker · 10 min one-time |
Dietitian-specific HIPAA EHRs that sign BAAs: Practice Better, Healthie, That Clean Life (clinical tier), Nutrium. For meal-tracking with BAA: Healthie's built-in food log, Practice Better's food journal. Generic SimplePractice + Cronometer-Pro-with-BAA also works.
| Category | Vendor | BAA process |
|---|---|---|
| Google Workspace | Self-serve in admin console · MUST sign actively | |
| Paubox | Auto with subscription · encrypts outbound by default | |
| Hushmail for Healthcare | Auto with subscription · cheap solo tier | |
| Telehealth | Doxy.me | Auto with any tier · including free |
| Telehealth | Zoom for Healthcare | Active BAA setup required · consumer Zoom is NOT compliant |
| Texting | Spruce | Auto with subscription · HIPAA-eligible 2-way SMS |
| Cloud storage | Google Workspace Drive | Auto if Workspace BAA signed · personal Drive is NOT |
| Cloud storage | Dropbox HIPAA | Auto with Business plan + BAA · sign actively |
SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA. For private-practice registered dietitians & nutritionists:
| Tier | Price | What |
|---|---|---|
| SideGuy Hour | $150 one-time | One hour, async-friendly · walk your stack · 2-3 gaps that matter · written one-page fix-list |
| Operator Audit | $250 one-time | 3-5 day signal-quality audit · full setup · written PDF + 30-min walkthrough |
| Practice Compliance Sprint | $2,000 one-time | 10 days · audit + cleanup + missing-document drafts + vendor migrations + re-usable annual SRA |
Yes if you bill insurance electronically, use an EHR, store client food logs / lab values / CGM data in cloud software, or use telehealth. Cash-only nutritionists without insurance billing and paper-only records may technically fall outside scope, but any cloud meal-tracking app integration triggers HIPAA. Most active RDs are in scope by 2026.
~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email + signed BAAs. Add telehealth tier if you do telehealth.
Texting clients from a personal phone, sending PHI from non-Workspace Gmail, and consumer Zoom for telehealth. OCR fines $25K-$250K.
Yes. Free HHS template. Most EHRs auto-generate one. Every new client signs that they received it.
A contract with any vendor that touches your PHI. If a vendor cannot provide one, they cannot legally hold PHI for you.
Yes. HHS OCR Breach Reports portal shows names, dates, and dollar amounts publicly.
Yes — CMIA, CA AB-2013 AI disclosure, CCPA if you hit thresholds, and California Board of RD/RDN (Department of Consumer Affairs) record-keeping rules. California regulates RDs through the Department of Consumer Affairs. The state does not require licensure to use the title 'nutritionist' (only RD is protected), so HIPAA scope depends on whether you electronically transmit PHI for billing — most insurance billing dietitians do.
Only with a signed BAA from the AI vendor. Anthropic offers BAAs for Claude Enterprise. OpenAI for ChatGPT Enterprise. Google for Gemini through Workspace. Free / consumer tiers do NOT come with BAAs.
Not legal advice. Operator-grade reference written by working SEO/AI operators in Encinitas, CA. Not attorneys. For licensure-specific or breach-specific questions consult a healthcare attorney. HHS OCR is the federal HIPAA enforcement authority. California enforces CMIA + state-board rules.