Patient Privacy and Social Media SOP

As part of the hiring process, all Nourish employees, including RDs, are required to read and sign the employee handbook (linked at the bottom of this doc), which contains the following provisions related to social media:

Social Media pertains to all means of communicating or posting information of any sort on the Internet. All policies outlined in this handbook apply to Social Media.

  • Employees must make sure their audience knows they are an employee of the Company and they must never represent themselves as a spokesperson for the Company.

  • Employees should refrain from using Social Media to express dissatisfaction with the Company, fellow employees, clients, vendors and/or partners.

  • Employees should never post information that they know to be false about the Company or its clients, vendors and/or partners.

  • Any social media breach or suspected account breach should be reported to the People Team immediately.

  • You are legally and ethically obligated to maintain patients' privacy and confidentiality rights in the workplace and on social media.

  • Avoid transmitting patient information or images that could infringe upon clients' rights to confidentiality or privacy. This is particularly important regarding information or images that clients may find embarrassing or offensive.

  • Employees should never post information that may reveal the identity of a client or make reference to any client conversation or interaction. This includes posting to social media and sharing with friends via text or email.

  • Never refer to clients in a disparaging manner online, even if you do not identify these clients.

  • Use your best judgment when interacting with clients on your personal social media account and be mindful of issues that may arise.

RDs, like all health care providers, have a duty to protect patient information at all times, consistent with HIPAA. On occasion, patients may request that RDs “friend” or connect with them on consumer apps like MyFitnessPal (MFP) to enable RDs to view food logs or other data.

However, doing so is likely a HIPAA violation for the following reasons:

Nourish does not have a Business Associate Agreement (BAA) with MFP or other consumer apps

  • HIPAA requires that any platform used to access, transmit, or store PHI must have a BAA.

  • Nourish does not have BAAs established with consumer apps, including MyFitnessPal. As a result, PHI cannot be exchanged through it.

  • If you “friend” a patient for the purpose of professional treatment, the food logs you access or discuss become PHI.

  • Because MyFitnessPal is not a HIPAA-compliant service, using it in this manner violates the Security Rule.

Mixing personal/professional accounts is not allowed

Using a personal MyFitnessPal or similar account to monitor patient logs creates compliance and privacy risks:

  • Protected health information (PHI) may pass through a non–HIPAA-compliant system, which lacks required access controls and an audit trail.

  • Data exchanged through personal accounts is not encrypted to HIPAA standards.

  • Patient–provider relationships may be publicly visible, creating the potential for an inadvertent privacy breach.

Patient permission or consent does NOT fix the HIPAA problem

  • Patients cannot “waive” HIPAA requirements by consenting to an insecure channel.

  • The burden is on the provider, not the patient.

  • Even if the patient wants to share logs this way, you cannot initiate or use a non-compliant channel for treatment purposes.

Risk Scenarios

  • Reviewing a patient’s logs on a 3rd party app = accessing PHI

  • Commenting in a 3rd party app = exchanging PHI

  • Being “connected” in a way that identifies them as your patient = privacy violation

  • If your account gets breached, logs are compromised (which may be a reportable breach)

All of these violate HIPAA unless the platform is covered by a BAA.

HIPAA-compliant alternatives

To review meal logs safely, use Nourish platform tools (e.g., food logs) and document patient information within our HIPAA-compliant system (i.e., the Provider Portal). It is acceptable for a patient to initiate sharing their logs, as long as it’s done on our system.

For example, you could say:

“If you want to share screenshots or exports of your logs with me through our approved platform/portal, you’re welcome to do so.”

This keeps compliance responsibilities on our secure system, rather than a 3rd party app.

HIPAA Trainings

All Nourish employees are required to review HIPAA trainings in Vanta on an annual basis; in addition, relevant policies can be found in the Employee Handbook (below). RDs are expected to uphold these policies and ensure that care provided on the Nourish platform meets HIPAA standards.

Attachment: Nourish_Employee_Handbook.pdf (473KB)
