What is HIPAA and What It Means for My Optometry Practice

Summary: The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires health care providers — including doctors of optometry and optometry practices — to protect the privacy and security of patients’ protected health information (PHI).

1. What HIPAA Does

  • HIPAA’s Privacy Rule restricts how patient information can be used and shared.
  • HIPAA’s Security Rule requires practices to safeguard electronic protected health information (ePHI) with administrative, technical, and physical protections.
  • Patients have specific rights over their health information, including:
    • Requesting copies of their records
    • Requesting corrections
    • Knowing who their information has been shared with and why

2. Who Must Follow HIPAA

If your optometry practice electronically transmits health information for certain transactions (like billing or eligibility checks), you are a “covered entity” under HIPAA and must comply.
This includes common activities such as:

  • Submitting claims electronically
  • Checking patient eligibility or referrals
  • Coordinating benefits

3. What Counts as Protected Health Information (PHI)

PHI is information that identifies a patient or could reasonably be used to identify them. It includes things like:

  • Names
  • Addresses
  • Birthdates
  • Medical records
  • Photos or facial images

PHI must be protected whether it’s oral, written, or electronic.

4. Notice of Privacy Practices (NPP)

  • Your practice must provide patients a Notice of Privacy Practices.
  • This notice explains how you may use and disclose PHI, and what rights patients have regarding their information.
  • You must:
    • Give the notice at the first service date
    • Display it prominently in your office
    • Post it on your practice website (if you have one)
    • Make it available on request

5. Business Associates

  • A business associate is a non‑employee (like a billing service or IT vendor) that handles PHI on your behalf.
  • You must have a written agreement with every business associate requiring them to properly safeguard PHI and notify you of breaches.

6. Electronic Communications & ePHI

HIPAA allows secure electronic communication if reasonable safeguards are in place. Safeguards could include:

  • Passwords or encryption
  • Secure email practices
  • Protecting mobile devices used to access PHI

Patients can also object to certain electronic communications and ask for alternatives.

7. What to Do if a Breach Happens

Under HIPAA’s Breach Notification Rule:

  • You must notify affected individuals as soon as possible if unsecured PHI is improperly accessed or disclosed.
  • You may also need to notify the U.S. Department of Health and Human Services and, in some cases, the media.
  • Notices must include:
    • A brief description of the breach
    • Steps individuals can take to protect themselves
    • What your practice is doing in response
    • Contact information for your practice

8. What This Means Practically for Your Practice

✔ Train staff on privacy and security policies.
✔ Perform regular risk assessments of how ePHI is stored and shared.
✔ Maintain up‑to‑date NPPs and security safeguards.
✔ Have signed business associate agreements with vendors.
✔ Act quickly and transparently if a breach occurs.

When to Get Help

This overview is for general understanding only. HIPAA compliance involves detailed legal and technical requirements. You should work with legal counsel or HIPAA compliance professionals to ensure your practice meets all federal and applicable state requirements.

For more information and for access to a complete list of AOA HIPAA resources, please visit this link.