HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for Optometrists

For most optometry professionals, HIPAA compliance for optometrists is mandatory. However, responsibility for optometry compliance can vary depending on whether the professional is a solo practitioner or works in a group practice; and, if the optometrist works in a group practice, whether patient records are individually “owned” or pooled between practitioners.

HIPAA compliance for optometrists is relatively easy to understand, but not always easy to apply. The challenges of optometry compliance exist because optometrists mostly work in public-facing environments – where it is easy to disclose individually identifiable health information impermissibly – and because patient notes are often written on paper before being transferred to an EHR.

It is also the case that optometry practices are increasingly being attacked by cybercriminals to extract patient data. The Department of Health and Human Services' Breach Report currently shows dozens of optometry and ophthalmic practices under investigation for successful hacking attacks and IT incidents that have exposed the unsecured Protected Health Information of millions of patients.

The HIPAA Rules of Optometry Compliance

The HIPAA Rules optometrists have to comply with can be found in the Administrative Simplification provisions. These include the General Requirements, the Privacy Rule, the Security Rule, and the Breach Notification Rule. In some states, local laws pre-empt HIPAA by providing patients with more rights, requiring more stringent security measures, or by mandating shorter notification periods. Optometrists are advised to check which rules apply in their area via the state's Board of Optometry.

The Administrative Requirements

The Administrative Requirements include standards relating to such operations as eligibility and claim status transactions, referral certifications and authorizations, and code sets used in billing. While most optometry professionals will be familiar with these standards, it is a good idea to ensure the standards are being applied correctly in transactions with health plans and Medicare/Medicaid to avoid delays in the provision of treatment to patients and payment for the treatment provided.

The Privacy Rule

The Privacy Rule governs permissible uses and disclosures of Protected Health Information (including oral disclosures that could be overheard in a public-facing environment), patients' rights, and conducting due diligence on Business Associates with whom Protected Health Information is shared before entering into a Business Associate Agreement. The Privacy Rule is one of the key areas of HIPAA compliance for optometrists and most of it will apply to optometry practices.

The Security Rule

The Security Rule governs the safeguards optometrist practices must implement to protect the confidentiality, integrity, and availability of electronic Protected Health Information when it is in transit and at rest. Importantly, the Security Rule mandates ongoing risk analyses and risk management, and ongoing security and awareness training for all members of an optometrist's workforce regardless of their access to electronic Protected Health Information.

The Breach Notification Rule

The Breach Notification Rule itemizes the procedures optometrists must follow if unsecured Protected Health Information is potentially exposed to a third party. These include notifying the affected individual(s), HHS' Office for Civil Rights, and – in certain cases – local media. The failure to comply with the Breach Notification Rule will exacerbate any penalty imposed by HHS' Office for Civil Rights for the HIPAA violation that caused the data breach.

Who is Responsible for HIPAA Compliance for Optometrists?

As mentioned in the introduction, the responsibility for optometry compliance can vary depending on the structure of the practice. Naturally, when an optometrist is a solo practitioner, they are the Covered Entity (even if they employ assistants), are solely responsible for HIPAA compliance, and must designate the roles of Privacy Officer and Security Officer to themselves.

When an optometrist is co-partner of, or employed by, a group practice, but “owns” patient records, the optometrist is solely responsible for complying with HIPAA for the records they “own”, even though the group practice is the Covered Entity and some optometry compliance measures may be shared between the group (for example, the physical safeguards of the Security Rule).

When an optometrist is co-partner of, or employed by, a group practice and patient records are pooled, the group practice has to appoint a Privacy Officer and a Security Officer or designate the roles to existing members of the workforce. The Privacy and Security Officers (which can be the same person) are responsible for HIPAA compliance for optometrists.

HIPAA Compliance for Optometrists: FAQs

Why is optometry compliance mandatory for most, but not all, optometrists?

Some optometrists do not fulfil the criteria to be HIPAA Covered Entities. For example, if an optometrist practice does not transmit Protected Health Information electronically, it is not a HIPAA Covered Entity and not subject to HIPAA compliance for optometrists.

Additionally, optometrists that work exclusively in educational institutions are not required to comply with HIPAA because students' medical records are part of their educational records under the Family Educational Rights and Privacy Act (FERPA).

Other federal, state, and industry exceptions can apply to HIPAA compliance for optometrists. Therefore, optometry professionals unsure about their HIPAA status are advised to seek advice from an attorney or compliance professional.

When might an optometrist who is not a Covered Entity be required to comply with the HIPAA Rules?

If Optometrist A – who does not qualify as a Covered Entity – performs a service for or on behalf of Optometrist B – who does qualify as a Covered Entity – and the service involves the creation, use, storage, disclosure, or transmission of Protected Health Information, Optometrist A becomes a Business Associate of Optometrist B.

As a Business Associate of Optometrist B, Optometrist A must comply with the Security Rule, the Breach Notification Rule, and certain elements of the Privacy Rule depending on the nature of the disclosure and for what it will be used. Optometrist A will also have to sign a Business Associate Agreement with Optometrist B to provide assurances that PHI will remain secure.

What if a practice only deals with cash customers?

If a practice only deals with cash customers, even though it may not transmit HIPAA-covered transactions relating to eligibility, authorizations, and claims, there may be times when patient data is shared with third parties – for example, when a prescription is sent to a lens supplier.

In these circumstances, the communication (to a lens supplier) is a HIPAA-covered transaction if it is communicated electronically. Any individually identifiable health information within the communication (name, address, head size, etc.) is also covered by HIPAA.

Once one communication (and the data within it) is covered by HIPAA, every communication (and the data within it) is also covered by HIPAA. Therefore, even if a practice only deals with cash customers, it is highly likely it will qualify as a HIPAA Covered Entity.

Why are written paper notes an issue under HIPAA?

It is not the notes themselves that are an issue. It is how they are secured and disposed of once the information on them has been transferred to an EHR that can create compliance issues – for example, if written paper notes are not locked away until they are no longer required.

Which optometry and ophthalmic practices are currently under investigation for HIPAA data breaches?

Details of all Covered Entities under investigation for HIPAA data breaches can be found on HHS' Breach Report. Some of the largest involving hacking and IT incidents at optometry and ophthalmic practices include:

| Name | State | Records Exposed |
|---|---|---|
| Alabama Eye and Cataract P.C. | AL | 26,000 |
| Allied Eye Physicians and Surgeons | OH | 20,651 |
| Associated Eye Care | MN | 40,793 |
| Center for Sight, Inc | MA | 41,041 |
| Chesapeake Eye Center PA | MD | 32,770 |
| Luxottica | OH | 829,454 |
| Mattax Neu Preter Eye Center, Inc | MO | 92,361 |
| Ophthalmology Associates | MN | 67,000 |
| Sight Partners Physicians P.C. | WA | 86,101 |
| Simon Eye | DE | 144,373 |

What penalties can optometrists receive for violating HIPAA?

Most violations of HIPAA are resolved by HHS' Office for Civil Rights offering technical assistance or imposing a Corrective Action Plan (which itself can be costly to comply with). When financial civil penalties are issued, the amount of the penalty reflects the Covered Entity's culpability for the violation (notwithstanding that State Attorneys General can also issue financial civil penalties).

The four levels of culpability correspond to: reasonable efforts having been made to identify threats to the privacy of health information and to implement measures that mitigate the likelihood of those threats occurring; a violation attributable to a lack of oversight; a violation attributable to willful neglect; and, at the highest level, willful neglect where the violation is not corrected within 30 days.

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Reasonable Efforts | $127 | $63,973 | $1,919,173 |
| Tier 2 | Lack of Oversight | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Neglect – Rectified within 30 days | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Neglect – Not Rectified within 30 days | $63,973 | $1,919,173 | $1,919,173 |