Updated HIPAA regulations: What ODs need to know

March 6, 2013

The Health Insurance Portability and Accountability Act (HIPAA) patient privacy protection processes optometrists implemented years ago have now become routine for doctors, staff members, and patients. With the issuance of the new regulations, now is the time for optometrists to update their compliance procedures.

The U.S. Department of Health & Human Services (HHS) changed some of the requirements, and practitioners face bigger penalties for noncompliance. Here are some basic concepts that optometrists should understand as they begin to identify the changes that may need to be made in their practices.

Please note the AOA provides guidance on HIPAA by citing relevant provisions of the HIPAA regulations. This guidance should not be construed as legal advice. Practitioners are encouraged to contact an attorney for legal guidance. For additional information, see the “Updated HIPAA Regulations: What Optometrists Need to Know Now” frequently asked question document at www.excelod.com/HIPAA.

HIPAA: the federal health care privacy law

The HIPAA Privacy and Security Rules are federal law. The Privacy Rule gives individuals rights over their health information and sets rules and limits on who can look at and receive health information. The Security Rule delineates safeguards to protect health information in electronic form and helps to ensure that electronic protected health information is secure.

Who must comply?

Individuals, organizations, and agencies that meet the definition of a “covered entity” must comply with HIPAA. An optometrist is considered a “covered entity” if he/she transmits any information in an electronic form in connection with a transaction for which the HHS has adopted a standard. For example, submitting an electronic claim to Medicare or another payer is such a transaction. To determine if you are a covered entity, visit www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html.

Notice of Privacy Practices

Most covered entities (including optometrists) are required to have a Notice of Privacy Practices (NPP). An NPP describes the uses and disclosures of protected health information a covered entity is allowed to make. The NPP also includes the covered entity’s legal duties and privacy practices with respect to protected health information. A patient’s rights with regard to protected health information are also included in an NPP.

Business associate agreements

According to the HHS, “The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”

Breaches of protected health information

“Breach” is generally defined as the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of such information. Health care practitioners may be required to notify affected patients, the HHS, and even the media in the event of a breach of health information protected under the law. If the protected health information is secured by encryption, the security or privacy is generally not considered compromised and the incident is not considered a breach, so the risk assessment and subsequent reporting is not required.

Patient access to health records

Patients will be guaranteed additional access to their health records under the new regulations. The regulations will allow patients to request electronic copies of their patient health information. The new regulations specifically require health care providers to provide electronic information to a patient in the electronic format requested by the patient, if it is readily producible, or, if not, in a readable electronic format as agreed to by the health care provider and the patient.

Patient rights when paying out of pocket for services rendered

In a significant change from the previous HIPAA regulations, patients who pay out of pocket for treatment can prohibit their health care practitioners from disclosing their health information to a health plan. The regulations require that optometrists agree, in most cases, to a patient’s request to restrict disclosure to a health plan of the patient’s protected health information that pertains to a health care service for which the patient has paid the health care provider in full out of pocket.

Penalties for noncompliance

The penalties for noncompliance range from $100 to $50,000 for each HIPAA violation. A maximum of $1.5 million will be assessed for violations of the same provision in one calendar year. The HHS will take into account a number of factors in determining the financial penalty. Issues such as the extent of the violation, the harm of the violation and other factors will be considered. If your state has additional privacy protections that are more stringent than the federal regulations, you are also required to comply with those state provisions.

Compliance deadline

Optometrists have until Sept. 23, 2013, to comply with the rule unless an exception applies.


  1. So is there an example of what needs to be updated vs what we are already doing?

  2. The last comment was on May 9 with no response… Facebook is alight with questions colleagues are asking each other. Is there an answer? ‘What exactly needs updating’?

  3. Further details will be forthcoming. This more recent post may assist with your questions: http://newsfromaoa.org/2013/06/08/180-day-countdown-under-way-ods-have-five-months-to-meet-revised-hipaa-privacy-security-regulations/.

    • Thank you for your question. How the new regulations impact a practice will depend on the individual practice and whether the practice has updated their Notice of Privacy Practices (NPP) and other HIPAA policies over the past few years. Generally speaking, nearly all practices will need to update their Notice of Privacy Practices and Business Associate Agreements.
      New AOA HIPAA Notice of Privacy Practices forms – reflecting new, more stringent, federal privacy protection standards – are now available for optometric practices through AOA Marketplace. The forms are available for immediate shipment by calling 800-262-2210 between 8 a.m. and 4 p.m. CST, Monday through Friday or by emailing orders@aoa.org. AOA members should include their member numbers when contacting AOA Marketplace to qualify for a member discount. The AOA HIPAA Notice of Privacy Practices form is offered as a resource. It is not intended to suit all optometry practices or to constitute legal advice. Practicing optometrists should review the form with their legal counsel to ensure it reflects any applicable state privacy protection regulations and the actual privacy protection measures taken in their offices.
      AOA Excel is also working on developing additional resources to assist members in complying with the new regulations before the September compliance date. Once any additional resources are finalized, we will publicize them in our publications.
      Additionally, the Department of Health and Human Services is planning to hold a series of webinars regarding the new regulations which may be helpful to you. I’ve included the webinar information below:

      The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Workgroup for Electronic Data Interchange (WEDI) are launching a series of co-sponsored webinars on various aspects of the Omnibus HIPAA Rulemaking. The 90-minute webinars are specifically designed for small health care providers, with a focus on practical strategies for implementing the Omnibus Rule changes within a small clinical practice.

      The virtual sessions are scheduled for June 28, July 17 and July 26, 2013 from 1:00pm – 2:30pm Eastern Time on the following topics:

      • Drill down on the new HITECH Privacy Rule – June 28

      • Breach and Enforcement under the HITECH Omnibus Rule – July 17

      • Business Associates and the HITECH Omnibus Rule – July 28

      Registration is free of charge and available at: http://www.wedi.org/forms/meeting/MeetingFormPublic/view?id=2C09800000249. WEDI was formed in 1991 by then Secretary of HHS Dr. Louis Sullivan and was named in the original 1996 HIPAA legislation as an advisor to HHS.

      The AOA understands the importance of this issue to our members. Please look for additional information and resources regarding HIPAA compliance in upcoming AOA publications.

  4. What about non-AOA members? What do they do?

    • The updated forms may be purchased through the Marketplace at 800-262-2210 or orders@aoa.org.

      • Re: non-members – So many answers…..so little room.

  5. Per my phone call today to AOA, forms are NOT available to non-AOA members
