HIPAA Compliance for Ophthalmology: What You Need to Know

Are you an Ophthalmologist? Did you know that you need to be HIPAA compliant? As an Ophthalmologist treating patients, you are considered a covered entity under HIPAA, with specific responsibilities. Find out how to become a HIPAA compliant Ophthalmologist.

What is Required for a HIPAA Compliant Ophthalmology Practice?

As a HIPAA covered entity, it is essential for Ophthalmology practices to be HIPAA compliant. To be HIPAA compliant, you must follow the rules and regulations outlined in the HIPAA Privacy, Security, and Breach Notification Rules. 

Each of these Rules comes with a specific set of standards to ensure protected health information (PHI) use and disclosure is limited to only authorized parties. 

HIPAA Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of PHI. To comply with the Privacy Rule, HIPAA compliant Ophthalmologists must limit PHI use and disclosure, provide patients with a Notice of Privacy Practices, and grant patients access to their medical records.

Minimum Necessary Standard

The HIPAA minimum necessary standard requires healthcare providers to limit the use and disclosure of PHI to the minimum needed to perform specific job functions. In other words, not all employees need the same level of access to information to perform their assigned jobs.

For example, an Ophthalmologist likely needs access to a patient’s entire medical history to perform their job successfully. A Physician Assistant or Optometrist in the same practice may not need the same level of access to the chart. 

An Office Manager would also require different access levels to a patient’s chart, limited to the information they need to book patient appointments, accept payment for the visit, and submit claims to their health insurance provider.

HIPAA Notice of Privacy Practices

A HIPAA Notice of Privacy Practices (NPP) provides patients with an explanation of how their PHI will be used and disclosed by their healthcare provider. An NPP must be provided to the patient upon intake before receiving treatment.

An NPP must include:

  • The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • A description of how PHI can be used for treatment, payment, and health care operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.
    • A covered entity may use or disclose PHI without authorization for specific, limited purposes. Examples include public health and health oversight activities, and judicial proceedings.
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice.
  • The date on which the notice is first in effect.
  • A statement that an individual may revoke an authorization.

Right of Access

The HIPAA Right of Access standard gives patients the right to request copies of their medical records from their healthcare provider. 

Under this standard, providers must provide patients with access to their records:

  • Within 30 days of the request
  • In the format requested by the patient (e.g., paper, CD, USB)
  • For a reasonable cost-based fee

In 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began prioritizing the enforcement of the right of access standard. Since then, most of the HIPAA violation fines imposed have been levied on organizations that failed to comply with the standard.

HIPAA Security Rule

The HIPAA Security Rule requires healthcare providers to ensure the confidentiality, integrity, and availability of protected health information (PHI). Ophthalmologists are required to implement administrative, technical, and physical safeguards to meet the requirements of the Security Rule.

Administrative Safeguards

Practices must conduct an accurate and thorough security risk assessment (SRA) to meet HIPAA administrative safeguard requirements. By completing a risk assessment, you can determine what security measures are reasonable and appropriate for your practice and identify deficiencies in your current security practices.

To complete a risk assessment, follow the steps below:

  • Collect data
  • Identify and document potential threats and vulnerabilities
  • Assess current security measures
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Determine the level of risk

HIPAA compliance requires your practice to complete an SRA annually or whenever there has been a change to your business practices. 

Technical Safeguards

The technical safeguards required by HIPAA ensure that electronic protected health information (ePHI) is secure. 

To meet the requirements, healthcare providers must implement: 

  • Access Controls: policies and procedures to allow only authorized persons to access ePHI.
  • Audit Controls: hardware, software, and/or procedural mechanisms to record and examine access in information systems containing or using ePHI. 
  • Integrity Controls: policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed. 
  • Transmission Security: security measures that guard against unauthorized access to ePHI transmitted over an electronic network. 
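As an added illustration (not code from this page or from any vendor), here is one way a practice's own systems could enforce the minimum necessary standard described earlier together with the Access Controls and Audit Controls listed above: a deny-by-default permission matrix keyed by job role, and an audit trail that records every allowed and refused attempt so it can be examined later. The roles, PHI categories, permission matrix, user names and sample record are constructed assumptions for a small ophthalmology practice, not a list prescribed by HIPAA.

```python
"""Role-based 'minimum necessary' access check with an audit trail.

Added example; not code from the page or from any product. The roles, PHI
categories and permission matrix below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed categories a patient record might be split into.
PHI_FIELDS = frozenset({
    "demographics",          # name, date of birth, contact details
    "appointment_schedule",
    "billing",
    "insurance",
    "clinical_history",
    "exam_notes",
    "diagnostic_images",
})

# Constructed permission matrix: each role sees only what its job needs.
# Anything not listed here is refused (deny by default).
ROLE_PERMISSIONS = {
    "ophthalmologist": {
        "read": PHI_FIELDS,
        "write": {"clinical_history", "exam_notes", "diagnostic_images"},
    },
    "optometrist": {
        "read": {"demographics", "clinical_history", "exam_notes", "diagnostic_images"},
        "write": {"exam_notes"},
    },
    "office_manager": {
        "read": {"demographics", "appointment_schedule", "billing", "insurance"},
        "write": {"appointment_schedule", "billing"},
    },
}


@dataclass
class AuditEvent:
    """One record of who tried to do what to which PHI category, and the outcome."""
    timestamp: str
    user: str
    role: str
    action: str
    phi_field: str
    allowed: bool


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def is_permitted(self, role, action, phi_field):
        """Pure policy decision: unknown role, unknown field or unlisted action all deny."""
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None or phi_field not in PHI_FIELDS:
            return False
        return phi_field in perms.get(action, set())

    def request(self, user, role, action, phi_field):
        """Decide and log. Both allowed and refused attempts are recorded."""
        allowed = self.is_permitted(role, action, phi_field)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, action=action,
            phi_field=phi_field, allowed=allowed))
        return allowed

    def fetch_record(self, user, role, record):
        """Return only the parts of a record the role may read; every field is logged."""
        return {k: v for k, v in record.items()
                if self.request(user, role, "read", k)}

    def denied_events(self, role=None):
        """Audit-control view: refused attempts, optionally filtered by role."""
        return [e for e in self.audit_log
                if not e.allowed and (role is None or e.role == role)]


# Constructed sample record with one value per category.
SAMPLE_RECORD = {name: f"<{name}>" for name in PHI_FIELDS}


def office_manager_view():
    """Constructed walk-through: an office manager (user 'jdoe') opens a chart."""
    ac = AccessControl()
    visible = ac.fetch_record("jdoe", "office_manager", SAMPLE_RECORD)
    return visible, ac.denied_events("office_manager")


if __name__ == "__main__":
    visible, refused = office_manager_view()
    print("office manager sees:", sorted(visible))
    print("refused categories:", sorted(e.phi_field for e in refused))
```

The policy decision (`is_permitted`) is kept separate from the logging wrapper (`request`) so the matrix can be unit-tested on its own, while the log captures refusals as well as grants; a refused read of `exam_notes` by a scheduling account is exactly the kind of event an audit review should surface.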

Physical Safeguards

Physical safeguards required by the HIPAA regulation should protect your physical location, such as your practice’s office. 

Physical safeguards include:

  • Facility access controls that limit access to your office with measures such as locks and security systems
  • Workstation and device security that limits access to devices that have the potential to access ePHI

HIPAA Breach Notification Rule and Breach Notification Requirements

The HIPAA Breach Notification Rule requires healthcare organizations to report breaches that compromise the confidentiality, integrity, or availability of protected health information. 

Incidents that are considered reportable breaches include:

  • Hacking or IT incidents
  • Unauthorized access or disclosure of PHI
  • Theft or loss of an unencrypted device with access to PHI
  • Improper disposal of medical records

When a patient’s PHI is potentially affected by one of these incidents, providers must inform the affected patient within 60 days of discovery. Affected patients must receive breach notification letters by mail. 

If ten or more affected patients cannot be reached by mail, a substitute notice must be available on the organization’s website. If the incident affected 500 or more patients, the breached organization must notify media outlets to ensure that all affected patients are aware of the incident.

Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many patients are affected by the incident.

  • Breaches affecting 1 – 499 patients: organizations must keep an account of any breach that involved fewer than 500 patients during the calendar year. Organizations have 60 days from the end of the calendar year in which the breach occurred (i.e., until March 1st) to report these incidents to the HHS.
  • Breaches affecting 500+ patients: any incident that affected 500 or more patients must be reported to the HHS within 60 days of discovering the incident. These incidents are posted on the OCR’s online breach portal for public display.

Implementing an Effective HIPAA Compliance Program

Navigating the complexities and nuances of the HIPAA Rules can be difficult to do without guidance. The HHS expects health practices to be aware of their obligations under HIPAA, but they don’t make it easy to understand what that means exactly. 

The HHS leaves it up to individual organizations to determine what “reasonable and appropriate” safeguards mean for their business and to implement them accordingly.

But how are you supposed to know what that means for your Ophthalmology practice?

Meeting the HIPAA requirements really boils down to five main points that make up an effective HIPAA compliance program.

Security Risk Assessments, Gap Identification, and Remediation

HIPAA compliance first requires you to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices.

To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. 

To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.

Employee HIPAA Training

To ensure that your employees know their responsibilities under the HIPAA rules, they must receive annual training. This training must cover HIPAA basics, an overview of your organization’s policies and procedures, and cybersecurity best practices.

Business Associate Agreements

Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

You cannot use just any vendor and be HIPAA compliant. They need to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and be responsible for maintaining their compliance. Using vendors for services without a signed BAA violates HIPAA regulations.

Incident Management

To comply with the HIPAA Breach Notification Rule, you must have a system in place for detecting, responding to, and reporting breaches. Employees must also have the means to report incidents anonymously and know what to do if they suspect a breach has occurred.

Ophthalmologist HIPAA Violations and Fines

Ophthalmologist HIPAA violations occur when the practice fails to meet the standards set forth by HIPAA. Although a breach can lead to a HIPAA violation, the HHS does not issue fines to an organization simply for being breached. Most HIPAA fines are issued for failing to meet the HIPAA right of access standard, failing to conduct an accurate and thorough SRA, or widespread compliance failures. 

When a HIPAA violation occurs, organizations are subject to fines and corrective actions. Penalty amounts are assessed based on the level of perceived negligence of the healthcare provider, as determined by the HHS’ Office for Civil Rights (OCR).

Diagnostic Images, Patient Photos, and HIPAA

There may be times when an Ophthalmologist needs to track patient progress using diagnostic images or photographs. It is essential to understand how you should be handling those images so that you don’t violate HIPAA.

Things to consider include:

  1. Is the storage of the images HIPAA compliant? Do you have a signed BAA with your cloud storage provider? Do you limit patient photo or image access to only the employees that need it?
  2. Are you sending patient photos through email? Is your email encrypted? Do you have a signed BAA with your email service provider? 
  3. Are employees aware that patient images can only be shared via social media with explicit patient written authorization? Are you obtaining patient consent to share their likeness and testimonials on your website?

Marketing Your HIPAA Compliant Ophthalmology Practice

Many times, you must communicate with your patients regarding treatment or billing matters, but what happens if you want to promote a new service offered by your Ophthalmology practice? HIPAA regulations have specific guidelines regarding the use of patient PHI for marketing. For more guidance, we have written How HIPAA and Marketing Intersect: Social Media, Websites, and Email Marketing that discusses things to consider when marketing to maintain your HIPAA compliance.
