The following forms and information are designed to help you begin developing policies that make your practice compliant with the Health Insurance Portability and Accountability Act ("HIPAA") and Security Rules. These rules are federal law, and you should always consult legal counsel to ensure that your practice fully complies with all federal and state laws.
Rights & Protections Provided by HIPAA
The HIPAA Privacy Rule grants patients rights over their health information and sets rules on who can access their health information. The Security Rule outlines safeguards to protect health information in electronic form and helps to ensure that electronic protected health information is secure.
Optometrists Subject to HIPAA Requirements
A practice may be considered a "covered entity" and subject to HIPAA requirements if it transmits any information in an electronic form in connection with a transaction for which HHS has adopted a standard. For example, submitting an electronic claim to Medicare or another payer is such a transaction. If your practice is a covered entity, violations of the HIPAA Rules, which include not complying with the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the Patient Safety Rule, can result in thousands of dollars in fines. Below, we have provided two forms to help your practice start developing HIPAA-compliant policies. However, there are many more steps to becoming fully HIPAA compliant. The AOA strongly recommends that you utilize the HIPAA compliance products that Excel offers and consult legal counsel to ensure your practice becomes and remains compliant with all HIPAA rules, regulations, and policies.
Required Notice of Privacy Practices
The HIPAA rules and regulations dictate that you notify your patients of who has access to their health information and how that information is being protected. The AOA recommends that you provide this notification as a "Notice of Privacy Practices." Below is a sample Notice of Privacy Practices. It should be reviewed in consultation with your legal counsel in order to make the necessary changes that suit your particular practice and comply with state law. HIPAA requires that the Notice of Privacy Practices be provided to your patients at the beginning of your treatment, on your website, at the premises of your practice, and upon patients' requests. It also allows you to send this notice electronically. For more details on the required HIPAA notices, click here.
Business Associate Agreement
Under the Privacy Rule, your practice must obtain assurances that its business associates will appropriately safeguard the protected health information they receive or create on your behalf. A "business associate" is a person or organization that performs certain functions or activities for your practice that involve the use or disclosure of protected health information. These functions or activities include payment or health care operations activities, as well as other functions or activities.
Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. Employees of your practice are not considered business associates. See the definition of "business associate" at 45 CFR 160.103.
Need More Information? Please contact Jensen Jose at: JJose@aoa.org