Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) enacted various privacy and security protections for patient health information. Most health care providers, including optometrists, are required to comply with HIPAA. Since HIPAA became law, a number of regulations have been issued that govern how health care providers must protect the privacy of the patients they treat. The resources and information below are provided to assist optometrists in complying with HIPAA.



The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules are federal law. The Privacy Rule gives individuals rights over their health information and sets rules and limits on who can look at and receive health information. The Security Rule delineates safeguards to protect health information in electronic form and helps to ensure that electronic protected health information is secure.

Individuals, organizations, and agencies that meet the definition of a "covered entity" must comply with HIPAA. An optometrist is a "covered entity" if he or she transmits any health information in electronic form in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard; submitting an electronic claim to Medicare or another payer is one such transaction. HHS provides a tool for determining whether you are a covered entity.

Updated HIPAA regulations (the Omnibus Final Rule) were issued in January 2013. The new regulations account for changes in health care practice, including the increased use of electronic health records. Most provisions of the updated regulations have a compliance deadline of September 23, 2013.

HIPAA Regulations

Combined Text of all HIPAA Rules (Updated March 2013)

HIPAA Omnibus Final Rule (Issued January 2013)

HIPAA Breach Notification Rule (Issued August 2009)

HIPAA Security Rule Summary (Compliance was required as of April 20, 2005)

HIPAA Privacy Rule Summary (Compliance was required as of April 14, 2003)

Templates and Forms

Notice of Privacy Practices (Updated June 2013)

HHS Sample Business Associate Agreement

File a HIPAA Complaint

Security Risk Assessment Tool


Additional Resources

AOA Frequently Asked HIPAA Questions

AOA Excel

Updated HIPAA Regulations-What Optometrists Need to Know Now (March 2013)

HHS Offers HIPAA Webinars for Small Health Practices (Summer 2013)

HHS Office for Civil Rights Health Information Privacy

HHS HIPAA Frequently Asked Questions

HHS Guidance on Significant Aspects of the Privacy Rule

HHS HIPAA Training Materials

HHS Fast Facts for Covered Entities

Overview of HIPAA Transactions and Code Sets Regulation

Sign up for the HHS Office for Civil Rights Privacy and Security Listserv

Additional HIPAA compliance resources are available at:

Questions regarding HIPAA regulations not addressed in the above resources can be directed to the American Optometric Association (800-365-2219) or