Health Insurance Portability and Accountability Act

HIPAA requires covered entities and their business associates to protect the privacy and security of protected health information (PHI). It also provides patients with rights to their PHI. HIPAA's Privacy Rule restricts the use and disclosure of individual's PHI. The Security Rule requires administrative, technical and physical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI.

 HIPAA and PHI

The following links and resources are designed to help you begin developing policies that make your practice compliant with HIPAA.  AOA has also provided the HIPAA Security Regulation Compliance Manual (DOC, PDF or AOA Marketplace), which gives a step-by-step overview to help you understand the compliance process. However, these resources are not intended as legal advice. You should always consult legal counsel and HIPAA compliance experts when implementing compliance policies and to ensure that your practice fully complies with all federal, state and local laws.

  • Security Rule
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Security Risk Analysis

Patient rights: Under the privacy rule, patients have the rights to:

  • Access their PHI
  • Restrict disclosures
  • Request amendments
  • Request an accounting of disclosures
  • Complain without

Covered entities subject to HIPAA: The vast majority of optometry practices and doctors are covered entities and subject to HIPAA. You are a covered entity if you are a provider who electronically transmits (e.g., fax or email) health information related to financial or administrative activities, such as:

  • Claims and encounter information
  • Payment and remittance advice
  • Claims status
  • Eligibility
  • Enrollment and disenrollment
  • Referrals and authorizations
  • Coordination of benefits
  • "Other transactions" established by HHS

Protected health information (PHI): PHI is individually identifiable health information that identifies the individual or can be used to identify the individual. PHI must be protected in any form or media (electronic, paper or oral). Data that is commonly considered PHI includes:

  • Name
  • Address
  • Birth date
  • Social Security Number
  • Facial Image

Disclosures: Generally, patient's PHI must be protected and cannot be released to other parties without the patient's consent. However, practices can disclose PHI if the patient authorizes the disclosure or if disclosure is permitted/required by the privacy rule. Disclosures are required by the privacy rule if the patient requests the disclosure or if your practice is under audit by the HHS. Practices are permitted to disclose PHI without written patient authorization when the PHI is disclosed:

  • To the patient
    A covered entity may disclose PHI to the individual who is the subject of the information.

  • For treatment, payment and health care operations
    A covered entity may use and disclose protected health information for its own treatment, payment and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.

  • When the patient had the opportunity to agree or object
    Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce or object. Where the individual is incapacitated, in an emergency situation or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.

  • When the disclosure incident to an otherwise permitted use and disclosure
    The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as "incident to," an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the "minimum necessary," as required by the Privacy Rule. See additional guidance on Incidental Uses and Disclosures.

  • For public interest and benefit activities
    The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for 12 national priority purposes.28 These disclosures are permitted, although not required, by the rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.

  • For research public health purposes (limited)
    "Research" is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual's authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals' authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought. A covered entity also may use or disclose, without an individuals' authorization, a limited data set of protected health information for research purposes (see discussion below). See additional guidance on Research and NIH's publication of "Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule."

  • Serious threat to health or safety
    Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.

  • Essential government functions
    An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution and determining eligibility for or conducting enrollment in certain government benefit programs.

  • Workers' compensation
    Covered entities may disclose protected health information as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work-related injuries or illnesses.42 See additional guidance on Workers' Compensation. 

HIPAA Resources

AOA Resources

HHS Resources:


Need More Information? Please contact Jensen Jose at: JJose@aoa.org