Please visit U.S. Department of Health & Human Services (HHS) for complete information on HIPAA rules and regulations.

All health care providers, regardless of size, who conduct certain electronic financial and administrative transactions, such as electronic billing, related to health care are covered entities. As a covered entity, you need to ensure you are in compliance with all HIPAA regulations.

This information is provided for informational purposes only and provides a general overview of HIPAA rules and regulations. It is not intended to replace the professional advice of legal counsel. Many variables must be considered before releasing confidential information about a patient. If a specific concern about whether to release a patient’s records arises, consult an attorney.

HIPAA Privacy Rule

Protects the privacy of individually identifiable health information, or Protected Health Information (PHI) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. PHI is information, including many common identifiers (e.g., name, address, birth date, Social Security Number) or demographic data, relating to:

  • the individual’s past, present or future physical or mental health or condition,

  • the provision of health care to the individual, or

  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

For a summary of the Privacy Rule: http://www.hhs.gov/sites/default/files/privacysummary.pdf

HIPAA Security Rule

Protects individuals' electronic protected health information (e-PHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Specifically, covered entities must:

    1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;

    2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;

    3. Protect against reasonably anticipated, impermissible uses or disclosures; and

    4. Ensure compliance by their workforce.

For a summary of the Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

HIPAA Breach Notification Rule

Requires covered entities and business associates to provide notification following a breach of unsecured protected health information. If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the HHS Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.

If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered.

All notifications must be submitted electronically. To report a breach: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

For more information: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Business Associate

In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. A covered entity can be the business associate of another covered entity.

If you plan to utilize a contractor or other nonworkforce member to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement. In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule.

HHS FAQ Page answering numerous questions: http://www.hhs.gov/hipaa/for-professionals/faq

View the combined unofficial regulation text: http://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf

HIPAA for small providers and businesses: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/small-providers-small-health-plans-small-businesses/index.html

AOA provides many resources to help ensure you remain HIPAA compliant, including a compliancy manual and sample business associate contracts. Login is required: http://www.aoa.org/optometrists/tools-and-resources/hipaa-compliance

California State Law

California Civil Code sections 56-56.37 pertain to medical information confidentiality. This law limits the disclosure of patients' medical information by medical providers, health plans, pharmaceutical companies, and many businesses organized for the purpose of maintaining medical information. It specifically prohibits many types of marketing uses and disclosures. It requires an electronic health or medical record system to protect the integrity of electronic medical information and to automatically record and preserve any change or deletion.