5 Things New Optometrists Should Know About HIPAA

Sep 25, 2014
5 min read

HIPAA compliance can no longer be treated as an unregulated elective. Being well-versed in HIPAA compliance as a new optometrist is essential to building a practice that survives an audit.



For a student just coming out of optometry school, the idea of trying to build a successful practice can be quite daunting to say the least.

Between the demands of providing quality patient care, competition for retail business from discount websites, and the difficulty of building a thriving business, a new practicing optometrist has every reason to feel overwhelmed. On top of those stresses, there is one more area an optometry school graduate must attend to, and it is one that most Eye Care Professionals have largely ignored until now.

Where is HIPAA Today?

HIPAA compliance can no longer be treated as an unregulated elective. Being well-versed in HIPAA compliance is one more hat a graduating student must wear in order to stay afloat in today’s market. Because of the Meaningful Use (MU) program and the 2013 Final Omnibus Rule, the long-neglected Privacy and Security Rules have stepped out of the shadows, and HIPAA has asserted itself as a staple of the eye care industry for decades to come. The good news for graduates is that, while building a new practice, they can put proactive HIPAA safeguards in place from day one, which sharply reduces both the risk of a failed Government HIPAA audit and the risk that their patients’ health information will be compromised.

What Can New Graduate ODs Do?

While most newly graduated Eye Care Professionals understand the importance of selecting a certified EHR product, the Centers for Medicare & Medicaid Services (CMS) is currently recovering incentive payments from providers who cannot document that they met every core measure within the MU program, and a lack of knowledge about those measures is what trips most of them up.

As part of the MU audit process, which began in September 2013, a growing share of the $21.5B in incentive funds paid out to providers is being recouped every day.

Where Are People Failing HIPAA Audits?

Many failed audits center on Stage 1 Core Measure 15, Protecting Electronic Health Information, and these failures are completely and easily avoidable. The 2013 Final Omnibus Rule also reinforces the importance of HIPAA compliance in today’s medical environment, and the Government has made clear that it will initiate HIPAA compliance audits of Covered Entities at random, regardless of whether they participate in the Meaningful Use program.

What is a HIPAA Security Risk Analysis?

The goal of these newer HIPAA requirements is to make sure a Covered Entity (CE) actually complies with the HIPAA Privacy and Security Rules, which were issued in the early 2000s and are enforced by the Office for Civil Rights (OCR). To be HIPAA compliant, a provider must conduct or review a HIPAA security risk analysis. A HIPAA risk analysis is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information held by the CE.

The risk analysis must address five areas of the practice:

  1. Technical Safeguards
  2. Physical Safeguards
  3. Administrative Safeguards
  4. Policies and Procedures
  5. Organizational Requirements

CMS and OCR prescribe no single method or template for the analysis. What they do require is documentation: there is no way to pass a CMS or OCR audit without proper documentation of a completed risk analysis. Unfortunately, most doctors have overlooked or ignored this core measure. Among the small minority of CEs who have actually attempted a risk analysis, many were not thorough enough to satisfy the Government. That is why so many audited CEs have failed and had to return the incentive funds they received for that calendar year.

Do the Work Yourself or Outsource It?

The first decision a graduate faces when it comes to HIPAA compliance is whether or not to outsource it. Do they try to track down the CMS/OCR guidance on their own, then conduct and document a thorough risk analysis themselves? Or do they bring in outside help to ensure compliance? Given the knowledge, resources, and time that CMS/OCR expects a participant to dedicate to HIPAA compliance, working with a company that specializes in HIPAA compliance services is a must for an organization of any size. Remember, when CMS/OCR decides whom to audit, it treats all participants equally: an independent physician is just as likely to be audited as a major hospital. Ensuring that documentation is accessible and reliable in case of an audit is therefore prudent for everyone.

After graduating from optometry school, the will to succeed is high. Unfortunately for today’s graduates, there are many pitfalls that can steer a new OD down a path of no return. By focusing on compliance in the early years of their practice, graduates can keep HIPAA violations from being one of them. In doing so, they will not only protect themselves in future audits but, more importantly, secure their patients’ health information, something no one can put a price on.