HIPAA Basics for a New Allied-Health Practice
HIPAA compliance is one of the first operational obligations a new healthcare practice must address — and one many providers underestimate until they are already seeing patients. The law does not distinguish by specialty. If you transmit patient health information electronically in connection with billing or treatment, the same core rules apply whether you are an optometrist, a physical therapist, a chiropractor, or a speech-language pathologist.
This article covers the administrative setup HIPAA requires before you open: how to confirm your status as a covered entity, the documents and agreements you must have in place, what the Security Rule actually demands at the practice level, and what happens when something goes wrong.
Who Qualifies as a Covered Entity
Under HIPAA, three types of organizations must comply: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a covered transaction. The third category is where most solo practitioners land.
A “covered transaction” includes submitting a claim to an insurer, checking patient eligibility, or processing a payment remittance. HHS defines covered entities to include most healthcare providers — physicians, chiropractors, optometrists, dentists, physical therapists, mental health providers, and other allied-health clinicians — if they bill electronically.
A strict cash-pay practice that never submits a single electronic claim occupies a narrow exception, but few new practices remain there for long. If you store patient records in any digital system, use scheduling software linked to health information, or accept electronic payment connected to health data, you should operate as a covered entity from day one.
The Three Rules That Govern Your Obligations
HIPAA’s requirements fall into three separate rules:
Privacy Rule. Governs how you use and disclose protected health information (PHI) — any individually identifiable health information you create, receive, maintain, or transmit. Patients receive specific rights under this rule, and certain disclosures require their written authorization. See the HHS Privacy Rule summary.
Security Rule. Governs only electronic PHI (ePHI). Requires administrative, physical, and technical safeguards appropriate to the size and complexity of your practice. See the HHS Security Rule overview.
Breach Notification Rule. Requires you to notify affected individuals, HHS, and in some cases the media when unsecured PHI is accessed, used, or disclosed without authorization.
Notice of Privacy Practices
Your Notice of Privacy Practices (NPP) is the document that tells patients how you collect, use, and share their PHI. It must be given to every patient at or before their first appointment, and you must make a good-faith effort to get a signed acknowledgment. If a patient declines to sign, document the attempt.
What an NPP must include:
- Permitted and required uses and disclosures (treatment, payment, operations; disclosures required by law)
- Patient rights: access, amendment, accounting of disclosures, restrictions, and complaint filing
- Your legal duty to protect PHI
- How to file a complaint with your practice or with HHS
- Effective date
2026 update. As of February 16, 2026, all HIPAA covered entities must include language in their NPP about substance use disorder (SUD) patient record protections under 42 CFR Part 2. The required language: “To the extent that we have your substance use disorder patient records, subject to 42 CFR part 2, we cannot use or share information in those records in civil, criminal, administrative, or legislative investigations or proceedings against you without (1) your consent or (2) a court order and a subpoena.” The HHS model NPP has been updated to reflect this requirement and is available as a free starting point.
Post the NPP visibly in your office and on your website if you have one.
Business Associate Agreements
A Business Associate (BA) is any outside person or organization that performs functions on your behalf that involve PHI. Common examples in an allied-health practice:
| Vendor category | Examples |
|---|---|
| EHR / practice management | Jane App, ChARM, SimplePractice |
| Medical billing service | Third-party billers, claims clearinghouses |
| Cloud storage | Google Workspace Healthcare, Microsoft 365 |
| Video platform | Doxy.me, Zoom for Healthcare |
| Transcription service | Any service that processes clinical notes |
| IT / managed services | Any provider with access to systems containing ePHI |
Under HHS rules on business associates, you must have a signed Business Associate Agreement (BAA) with each vendor before transmitting any PHI to them. The BAA is not optional fine print — operating without one while a vendor handles your PHI is itself a HIPAA violation, even if no breach ever occurs.
HHS provides sample BAA provisions you can use as a starting framework. Most HIPAA-compliant vendors offer a pre-drafted BAA; sign theirs or negotiate your own. Keep signed copies accessible.
The Security Rule: What Your Practice Actually Needs
The HIPAA Security Rule requires three categories of safeguards. Specifications are either “required” (must implement) or “addressable” (must implement or document an equivalent alternative in writing).
Administrative Safeguards
These are the policies that govern how your workforce handles ePHI:
- Written security risk analysis. You must identify where ePHI lives in your systems, what threats exist, and how you are mitigating them. This is the single most commonly cited missing item in HHS compliance audits. Do it before you see your first patient and update it when your systems change.
- Workforce training. Document that every staff member with access to ePHI has received HIPAA security training.
- Access management. Assign minimum necessary access — front-desk staff should not have access to clinical notes unless their role requires it.
- Incident response procedures. Written procedures for identifying, responding to, and documenting security incidents.
Physical Safeguards
Controls over the physical spaces and devices where ePHI is accessed:
- Position workstation screens so they are not visible from waiting areas or public areas.
- Lock workstations when unattended.
- Encrypt any portable devices (laptops, tablets) that leave the office or store ePHI.
- Restrict physical access to servers, network equipment, and back-office systems.
Technical Safeguards
Controls built into the systems themselves:
- Unique user IDs. Every staff member must have their own login. Shared credentials violate the Security Rule.
- Audit controls. Your EHR should log who accessed which records and when.
- Transmission security. ePHI sent over a network must be encrypted. Standard unencrypted email does not meet this standard. Use a HIPAA-compliant messaging tool or your EHR’s secure portal.
- Automatic log-off. Systems should time out after a defined period of inactivity.
A practical benefit of encryption: PHI that is encrypted in accordance with NIST standards is not considered “unsecured” under the Breach Notification Rule. An encrypted device that is stolen does not trigger breach notification if the encryption key was not also compromised.
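The administrative and technical safeguards above (minimum-necessary access, unique user IDs, audit controls, automatic log-off) map directly onto a small access-control layer. The following is an added Python illustration, not code from this guide or from any EHR product: the roles, record types, user names, the 15-minute idle timeout and the scenario in `demo()` are all constructed for the example. It shows why shared logins defeat audit controls (every audit entry names one person) and how an idle session is closed rather than silently resumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role -> record-type map expressing "minimum necessary" access.
# Roles and record types are hypothetical, not taken from any EHR product.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "scheduling", "billing"},
    "biller": {"demographics", "billing"},
    "clinician": {"demographics", "scheduling", "clinical_notes", "billing"},
}

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic log-off period


@dataclass
class Session:
    user_id: str
    last_activity: datetime
    active: bool = True


@dataclass
class AuditEntry:
    timestamp: datetime
    user_id: str
    patient_id: str
    record_type: str
    outcome: str  # allowed | denied_role | denied_session_expired | denied_unknown_session


class EhrAccessControl:
    """Toy access-control layer: unique user IDs, role-based minimum-necessary
    access, an append-only audit trail, and idle-session log-off."""

    def __init__(self, users: dict):
        # users maps a unique user ID to a role. There are no shared accounts:
        # every audit entry must name an individual.
        self.users = users
        self.sessions = {}
        self.audit_log = []
        self._next_session = 0

    def open_session(self, user_id: str, now: datetime) -> str:
        if user_id not in self.users:
            raise KeyError(f"unknown user {user_id!r}")
        self._next_session += 1
        sid = f"s{self._next_session}"
        self.sessions[sid] = Session(user_id=user_id, last_activity=now)
        return sid

    def read_record(self, session_id: str, patient_id: str, record_type: str, now: datetime) -> bool:
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            self._audit(now, "?", patient_id, record_type, "denied_unknown_session")
            return False
        # Automatic log-off: an idle session is closed, not silently resumed.
        if now - session.last_activity > IDLE_TIMEOUT:
            session.active = False
            self._audit(now, session.user_id, patient_id, record_type, "denied_session_expired")
            return False
        session.last_activity = now
        role = self.users[session.user_id]
        if record_type not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(now, session.user_id, patient_id, record_type, "denied_role")
            return False
        self._audit(now, session.user_id, patient_id, record_type, "allowed")
        return True

    def _audit(self, now, user_id, patient_id, record_type, outcome):
        # Every attempt is logged, denials included: who touched which record and when.
        self.audit_log.append(AuditEntry(now, user_id, patient_id, record_type, outcome))

    def accesses_for_patient(self, patient_id: str) -> list:
        """All audit entries for one patient, the raw material for an access review."""
        return [e for e in self.audit_log if e.patient_id == patient_id]


def demo() -> list:
    """Constructed scenario: returns the audit outcomes in order."""
    t0 = datetime(2026, 3, 2, 9, 0, 0)
    ehr = EhrAccessControl({"jdoe": "front_desk", "drlee": "clinician"})
    desk = ehr.open_session("jdoe", t0)
    doc = ehr.open_session("drlee", t0)
    ehr.read_record(desk, "P-001", "scheduling", t0 + timedelta(minutes=1))      # allowed
    ehr.read_record(desk, "P-001", "clinical_notes", t0 + timedelta(minutes=2))  # denied_role
    ehr.read_record(doc, "P-001", "clinical_notes", t0 + timedelta(minutes=3))   # allowed
    ehr.read_record(doc, "P-001", "clinical_notes", t0 + timedelta(minutes=20))  # expired: 17 min idle
    return [e.outcome for e in ehr.audit_log]


if __name__ == "__main__":
    print(demo())
```

Denied attempts are logged on purpose: a front-desk login repeatedly trying to open clinical notes is exactly the pattern an access review should surface, and a log that records only successes cannot show it.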
Patient Rights You Must Be Ready to Honor
The Privacy Rule grants patients specific rights that your practice must be operationally prepared to fulfill before you see patients.
Right of access. Patients may request copies of their records. You generally have 30 days to fulfill the request (with one 30-day extension) and cannot charge fees beyond the actual cost of reproduction. If you maintain the records electronically and the patient asks for an electronic copy, you must provide one. See HHS guidance on the right of access.
Right to amend. Patients may request corrections to records they believe are inaccurate. You may deny the request if the record was accurate or was not created by you, but you must document the denial and allow the patient to submit a written disagreement.
Right to an accounting of disclosures. Patients may request a list of instances where you shared their PHI for purposes other than treatment, payment, or operations, covering the preceding six years.
Right to request restrictions. You are not required to agree to every restriction request — except one: if a patient asks you not to share information with a health plan for services they paid for entirely out of pocket, you must comply.
Breach Notification
If unsecured PHI is accessed, used, or disclosed without authorization, the Breach Notification Rule sets specific deadlines:
- Notification to individuals: without unreasonable delay and no later than 60 days after discovery, by first-class mail, or by electronic notice if the patient has agreed to electronic communications.
- Notification to HHS: Breaches affecting 500 or more individuals in a state must be reported to HHS simultaneously with individual notice and require notification to prominent media outlets in the affected state. Breaches affecting fewer than 500 individuals may be logged and submitted to HHS annually through the HHS breach reporting portal.
The reason encryption matters beyond Security Rule compliance: encrypted PHI is exempt from breach notification. A stolen encrypted laptop does not trigger the reporting requirement if the key was not compromised.
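The breach decision tree in this section (is the PHI "unsecured"? how many people? which deadline?) is small enough to write down as code so it can be checked against an incident rather than remembered under pressure. This is an added Python example, not part of the guide: the `Incident` fields are constructed, and the single `individuals_affected` count simplifies the rule's per-state media provision. The annual-log due date (60 days after the end of the calendar year of discovery) comes from 45 CFR 164.408(c) and is not stated in the guide itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INDIVIDUAL_NOTICE_DEADLINE = timedelta(days=60)  # no later than 60 days from discovery
LARGE_BREACH_THRESHOLD = 500                     # 500 or more individuals


@dataclass
class Incident:
    discovered: date
    individuals_affected: int
    phi_encrypted: bool     # encrypted to NIST standards (e.g. full-disk encryption on a laptop)
    key_compromised: bool   # was the decryption key / passphrase also exposed?


@dataclass
class NotificationPlan:
    notification_required: bool
    individual_notice_by: Optional[date]
    hhs_notice: str                 # "none" | "simultaneous_with_individual_notice" | "annual_log"
    media_notice_required: bool
    annual_log_due: Optional[date]


def is_unsecured_phi(inc: Incident) -> bool:
    """Encrypted PHI counts as 'secured' only while the key itself stays uncompromised."""
    return not (inc.phi_encrypted and not inc.key_compromised)


def triage(inc: Incident) -> NotificationPlan:
    """Map an incident to the notification obligations described in the Breach Notification Rule."""
    if not is_unsecured_phi(inc):
        # Secured PHI (stolen encrypted laptop, key not exposed): no breach notification,
        # but still record and work the incident under your written incident procedures.
        return NotificationPlan(False, None, "none", False, None)

    individual_by = inc.discovered + INDIVIDUAL_NOTICE_DEADLINE

    if inc.individuals_affected >= LARGE_BREACH_THRESHOLD:
        # Large breach: HHS notified at the same time as individuals, plus media notice.
        # (The media provision is per state of residence; this example uses one total count.)
        return NotificationPlan(True, individual_by, "simultaneous_with_individual_notice", True, None)

    # Fewer than 500: individuals still get notice within 60 days; HHS gets the annual log,
    # due no later than 60 days after the end of the calendar year of discovery (45 CFR 164.408(c)).
    year_end = date(inc.discovered.year, 12, 31)
    return NotificationPlan(True, individual_by, "annual_log", False, year_end + timedelta(days=60))


if __name__ == "__main__":
    # Constructed incidents, not real events.
    stolen_encrypted = Incident(date(2026, 3, 10), 40, phi_encrypted=True, key_compromised=False)
    stolen_with_key = Incident(date(2026, 3, 10), 40, phi_encrypted=True, key_compromised=True)
    mailing_error = Incident(date(2026, 3, 10), 600, phi_encrypted=False, key_compromised=False)
    for inc in (stolen_encrypted, stolen_with_key, mailing_error):
        print(triage(inc))
```

The `key_compromised` flag is the edge case worth keeping in front of you: a laptop stolen together with its password on a sticky note is not a secured-PHI incident, whatever the disk encryption status says.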
What to Have in Place Before Your First Patient
| Document or control | Obligation addressed |
|---|---|
| Notice of Privacy Practices + acknowledgment form | Privacy Rule |
| Business Associate Agreements with all vendors | Privacy and Security Rules |
| Written security risk analysis | Security Rule — administrative safeguard |
| Workforce training records | Security Rule — administrative safeguard |
| Incident response and breach response procedures | Breach Notification Rule |
| Access control policies (unique logins, minimum necessary) | Security Rule — technical safeguard |
For the complete document set your practice needs at opening — intake forms, consent forms, financial policies, and HIPAA forms together — see The Documents Every New Optometry Practice Needs. For the full practice startup sequence, see How to Start a Solo Optometry Practice.
Frequently Asked Questions
What happens if I operate without a BAA?
Operating without a BAA while a vendor handles your PHI is a standalone HIPAA violation — reportable if discovered and subject to civil money penalties even if no breach occurred. HHS enforcement actions document settlements ranging from thousands to millions of dollars, many triggered by missing BAAs rather than a data event.
Does HIPAA apply to paper records?
Paper PHI is covered by the Privacy Rule but not the Security Rule (which applies only to ePHI). You must still control access to paper records, dispose of them properly (cross-cut shredding), and include them in your privacy and breach assessment processes.
How often do I need to update my Notice of Privacy Practices?
Update the NPP any time you make a material change to your privacy practices. Provide patients with a copy of the revised version — or post notice of the change and direct them where to get a copy — and document the update. The February 2026 SUD language update is the most recent required change.
Can I use personal email to send records to a patient?
Only if the patient specifically requests it and you document that you informed them of the security risk. The safer and legally cleaner path is a HIPAA-compliant portal or secure messaging tool. Standard consumer email without a BAA and transport encryption does not meet the Security Rule’s transmission security requirement.
Disclaimer: Folio publishes general information about the operational and administrative side of running a private practice. It is not legal, medical, clinical, tax, or compliance advice, and it does not create a professional relationship. Rules vary by state, payer, and profession and change over time. Verify requirements with the primary sources cited, your licensing board, and your own qualified advisors before acting.