HIPAA Compliance for Optometry & Eye Care Practices
Eye care sits at an unusual intersection of clinical medicine and retail, and that combination shapes its HIPAA risk in ways a general medical office never faces. An optometry or ophthalmology practice runs a clinical operation — exams, diagnoses, electronic claims — that makes it a covered entity, while simultaneously running an optical dispensary that sells frames, lenses, and contacts. Knowing which data is protected health information (PHI) and which is ordinary retail data is the first compliance challenge.
The clinical side is also unusually imaging-heavy. Modern eye care generates a continuous stream of diagnostic images and measurements — retinal photographs, OCT scans, visual field tests, corneal topography, and fundus images — each tied to a patient and therefore electronic PHI (ePHI). These devices often store images locally and sync to an EHR or image-management system, and those interfaces and storage points are among the most commonly overlooked items when a practice evaluates its security.
The retail and clinical blend complicates compliance
The optical dispensary complicates the picture. A prescription is PHI; a customer’s frame-style preference, on its own, may not be. But the two routinely mingle in the same practice-management system, so the safest approach is to protect the entire system as if it holds PHI rather than trying to carve out the retail data. Point-of-sale terminals, online ordering portals, and loyalty programs all deserve scrutiny.
Eye care practices also tend to have busy, open front offices and multiple exam and pretest lanes, which raises the risk of incidental disclosures — names called out in a crowded waiting room, or screens visible at the pretest station. Reasonable safeguards such as repositioning monitors and using privacy filters are expected under HIPAA.
Start with a Security Risk Analysis
Every covered eye care practice must complete a Security Risk Analysis (SRA) under 45 CFR § 164.308(a)(1)(ii)(A). For optometry, a thorough SRA must explicitly map every imaging device and its data path — not just the EHR and billing system — because diagnostic imaging is where eye care’s ePHI concentrates and where coverage gaps most often hide. The SRA is a living document the HHS Office for Civil Rights expects you to revisit as you add equipment or change vendors.
The proposed 2026 Security Rule update
In December 2024, HHS published a Notice of Proposed Rulemaking (NPRM) that would tighten the HIPAA Security Rule — making currently “addressable” safeguards such as encryption and multi-factor authentication effectively mandatory and requiring more rigorous, regularly updated risk analyses. The proposal is not final. If finalized as written, organizations would have a 240-day compliance window after publication. Treat it as the direction of travel, not a present obligation.
How Medcurity helps
Medcurity gives optometry and eye care practices a guided way to complete and maintain the Security Risk Analysis — mapping every imaging device, documenting safeguards, and keeping everything audit-ready — for $499/year (about $42/month). Larger groups and multi-location practices can request a quote. For related guidance, see our notes on HIPAA compliance for imaging centers and our HIPAA compliance checklist.
Frequently asked questions
Are retinal photographs and OCT scans considered PHI?
Yes. Diagnostic images such as retinal photos, OCT scans, visual fields, and corneal topography are electronic protected health information, and the devices and systems that store them must be included in your Security Risk Analysis.
Does HIPAA cover the optical and eyewear retail side of the practice?
Retail data on its own may not be PHI, but because frame and contact-lens orders routinely mix with clinical records in the same practice-management system, the safest approach is to protect the whole system as if it holds PHI.
Is a small or solo optometry practice too small for HIPAA?
No. There is no small-practice exemption. If you bill electronically you are a covered entity and must comply regardless of size.
What is the most commonly overlooked risk in eye care?
Diagnostic imaging devices and their storage and sync paths. They concentrate ePHI and are frequently left out of the Security Risk Analysis, leaving a major gap.