Thank you for that answer. I'm going to try to re-formulate my question as accurately and uncluttered as possible and, if you would, please address:

WEBSITE:
I've not created the website [yet]. But the practice that needs the website to sell the contact lenses is in New Orleans, Louisiana. The contact lenses will be sold online within the US only. I've spoken to a company that handles HIPAA-compliant forms and emails and the best part - they'll sign the BAA (Business Associate Agreement). But they don't handle ecommerce.

ONLINE PURCHASE SCENARIO:
1. Online visitor browses and picks the contact lenses to purchase.
2. Visitor chooses brand of contact lenses and number of boxes per eye.
3. Visitor chooses the options as per their prescription (power, cylinder, axis, etc.).
4. Visitor fills form for personal information: (name, email, phone number, physical address for delivery)
5. Visitor fills form for prescription verification: (patient's name, name of the doc/clinic, clinic's address, clinic's phone, patient's DOB)
6. Makes payment online.
7. Doctor's practice receives a notification that an order has been placed.
8. Doctor's practice verifies whether the prescription was issued at their practice or some other practice.
9. Open: either buyer picks up the contact lenses or lenses get shipped by practice or even blind shipped.

Please advise, is the scenario above under HIPAA? I ask because that's exactly how the company above (link provided for WebEyeCare) and a LOT of other websites do it. Since the practice handles the verification of the actual prescription, does that mean that #3, #4 and #5 in the scenario above are not covered by HIPAA and therefore a normal ecommerce transaction?

IDENTIFIERS:
I'm just a bit confused since (as I humbly understand it), when it boils down to it, HIPAA doesn't care if a website asks the "normal" questions online: name, phone, address, etc. But it DOES CARE if any of those [identifiers] are in addition or correlation to any medical (ePHI) info.
As per HHS:
So, in this case I'm a bit confused about the contact lenses being labeled as medical devices requiring a prescription.
Here's a website to illustrate what I mean about the information on the contact lenses needed to make the sale:
http://www.webeyecare.com/ProductDetails.asp?ProductCode=2375

So since the contact lenses are categorized as medical, I'm assuming the prescription (i.e. the power, cylinder, axis, bc and diameter) would fall under HIPAA as ePHI. Here's a link as a reference:
http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/HomeHealthandConsumer/ConsumerProducts/ContactLenses/ucm270953.htm

VALID PRESCRIPTION/8 HOUR RULE:
Now, I did find out that in order to be able to process online orders the buyer must provide the seller a valid (not expired) prescription and the seller has 8 business hours to verify that. The following page explains (in particular "FOR SELLERS"):
The bottom line here is if there are fields in the form to omit to avoid being under HIPAA, that is the best solution. My goal is to avoid (if at all possible) signing a BAA and dealing with the liabilities of a third party handling ePHI in any way. From what you responded and what I explain above, would you still suggest it does not fall under HIPAA?

Thank you in advance, I look forward to your response.