Dr. Rick, Board Certified MD
Experience:  Ophthalmology since 1994 with Retina sub-specialty interest

Does a website need to follow HIPAA to sell contact lenses?

Customer Question

Does a website need to follow HIPAA to sell contact lenses? What are the limits? I would like to create a website for an eye doctor's practice and they would like to sell their contact lenses online, but I'm concerned about HIPAA, if at all. I've seen many websites that sell contact lenses but don't seem to follow HIPAA. That doesn't mean that they shouldn't, does it?
Submitted: 2 years ago.
Category: Eye
Expert:  Dr. Rick replied 2 years ago.
Hi. My name is ***** and I am online and available to help you today. Thank you for your patience.
Question and answer is just one of the services I offer. I can also provide you with additional services, such as live telephone or skype consultation, at a small additional cost. Let me know if you are interested.
What have you done so far in creating this website?
Would it be worldwide or limited to the USA only?
This is not an answer, but an Information Request. I need this information to answer your question. Please reply, so I can answer your question. I look forward to helping you.
Expert:  Dr. Rick replied 2 years ago.
If you are dealing with patient data you will probably have to follow all the HIPAA rules.
Does this make sense to you?
Don't forget to mash the positive feedback button for me...the one labeled "excellent" is the most fun to push by far ;)
It's safe for you to press the positive feedback button now if you so desire. And, never fear, even after you press that button I don't go up in a puff of smoke -- I'll still be right here to continue helping you, but, as I do work for tips, I want to make sure you are happy before rating me.
Dr. Rick MD FACS
Customer: replied 2 years ago.
Thank you for that answer. I'm going to try to re-formulate my question as accurately and uncluttered as possible and, if you would, please address:

WEBSITE:
I've not created the website [yet]. But the practice that needs the website to sell the contact lenses is in New Orleans, Louisiana. The contact lenses will be sold online within the US only. I've spoken to a company that handles HIPAA-compliant forms and emails and the best part - they'll sign the BAA (Business Associate Agreement). But they don't handle ecommerce.

ONLINE PURCHASE SCENARIO:
1. Online visitor browses and picks the contact lenses to purchase.
2. Visitor chooses brand of contact lenses and number of boxes per eye.
3. Visitor chooses the options as per their prescription (power, cylinder, axis, etc.).
4. Visitor fills form for personal information: (name, email, phone number, physical address for delivery)
5. Visitor fills form for prescription verification: (patient's name of the doc/clinic, clinic's address, clinic's phone, patient's DOB)
6. Makes payment online.
7. Doctor's practice receives a notification that an order has been placed.
8. Doctor's practice verifies whether the prescription was issued at their practice or some other practice.
9. Open: either the buyer picks up the contacts or the lenses get shipped by the practice or even blind shipped.

Please advise, is the scenario above under HIPAA? I ask because that's exactly how the company above (link provided for WebEyeCare) and a LOT of other websites do it.

Since the practice handles the verification of the actual prescription, does that mean that #3, #4 and #5 in the scenario above are not covered by HIPAA and therefore a normal ecommerce transaction?

IDENTIFIERS:
I'm just a bit confused since (as I humbly understand it), when it boils down to it HIPAA doesn't care if a website asks the "normal" questions online: name, phone, address, etc. But, it DOES CARE if any of those [identifiers] are in addition or correlation to any medical (ePHI) info.
As per HHS:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html#protected

MEDICAL DEVICES:
So, in this case I'm a bit confused about the contact lenses being labeled as medical devices requiring a prescription.
Here's a website to illustrate what I mean about the information about the contact lenses needed to make the sale:
http://www.webeyecare.com/ProductDetails.asp?ProductCode=2375
So since the contact lenses are categorized as medical, I'm assuming the prescription (i.e. the power, cylinder, axis, bc and diameter) would fall under HIPAA as ePHI. Here's a link as a reference:
http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/HomeHealthandConsumer/ConsumerProducts/ContactLenses/ucm270953.htm

VALID PRESCRIPTION/8 HOUR RULE:
Now, I did find out that in order to be able to process online orders the buyer must provide the seller a valid (not expired) prescription and the seller has 8 business hours to verify that. The following page explains (in particular "FOR SELLERS"):
https://www.ftc.gov/tips-advice/business-center/guidance/contact-lens-rule-guide-prescribers-sellers

BOTTOM LINE:
The bottom line here is, if there are fields in the form to omit to avoid being under HIPAA, that is the best solution. My goal is to avoid (if at all possible) signing a BAA and dealing with the liabilities of a third party handling ePHI in any way. From what you responded and what I explain above, would you still suggest it as not falling under HIPAA?

Thank you in advance, I look forward to your response.
Customer: replied 2 years ago.
ADDITIONAL THOUGHTS:
As for what you mentioned, if I'm dealing with patient data... that's the magic question. In the scenario above, those are the fields that would go in the website to make a sale.
Expert:  Dr. Rick replied 2 years ago.
Based on what you have posted, and since you have medical information (Rx data), you would have to follow HIPAA, just as I stated previously.
You have no choice but to follow HIPAA rules.
Don't forget to mash the positive (excellent is the most fun to push) feedback button.....without this important step on your part the funds you left on deposit are not released and my kids will spend another cold winter barefoot ;)
Dr. Rick MD FACS
Customer: replied 2 years ago.
which part?