HIPAA Training for Optometrists

OCT scans, contact lens records, fundus photos - all PHI. Is your eye care team trained?

Your practice generates more patient imaging data per visit than most primary care offices. Diagnostic images, contact lens prescriptions, and billing records move between your practice, labs, insurance, and specialty vendors every day. EZBunny covers the HIPAA scenarios your optometry team actually faces.

Start 14-day free trial

HIPAA is the federal law that protects patient health information. It requires you to train every workforce member who touches PHI; annual refresher training is the industry standard.

Breaches affecting 500+ individuals are posted on the HHS Breach Portal (the "Wall of Shame"), a permanent public record. A trained team is your best defense against ending up there.

And it gets stricter. States like California (CMIA) and Texas (HB 300) impose penalties beyond federal HIPAA. Your team needs to meet the highest standard.

Step 1: Sign up
Step 2: Invite team
Step 3: Done by lunch

25+ courses your optometry team actually needs

Beyond HIPAA, your team needs OSHA safety training, infection control, mandatory reporting, and state-specific compliance. EZBunny covers it all in one subscription.

Browse All Courses →

What keeps optometrists up at night

The Risk: Diagnostic imaging sent without encryption

OCT images, fundus photographs, and visual field results sent via standard email or unencrypted file transfer to a referring physician or specialist. Sharing them with another provider for treatment is permitted; sending them over a channel you don't control is the problem. A misdirected or intercepted message is a reportable breach and can trigger an HHS investigation.

How EZBunny Helps: 30 minutes, done between patients

Audio-narrated lessons with quick knowledge checks. Your optometrists, technicians, and front desk staff finish during a lunch break. No full-day seminar needed.

The Risk: Frame and lens vendors as unmanaged BAs

Your optical lab and online contact lens vendor receive patient prescriptions. If those orders include patient names and Rx details, those vendors are Business Associates under HIPAA - and need BAAs.

How EZBunny Helps: See who's trained before the auditor asks

One dashboard shows every team member's status. Who finished, who's overdue, who just started. Export a compliance report for your state optometry board in two clicks.

The Risk: Front desk sharing contact Rx by text

A patient texts asking for their contact lens prescription. Your staff texts back a photo of the Rx. That's PHI in an unencrypted message thread, on personal phones, outside your practice systems, where you can't audit it, retrieve it, or delete it.

How EZBunny Helps: New technician? Already reminded

EZBunny sends training reminders automatically. When you hire someone, they get an invite. When a certificate's about to expire, they get a nudge. You don't chase anyone.

The Risk: No HIPAA officer and small staff

You're running an optometry practice, not a compliance department. But a 4-person practice faces the same HIPAA rules as a hospital, including the requirement to designate a privacy officer and a security officer, even if that's the owner wearing both hats. And state boards are auditing optometrists directly.

How EZBunny Helps: Certificates that hold up to scrutiny

Each certificate has a unique ID and public verification link. When your state optometry board or insurance auditor asks for proof, you've got it.

One flat price. Every optometrist, technician, and front desk person included

No per-seat charges. No hidden fees. Cancel anytime.

Example for a team of 10:
Typical per-seat training: $350/yr per person ($3,500/yr for 10)
EZBunny: $449/yr flat
Your cost per person: $44.90/person/yr
You save: $3,051/yr at this team size

Start 14-day free trial

Beyond HIPAA: Complete Training for Eye Care Practices

HIPAA is just the start. Here's what optometry teams also need.

OSHA Safety (Required)

Optometrists and ophthalmic technicians have occupational exposure to bloodborne pathogens from contact lens handling, eye procedures, and instrument reprocessing. Required: Bloodborne Pathogens and OSHA General Safety. These are separate OSHA requirements independent of HIPAA.

Infection Control

Instrument reprocessing (slit lamps, tonometer heads, trial contact lenses) requires proper infection control protocols. In New York, optometrists are specifically named under PHL Section 239 and must complete infection control training every 4 years. This is separate from OSHA bloodborne pathogen requirements.

Mandatory Reporting (Required)

Most states require optometrists to report suspected abuse, with requirements varying by state. Eye examinations can reveal signs of systemic conditions, domestic violence, and child abuse. Your team must know their reporting obligations - failure to report is a criminal offense in most jurisdictions.

Sexual Harassment Prevention (Required)

Harassment prevention is an employer obligation under Title VII (employers with 15 or more employees), and training is how employers demonstrate it. California (every two years), New York (annually), and Illinois (annually) mandate training for all employees. Many optometry practices have staff in more than one state, so the strictest applicable requirement governs.

Cybersecurity Awareness

Eye care practices use imaging systems, electronic health records, and contact lens ordering portals, and each login is a potential entry point for phishing and credential theft. Cybersecurity awareness training helps staff recognize attempts to compromise patient data and practice management systems before the attacker gets a foothold.

Business Associate Awareness

Your optical lab, EHR vendor, billing company, and contact lens distributors who receive patient-identifiable prescription data are Business Associates under HIPAA. Your staff needs to understand BA relationships and when BAAs are required before sharing patient information with third parties.

Training by Role

Different roles need different courses. Here's a breakdown for eye care teams.

Role | Core Courses | Additional
Optometrist / Ophthalmologist | HIPAA Privacy & Security, Bloodborne Pathogens, Mandatory Reporting, OSHA General Safety, Sexual Harassment Prevention | Infection Control; Medical Records
Optician | HIPAA Privacy & Security, Sexual Harassment Prevention, Business Associate Awareness | Infection Control if dispensing contact lenses
Ophthalmic Technician | HIPAA Privacy & Security, Bloodborne Pathogens, Infection Control, OSHA General Safety, Sexual Harassment Prevention | -
Front Desk / Receptionist | HIPAA Privacy & Security, Sexual Harassment Prevention, Business Associate Awareness | Phishing & Risk Analysis
Office Manager | HIPAA Privacy & Security, Medical Records, Sexual Harassment Prevention | Cybersecurity
Billing Coordinator | HIPAA Privacy & Security, Medical Records, Sexual Harassment Prevention | CMS FWA if billing Medicare/Medicaid

State-Specific Requirements

State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here.

  • If you operate in California: CMIA privacy training; cultural competency CE for licensed optometrists; workplace violence prevention (SB 553)
  • If you operate in Texas: HB 300 privacy training within 90 days of hire and at least every two years - Texas civil penalties can reach $1.5M per year
  • If you operate in Florida: HIV/AIDS training for applicable licensed practitioners per FL Statute 381.0034
  • If you operate in New York: Infection control every 4 years specifically required for optometrists (PHL Section 239 names optometrists by license type); sexual harassment prevention annually

Proposed changes to the HIPAA Security Rule (published as a proposed rule in January 2025; a final rule is expected in 2026) would make encryption of ePHI at rest and in transit and multifactor authentication mandatory rather than "addressable," which directly affects eye care practices that store diagnostic imaging.

Browse all 25+ courses →

Common HIPAA questions from eye care practices

Are retinal scans and OCT images PHI under HIPAA?

Yes. Retinal scans, OCT images, fundus photographs, and all diagnostic imaging from an eye exam are PHI under HIPAA: they are created in the course of care and linked to a specific patient. Store them in access-controlled systems, encrypted at rest wherever feasible (the current Security Rule lists encryption as an addressable specification; the proposed rule would make it required). If you use a cloud-based imaging platform, the vendor must sign a BAA. Sending images to a referring specialist is a permitted treatment disclosure and needs no BAA, but it still has to travel over an encrypted channel: unsecured email exposes the images to interception and misdirection, and a misdirected image is a reportable breach.

Do opticians need HIPAA training?

Yes - opticians who work in an optometry practice or optical shop attached to a covered entity handle PHI and must receive HIPAA training. Every workforce member who accesses prescriptions, contact lens orders, and patient records must be trained, regardless of whether they perform clinical functions. Opticians at standalone retail shops that file no insurance claims are generally outside HIPAA coverage, but those working in a medical or optometric practice are not.

What about frame and lens vendors - do optometrists need BAAs with them?

If your lab orders include patient names or identifiers, those vendors are Business Associates and need BAAs. Review your ordering workflow - if patient-identifiable information (name, prescription, Rx parameters) is transmitted to the lab or vendor, a BAA is required before sharing PHI. Vendors receiving only de-identified product orders are generally not BAs, but the threshold is low if patient names appear anywhere in the order.

Are contact lens prescriptions protected by HIPAA?

Yes. Contact lens prescriptions are part of the medical record and are PHI under HIPAA, and patients have the right to a copy. When sharing one with a contact lens retailer or online vendor at the patient's request, transmit only the minimum necessary information. Separately, the Fairness to Contact Lens Consumers Act (FCLCA) requires you to give the patient a copy of the prescription when the fitting is complete and to verify it to sellers the patient chooses; these FCLCA obligations complement, but do not replace, the patient's HIPAA right of access.

Get your whole practice covered

Setup takes about 5 minutes. Start your 14-day free trial now.

Start 14-day free trial

Regulatory Disclaimer

Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of March 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: March 2026.