HIPAA compliance does not apply to the release and verification of contact lens prescriptions. Despite this, we take privacy and compliance very seriously and support your practice in abiding by HIPAA.
From the guide for Complying with the Contact Lens Rule from the ftc.gov website:
The Contact Lens Rule says prescribers must provide or verify contact lens prescription information “as directed” by a third party designated by a patient. But according to HIPAA (Health Insurance Portability and Accountability Act of 1996), don’t I have to get written authorization from a patient before providing or verifying his contact lens prescription to a seller?
No. HIPAA permits covered entities to use or disclose protected health information without patient authorization if the use or disclosure is for “treatment” or “required by law.” Providing, confirming, correcting, or verifying a contact lens prescription to a seller designated by the patient constitutes treatment or is required by the Act and the Rule.
If you'd like more information or have any questions, please reach out! We love to chat with practices—firstname.lastname@example.org.