HIPAA compliance does not apply to the release and verification of contact lens prescriptions. Please see the statement below copied exactly from the guide for Complying with the Contact Lens Rule from the ftc.gov website.
The Contact Lens Rule says prescribers must provide or verify contact lens prescription information “as directed” by a third party designated by a patient. But according to HIPAA (Health Insurance Portability and Accountability Act of 1996), don’t I have to get written authorization from a patient before providing or verifying his contact lens prescription to a seller?
No. HIPAA permits covered entities to use or disclose protected health information without patient authorization if the use or disclosure is for “treatment” or “required by law.” Providing, confirming, correcting, or verifying a contact lens prescription to a seller designated by the patient constitutes treatment or is required by the Act and the Rule.
If you would like more information or have a specific question, please email our team at firstname.lastname@example.org.