Whey they sign up for Sightbox, our members designate Sightbox as an authorized treatment provider as covered under the FTC's Contact Lens Rule, which requires practices to treat Sightbox requests for prescriptions and payment the same way they would treat a patient request.
HIPAA compliance does not apply to the release and verification of contact lens prescriptions. From the guide for Complying with the Contact Lens Rule:
The Contact Lens Rule says prescribers must provide or verify contact lens prescription information “as directed” by a third party designated by a patient. But according to HIPAA (Health Insurance Portability and Accountability Act of 1996), don’t I have to get written authorization from a patient before providing or verifying his contact lens prescription to a seller
No. HIPAA permits covered entities to use or disclose protected health information without patient authorization if the use or disclosure is for “treatment” or “required by law.” Providing, confirming, correcting, or verifying a contact lens prescription to a seller designated by the patient constitutes treatment or is required by the Act and the Rule.
If you'd like more information or have any questions, please reach out! We love to chat with practices—firstname.lastname@example.org.
See also: Does HIPAA compliance apply to Sightbox?