5620 W. University Dr., Prosper, TX 75078 | (972) 347-0973 | Located Next to Costco
HIPAA Privacy Policy / Notice of Privacy Practices
Effective Date: 12/2020
Last Updated: 12/2025
1. Purpose & Scope
We at Eye Care Prosper recognize the sensitive nature of health and personal information. This Privacy Policy describes how we collect, maintain, use, and disclose Protected Health Information (“PHI”) in compliance with HIPAA. It applies to all individuals whose PHI we handle, including patients, clients, or users whose data we collect, store, or process.
2. Definitions
- Protected Health Information (PHI): Individually identifiable health information, including but not limited to names; geographic data more specific than state; precise dates related to health events (admission, discharge, birth date, etc.); and other identifiers, when maintained together with health or payment information.
- Covered Entity / Business Associate: As defined under HIPAA — i.e., health care providers, health plans, clearinghouses, and any third-party vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
3. Uses and Disclosures of PHI
3.1 Permitted Uses Without Authorization
We may use or disclose PHI without your prior written authorization in the following cases:
- For treatment, payment, and healthcare operations.
- To comply with legal requirements (e.g., court orders, law enforcement subpoenas, public-health mandates) when required by law.
- For disclosures “incident to” any otherwise permitted use or disclosure.
3.2 Uses Requiring Patient Authorization
Any other uses or disclosures of PHI not described above - for example, for marketing not related to treatment, payment, or operations; fundraising; research; or other non-routine purposes - will require your prior written authorization.
3.3 Minimum Necessary Standard
When using or disclosing PHI, we will make reasonable efforts to limit the information disclosed to the minimum necessary to accomplish the intended purpose, consistent with our role and the request.
4. Your Rights Regarding Your PHI
You have the following rights under HIPAA with respect to your PHI:
- Right to access: You may request to inspect and obtain a copy of your PHI in a designated record set, including an electronic copy if maintained electronically.
- Right to request amendment: You may ask us to correct or amend PHI you believe is incorrect or incomplete; we will respond per HIPAA rules.
- Right to an accounting of disclosures: You may request a list of certain disclosures of your PHI made by us in the preceding six years (or other period as required by law), excluding certain permitted disclosures.
- Right to request restrictions: You may request that we restrict certain uses or disclosures of your PHI (for example, to restrict disclosure to your health plan for services you paid for out-of-pocket). We will consider such requests, but in certain cases are not required to agree. If we do agree, we will follow the restriction except in emergencies.
- Right to request alternative communications: You may request that we communicate with you at an alternate address or via alternate means (e.g., by mail instead of phone) to enhance privacy.
- Right to be notified of breach: You will be notified if there is any unauthorized access, use, or disclosure of your unsecured PHI, as required under HIPAA breach-notification rules.
- Right to lodge a complaint: You may file a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) if you believe your rights under HIPAA have been violated.
5. Our Obligations
- We are required by law to maintain the privacy of PHI and to provide this Notice of Privacy Practices.
- We must abide by the terms of this Policy unless we notify you (in writing) of a change and you indicate otherwise.
- We will implement administrative, physical, and technical safeguards to protect PHI - including secure storage, access controls, encryption (for ePHI), and staff training.
- We will document our policies and procedures - including how PHI is accessed, used, disclosed, and protected - and retain documentation for at least six years from the date last in effect.
6. Security & Data Handling Practices
We maintain strict safeguards to protect PHI from unauthorized access, use, or disclosure:
- Technical safeguards: Use of secure transmission (e.g., TLS/HTTPS), encryption of ePHI at rest, access controls, secure authentication, and other appropriate cybersecurity measures, consistent with HIPAA Security Rule requirements.
- Physical safeguards: Secure storage for physical records (locked cabinets, restricted access areas), secure disposal of PHI when no longer needed, and facility access controls.
- Administrative safeguards: Appointment of a Privacy Officer, workforce training on HIPAA compliance, policies and procedures for handling PHI, workforce sanctions for violations, and processes for responding to complaints or potential breaches.
7. Business Associates and Third-Party Vendors
When we engage any third-party vendors, subcontractors, or partners (“Business Associates”) who will create, receive, maintain, or transmit PHI on our behalf (e.g., web hosting, analytics, telehealth vendors, messaging services), we will enter into a formal Business Associate Agreement (BAA) that requires them to protect PHI in accordance with HIPAA standards.
8. Changes to Our Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will post the revised policy on our website with an updated “Effective Date” and “Last Updated” date. We will also notify individuals affected as required under HIPAA and applicable law.
9. Contact Information & Complaints
If you have questions about this Privacy Policy, want to request access, correction, or restriction, or wish to lodge a complaint, please contact:
Privacy Officer
Address: 5620 W. University Dr., Prosper, TX 75078
Phone: 972.346.6135
Email: help@eyecareprosper.com
If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
Notes / Observations Regarding Use with External Services (e.g. Messaging, Campaigns)
- While the policy above describes how PHI is treated internally or using services under Business Associate Agreements, any external communication platforms or marketing-type messaging services (e.g., texting, bulk message campaigns) must be carefully assessed. If such services will process PHI or identifiable health data, they must be HIPAA-compliant and covered by a BAA.
- If your service only sends general notifications or non-health-specific messages (no PHI included), HIPAA may not apply — but you should still be transparent about what data is being handled, and clearly communicate to users the type of information that will be shared.