Connect with us

Best of Eyecare

Oh, The Horror!




HIPAA compliance is the financial gamble that could ruin your business

 STORY BY Deirdre Carroll

It’s the 6,000-pound monster in the room. The boogieman under the bed. The thing in the mist … you don’t know what it is, or when it’s coming, but you know it’s out there. It will get you eventually but you have no idea what to do about it. Or maybe you think you’re prepared. Protected. You can handle it. Let’s dispel that myth right now. In this scenario, you’re the nubile young coed who decided to take a shower while a homicidal maniac is on the loose. In other words … you’re an easy target and HIPAA compliance is the axe-wielding lunatic coming to get you.

According to Matt DiBlasi, president of Abyde, a company that guides independent medical practices through the complexities of implementing HIPAA compliance programs, last year after the U.S. Department of Health & Human Services (HHS) — which oversees HIPAA compliance under the Office for Civil Rights (OCR) — did a first round audit of the program, they found that 83 percent of the covered entities audited did not have a complete risk assessment or analysis. A covered entity is any business dealing with protected health information — social security numbers, medical histories, and, yes, lens prescriptions, etc. So, that means you even if you don’t have an OD on site. And a risk analysis is considered just the first step in HIPAA compliance; without it you cannot consider yourself compliant. In fact, 94 percent audited in that first round didn’t have a risk analysis or any other part of the puzzle.

Terrifying when you consider that the minimum fine Abyde has ever seen was $25,000. And it should be noted that the amount of a fine is not determined by the size of the business, but the size of the breach and the steps you have taken in advance to protect patient information. 

Can your business survive a $25,000 fine?

While no specific stats for independent verticals within a heathcare field are currently available because HIPAA does not differentiate between covered entities — meaning your eyewear boutique or one doctor optometry practice is held to the same standard as a large urban hospital — we do know that independent practioners are behind.


“Everyone can agree with that,” says DiBlasi. “The stats we’ve seen are very eye opening.” He estimates that 90-95 percent of eyecare practices are non-compliant “but we don’t blame them. Most haven’t been educated properly so they don’t understand what their formal roles and responsibilities are when it comes to HIPAA.”

Abyde works with independent practices, regardless of specialty, but predominantly in the eyecare field, so we asked DiBlasi the three most common violations a smaller practice might see.




This includes hackers, viruses and phishing. Any outside person or entity with malicious intent that accesses a network or Practice Management/EMR software. “An OD practice needs to be aware of what remote theft is and how they can react to it,” says DiBlasi. “It’s the number one way criminals get access. Ransomware — someone takes ‘control’ of your IT network or data, locks it down, and you must pay to get access back. Even once you pay, you may still not get access. By that time, the damage is done. On top of that, there are PR ramifications and each individual who had their information stolen needs to be notified. If the breach affects more than 500 individuals, it’s even worse – media must be notified.” In April 2017, the HHS announced a $400,000 fine for an organization in Colorado after 3,200 records were compromised during a phishing attack. The organization was fined for failing to conduct a risk assessment and failing to properly implement documented policies and procedures to prevent, detect, contain, and correct security violations.




This includes accidental disclosure, accidental loss of a device, or theft of USB drives, hard drives, computers, tablets, and/or servers. Say an employee leaves their laptop somewhere or someone comes in and steals a computer. If there is protected health information on those devices they should be encrypted, including scanners or copiers with hard drives. “All information copied or scanned gets stored on internal hard drives and unless the hard drives get scrubbed periodically all patient information is exposed,” DiBlasi warns. To underscore the risk, an organization was fined $2.2M in January 2017 after a USB drive with 2,209 individuals’ complete names, dates of birth and Social Security Numbers was stolen from its IT department, where it was left without safeguards overnight. An investigation revealed the organization’s noncompliance with HIPAA rules, specifically a failure to conduct a risk analysis and implement risk management plans, as well as a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media. The organization was also cited for failing to implement or delaying implementing other corrective measures it said it would undertake. 



his includes what the practice is doing every day to protect patient information and what they are prepared to do should information be compromised. “There should be formal training,” says DiBlasi. “At minimum, formal training should be done once a year… By training employees on a regular basis, safeguarding patient’s sensitive information becomes ingrained in their everyday habits…  HIPAA education is lacking in the large majority of practices based on settlement statements from the OCR…  Most organizations who have been fined were not trained properly on how to handle patient health information. If trained properly, a risk assessments/analysis would have been conducted and thus immensely reduce their overall risk and eliminate or substantially reduce the fines incurred.” 


If that’s not enough to give you nightmares, fines imposed by the OCR have increased in the last three years. 2016 was a record year, with fines totaling $23.51M. As of May 2017, the OCR has levied $17.1M in fines, putting them on track to almost double what they did in 2016. It continues a trend; 2016 nearly doubled 2014 and 2015 combined. Additionally, the OCR is putting more resources into updating its websites and guidance materials stating it will focus more on small data breaches. DiBlasi says “criminals are focusing on the smaller businesses because they are sitting ducks.”

You are basically gambling with the financial health and longevity of your business if you are not actively implementing, and most importantly, documenting a formal HIPAA compliance program. To make it even scarier, though covered entity audits are selected at random, a disgruntled patient or employee can lodge a complaint that also instigates an investigation and audit. They are protected under the Whistleblower Act and eligible for a cash reward. 

Finally, DiBlasi leaves us with this: “We are all patients somewhere. I think we can agree that we all want our own doctors to implement security standards to protect our private information. By complying with the government regulations, not only will you protect your practice from audits but you will also be ensuring your valued patients are protected from those who have malicious intent.”




Most of the time violations are accidental breaches. Nonetheless, documenting that you have tried to be compliant by analyzing and mitigating risk, and by documenting policies and procedures, is a good faith gesture that could save your business. There is no ironclad way to assess that risk but here are a few pointers:

1 Perform a risk analysis. There is no formal template for ECPs, but the site offers a helpful 15-page document.

2 Document policy and procedures as they pertain to the accessibility or security of patient information specific to your organization. If generic policy and procedure templates are purchased or downloaded, be aware they must be edited and updated to accurately portray which safeguards your practice has implemented to keep protected information secure.

3 Implement business associate agreements. Any vendors or third party companies or individuals who may have access to private health information need to sign one stating they are HIPAA compliant. Examples of business associates include the IT company that does your maintenance or updates, and who could have access to information on your server, your file storage and disposal service, etc. When signed and executed properly, they protect both companies when there is a data breach. According to DiBlasi, this year a fine was levied on a seven-location practice because the company they contracted to store their physical records discarded them (without their notice) into an unlocked bin. A business associate agreement was not in place and the practice was fined $31,000.

4 Proof of HIPAA training and awareness for doctors and staff. Document completed written quizzes with a certificate of completion, which includes the name of the employee, the date it was given, and the name of the training.

Do it on a continual basis. Always be assessing your risk. Always be documenting what you are doing to mitigate that risk. Conduct training on a regular basis and ensure your business associate agreements are up to date. And remember, “risk assessment is an ongoing process that ultimately never ends,” says DiBlasi.

Lastly, bring in a third-party expert to help. Abyde itself is great resource and DiBlasi puts the cost in perspective: “It’s pennies on the dollar when you’re talking about fines.” Learn more at

This article originally appeared in the January 2018 edition of INVISION.

America's Finest

You’ll Be Amazed What This Minnesota Practice Did with 1,000 Sq. Ft.

Hint: A stunning optical, exam lane AND plans to put in an edger.




Wink Family Eye Care of SLP, St. Louis Park, MN

OWNER: Dr. Roman Gerber; ; FOUNDED: 2018 ; ARCHITECT FIRM: Bob Shaffer Foundation Architects; EMPLOYEES: 2 full-time ; AREA: 1,000 sq. ft.; TOP BRANDS: Ørgreen, Etnia Barcelona, MODO, Acuvue Oasys 1 Day, Fresh Day Sphere; FACEBOOK:; INSTAGRAM:;; BUILDOUT COST: $150K

Dr. Roman Gerber had wanted to open his own practice from the moment he graduated OD school in 2011. His dream came true in January 2018.

DR. ROMAN GERBER WANTED to cold-open a practice from the moment he graduated optometry school in 2011. Life circumstances and other opportunities kept that from happening for a few years, but by early 2017 he was scoping out potential locations for his own business in the South Minneapolis/St. Louis Park, MN area.

Things moved pretty quickly and the doors to Wink Family Eye Care of SLP opened on Jan. 15, 2018. Gerber began by seeing patients at Wink three half-days a week, while still working at his previous office; but before the year was out, Wink had gone from one to two full-time employees and was busy enough for Gerber to start working there full-time himself.

Gerber’s prime motivation for choosing the St. Louis Park neighborhood was because that was where his family first settled after immigrating from Russia when he was just 4 years old.

But as he took a closer look at the area, he was surprised at how much busier certain blocks were than others not that far away. The location he eventually settled on benefits from being in a mixed commercial and residential zone with Fresh Thyme and Trader Joe’s groceries nearby, a CVS pharmacy across the street and a busy Starbucks outlet just two doors down.


Gerber estimates that about half of his patients are in the 20-39 age group, and they’re an important segment for Wink. “However, that still leaves half of our patient base as younger than 20, or 40 and older. We try to cater to everyone.” Figuring out the ways to cater to each group has been a learning experience, he says. “We understand that many of our Millennial/Gen Z patients may prefer to communicate through secure email/text so we try to accommodate that. Although some of our Gen X/Baby Boomer patients would prefer phone calls, it has been surprising to me how many of our patients from those generations also prefer text messages.”

The store’s décor and distinctive green color scheme were inherited from Wink’s partner business, Wink Family Eye Care in Chanhassen, MN, with a few embellishments. The store’s cool feel, sleek materials and careful, efficient use of space offer a lesson in how to make the most of a smaller space. Explains Gerber: “With our young hip demographic, we focused on a classier optical. The walls are lined with stinkwood and showcase our frame lines beautifully. We have a small, 1,000 square foot, flag-shaped space. We wanted to fit a pretest room, exam room, office, and future edger without sacrificing our optical. Our architect worked tirelessly to fit all of these components and to allow a natural flow.”

Eyewear is merchandised by brand, with Tracey Eggerstedt, Wink’s technician/paraoptometric/optician extraordinaire organizing and reorganizing constantly. Once again, it’s a constant learning curve: “It’s interesting to see where people look at glasses and which locations are ‘hot spots,’” Gerber says. He adds that the store’s online focus is primarily on building brand awareness. “We like to educate our patients while still showcasing our fun vibe.”


Gerber strongly believes in listening to staff, treating them with respect, and empowering them. “Take care of your staff and they will take care of your patients,” he counsels. Before every eye exam, staff call on the patient’s medical and vision insurance to ensure there are no surprise bills. Eggerstedt focuses on pre-testing, frame styling, and learning everything about ocular health. “She enjoys being quirky with our patients and getting to know each one,” Gerber says. But all of the staff do a little bit of everything. “Kristin [Cannon] is our contact lens guru. She loves working with scleral lenses and doing difficult insertion and removal trainings.” The key to achieving great service, Gerber says, is to “treat every patient as if they were your family. We really try to empower patients and give them information to make the decisions for themselves. Everybody’s life is different and all we can do is educate our patients on all their options.”


Five Cool Things About Wink Family Eye Care of SLP

1. PARTNERS IN FINE. Wink Family Eye Care of SLP has a partner practice, Wink Family Eye Care in Chanhassen, MN, another America’s Finest Honorable Mention. They share staff, records and a website, but are run as separate businesses.

2. MEET & GREET. The Wink team are huge believers in networking and spend about five hours a week meeting other small businesses in the community, looking for ways to help each other out.

3. WILL TRAVEL. Gerber has made charity trips to Honduras, India, Mexico and Peru, and for two years helped build clinics in The Gambia, West Africa.

4. AWARD WINNING. Staff member Tracey Eggerstedt was named Paraoptometric of the Year in 2018 by the Minnesota Optometric Association.

5. EASY ON THE EYE. The store’s green color theme was chosen on the basis that the green wavelength of 555nm is the easiest for the rods in the retina to see.


  • Great logo, clean marketing materials and excellent use of that eye-popping green. Very clean and “shoppable” store layout. Nathan Troxell, PPG, Monroeville, PA
  • Refreshing in its simplicity and direct messaging. A solidly cool business. Leigh and Todd Rogers Berberian, Todd Rogers Eyewear, Andover, MA
  • While they obviously take the medical side of their business very seriously, there is a quirky, fun side that is evident in their marketing materials and social media posts. I like the community involvement, both local and global. Beverly Suliteanu, Westgroupe, Ville St-Laurent, Québec, Canada


Fine Story

Wink Family Eye Care of SLP owner Dr. Roman Gerber’s approach to choosing the precise location for the practice was downright scientific. In early 2017, while looking for places in South Minneapolis and St. Louis Park, MN, he says, “We ran a geospatial analysis (a gathering, of imagery, GPS, satellite photography and historical data for specific geographic coordinates, i.e. a street address or postal code) on a few spaces that were available. We were aware the area was changing rapidly, but it was great to see whether our assumptions about traffic patterns were correct. For the most part they were.”

Continue Reading


How 6 ECPs Designed, and Use, Their Business Cards

Even in a digital era, they find them to be an essential business tool.




THE HUMBLE BUSINESS CARD is the great survivor of our tech-driven retail world. They have few rivals when it comes to making a memorable first impression; handed to departing customers they become little ambassadors for your uniqueness — and a great vehicle for impromptu incentives. They’ll be around as long as folks have pockets. But people don’t hold on to cards as long as they used to, so it’s important to make them memorable … There are many reasons that 27 million of them continue to be printed every day. We do urge you to spare a thought for the planet though and choose an eco-friendly option, of which there are many. (To name two, Rhode Island-based Moo makes cards out of cotton from T-shirt remnants, and Botanical Paperworks of Canada produces “plantable” cards made from seed paper.) We asked six ECPs to flash their cards and share with us how they use them.

Optical Oasis
Jupiter, FL

Julie Uram’s parents met an artist during a trip to Key West and happened to mention their daughter was opening an optical with a thatched roof and sand-covered floor. He designed her a card there and then. She hands them out both inside the store and out, and occasionally recruits relatives for the task. She has given cards to doctors who practice in town; on the back of these she stamps a $50 coupon. She believes customers that take them do hand them on: “I do ask customers how they found me and they will tell me from either a customer, a doctor, or Google.”


Kenneth D. Boltz, OD
Dublin, OH

When Dr. Ken Boltz was setting up his new office in 2016, he needed a card with the new location and number in a hurry. He designed it himself, figuring he’d call a professional later. But his chart-inspired card went down so well, he kept it. “I keep cards with me at all times, as do all my staff. Each of us has a goal to hand out at least five each week.” They occasionally place a label on the back offering a complimentary retinal scan (value $39) with an expiration date. “This seems to stimulate those new contacts to call and make an appointment sooner rather than later,” he says.

Socialite Vision
Palm Beach Gardens, FL

Dr. Adam Ramsey sees his cards as an extension of his office, and spares no expense. He recently worked with a designer through numerous revisions “until the shine on the copper lettering was just right.” Given their ability to attract new clients, he advises, “don’t go low cost — go high quality.” He carries his cards everywhere and keeps a stash in his car. He also mails them to businesses from which he would like to receive referrals, including MDs without opticals and opticians without ODs. Not only does Ramsey ask staff to carry them, he even bought them fancy cardholders. “You need to instill that pride in them with their own cards. It’s their office too!” he says.

MacPherson Opticians
Arlington, VA

Kate Giroux worked with a designer to come up with MacPherson’s logo. She has them made for herself and staff, and they all carry them. She will use them to note a discount for customers who need an incentive to come in. Giroux adds that all of her referring doctors use her cards on her behalf when patients ask where they should have their eyeglasses fit and fabricated. “I have even had a few chain optical stores ask for my cards when those opticians cannot fit anything over a + or – 6D power lens or deal with complex compounded prism jobs.”


Hudson River Eye Care
White Plains, NY

It pays to have a graphic artist in the family — Dr. Larah Alami’s cousin came up with Hudson River’s wordmark and card design. “We have our cards displayed in dispensers, but don’t use them much outside the business,” she says. Doctors and opticians all have named cards, but not support staff. The practice prints up separate cards for discounts on suns with a CL purchase, but hands out a large number of business cards to people stopping in who need to call for appointments. “I don’t think it’s possible to operate without them,” Alami says. “It’s probably one of the first things we did when we opened.”

Goodrich Optical
Lansing, MI

Owner Dave Goodrich’s self-designed cards are mostly intended for use outside the store, including by staff. “I give them to people I meet, I use them for ID at other businesses. I’ve left them with a tip after good service at a restaurant.” When it comes to incentive write-ins, he tends to leave that for his “repair” cards, which allow folks to put money spent on a solder or repair toward new glasses. “I know we get five to 10-plus customers a year from a business or repair card,” he says. “I consider them a marketing tool rather than advertising since they are usually given to people asking about our services.”

Continue Reading

Best of the Best

Spice Up Your Frame Selection with This Strategy That Probably Never Occurred to You

It gives patients a reason to visit based on product assortment rather than discounts.




PERRY BRILL, GENERAL MANAGER at Brill Eye Center in Mission, KS, was looking for something new to base the practice’s marketing effort on, and knew that having new brands always generates more excitement than just saying you’ve got a refresh. Always one to shy away from typical optical business plans, he hit on a novel concept.


Tired of brands wanting 30-plus-piece orders, he decided to try bringing in micro-collections of 10-20 pieces every month to create some email and direct-mail hype. He wanted experience with more brands quicker than his usual once-every-six-months, large brand buy. “A retailer should always have a flavor of uniqueness. Restaurants have seasonal menus and opticals should have seasonal eyewear. Give patients a reason to visit based on product assortment rather than discounts,” Brill says.


Perry Brill

To curate a micro-collection of eight to 15 pieces, Brill says, connect with “ma and pa” frame vendors, who he says are just happy to have representation of their eyewear in any city. The easiest way to find these vendors is to go to Vision Expo, find the smaller booths and ask their minimum purchase. “Don’t expect the booths to be fancy!” he says. “Just observe the eyewear for quality and personality before making judgments. Most people will be super transparent and love your idea of creating seasonal collections.”

Brill says a small micro-collection should cost between $500 and $3,000. So far, he’s been impressed with the number of luxury or quasi-luxury brands that let him dabble with smaller orders. Being in the Kansas City area, he says, “It’s pretty easy to have exclusivity, with everyone selling bread and butter.”

The small collections now represent 10 percent of his inventory, which he figures is about right, as he wouldn’t risk going deep into the more obscure pricey stuff anyway. “I’m okay if it doesn’t sell quickly since the investment was slim.”
Micro-collections that have worked well for Brill include:

  • Ethnicity: “Asian and global fitting with acetate built-up pads and special wider temples. Don’t need a ton of frames but enough to tackle difficult-to-fit. Opticians need to up their game with fitting standards. The moment you solve frames on cheek issues — patient for a lifetime.”
  • Lucas De Stael (shown): “Ultra luxury for the high rollers and lover of texture and design. Made of leather, stone or cork. Retails for $1,000-plus.”
  • Sospiri: “Ultra luxury for the fancy woman who wants to shine — literally. Most jeweled frames are tacky; these are classy. $1,000-plus. People that want jewels want it! They will go find it if you don’t have it.”


Brill says the main benefit of ordering micro-collections is they give you a reason to engage with patients via social media and email. In such a competitive environment, and having access to great independent collections, it’s fun to test the waters with new product all the time, he says. And from a patient perspective, Brill believes that when they walk into an office they always want to see something new. “Carrying the same branded collections is easy, but having lots of collections gives patients choices and a tour around the world of independent eyewear. My optical is used to rapid change and every optician always wants to show what’s new.”

Do It Yourself: Micro Order Luxury Frames

  • PRIDE OF PLACE. Label an area in your optical with catchy signage that says something like: “New season eyewear, feel invigorated.”
  • DON’T SWEAT THE… “Don’t think too hard,” says Brill. “If the frames are bad sellers, the risk was low and you don’t need to worry about returns.”
  • HAVE FUN. “Go funky, always!” is Brill’s motto. This is your time to try wacky new inventory you would never go 50 frames deep in.
  • TAKE YOUR TIME. The key to selling such frames is sitting the patient down, explaining to them the brand story and frame characteristics.
  • GET THE WORD OUT. Inform your patients you have something cool and new in stock. “Thank goodness for email campaigns,” says Brill.

Continue Reading





Get the most important news and business ideas for eyecare professionals every weekday from INVISION.


Most Popular