Pharmacies are HIPAA-covered entities and must comply with the rules governing permitted uses and disclosures of protected health information (PHI). They must implement standards that secure PHI both at rest and in transit, and they must respect patients' right to obtain copies of their PHI. Failure to comply with HIPAA can result in severe penalties.
The Department of Health and Human Services' Office for Civil Rights has published a 115-page reference text of all the HIPAA Rules. To make the compliance obligations of pharmacies easier to digest, the most important points are outlined below.
- Conduct risk analyses regularly – A covered entity must identify risks to the confidentiality, integrity and availability of PHI by conducting a comprehensive risk analysis. Identified risks must then go through a risk management process and be reduced to an acceptable level. Risk analysis is not a one-time exercise: it must be repeated regularly, and especially whenever business practices change or new technologies are introduced.
- Keep PHI safe at all times – Pharmacies must ensure that safeguards are in place to protect the integrity, confidentiality and availability of PHI and ePHI. HIPAA does not dictate which specific safeguards to implement; that decision must be based on the findings of the risk analysis.
- Appoint a privacy or compliance officer – One staff member must be appointed as the privacy officer. This person is responsible for enforcing all policies and procedures, monitoring proper documentation and filing, and ensuring that patient requests for PHI are met promptly. The privacy officer must also stay up to date on HIPAA regulations and make sure the entity remains in compliance.
- Get required authorizations – Use or disclosure of PHI is allowed for purposes of treatment, receiving payment and pharmacy operations. If there must be other uses or disclosures of PHI, the entity must get written authorizations.
- Enter into business associate agreements – If a pharmacy needs the services of a third party and that third party requires access to PHI or copies of PHI, a business associate agreement is required. The third party must also provide reasonable assurances of HIPAA compliance.
- Avoid impermissible disclosure of PHI – Disclosing PHI for reasons not allowed by the Privacy Rule, whether accidentally or deliberately, can cause serious harm to patients. The pharmacy must be careful to follow policies and procedures to avoid impermissible disclosures.
- Grant patient requests to obtain copies of their PHI – Pharmacies must be prepared to provide patients with a copy of their pharmacy records on request.
- Dispose of PHI properly – Prescription labels and documents with PHI must be disposed of properly by shredding, pulverizing, pulping or incinerating. Delete PHI on electronic devices before disposal.
- Train staff to comply with the HIPAA Rules – All staff in the pharmacy need to undergo HIPAA awareness and security training. The training must also be given to volunteers and interns.
- Provide privacy practices information to patients – Patients must receive a copy of the pharmacy's written notice of privacy practices. A patient's signature is required to confirm receipt of the information.
- Notify patients and OCR in case of a privacy breach – The pharmacy must notify the patients whose PHI has been exposed, and OCR, within 60 days of discovering a breach. If the breach affected fewer than 500 persons, the notification to OCR may be issued no later than 60 days after the end of the calendar year in which the breach occurred.
A pharmacy may engage a compliance specialist to assist with its HIPAA compliance program. For other HIPAA compliance questions, consult a healthcare attorney.