Monthly Archives : October 2013

HIPAA training

Pharmacy News: HIPAA Training for employees


If you have been following along with my latest blog posts, you saw that when the OCR performed its Pilot Program for HIPAA audits, employee training was one of the areas where providers tend to be the most non-compliant.

You may be thinking, well, that’s easy; I will just have my employees go online and complete a training course. Unfortunately, although your employees may learn something, purchasing a “canned” HIPAA training program will not make you compliant with the HIPAA rules for training.

Why, you ask?

When it comes to HIPAA training for employees, the training MUST be based on YOUR policies and procedures and tailored to each employee’s job functions.

The Regulation States:

164.530 (b) (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

So we see, the HIPAA training must be conducted and documented:

    • Based on your policies and procedures and the workforce member’s job function
    • By the compliance date
    • Within a reasonable period of time for new workforce members
    • Within a reasonable period of time if material changes are made to your HIPAA Compliance Program

HIPAA training for employees is simple if you follow these rules.

Some HIPAA programs, like PRS’s HIPAATrack, come with complete employee training, so that you are assured your employees have the appropriate training to comply with the HIPAA Rules.

Harry Lattanzio | why care about Omnibus HIPAA

Pharmacy News: Omnibus HIPAA and How it Impacts You — Part 3

We have discussed the facts about the changes to the HIPAA laws and tackled some of the specific changes and issues that you, as pharmacy owners, need to review within your current HIPAA Compliance Program. But you may still be asking yourself, “In all the years I’ve been in business, no one has ever come to review my HIPAA policies or look at my Disaster Recovery Plan, so why should I worry about the Omnibus HIPAA Final Rule?”


Here’s why.

In the past, HHS sent auditors in response to complaints and/or breaches; now, you may be audited without cause. Congress has allocated money for the HHS Office of Civil Rights (OCR) to conduct audits, and any fines that result will go to fund more audits. The potential fines, civil and criminal, have increased to a maximum of $1.5 million for each type of violation and up to 10 years of imprisonment.

Between 2011 and 2012, the OCR conducted a Pilot Audit Program to gauge if covered entities truly are HIPAA compliant. The OCR hasn’t released the results of the pilot audits, but they have stated that only two of the 61 healthcare providers audited were fully compliant. From bits of information the OCR has released, it seems providers tend to be non-compliant in the following areas:

1) Disaster Recovery Plan

2) Risk Analysis

3) Minimum necessary rules

4) Notice of Privacy

5) Policies and procedures manual

6) Adequate employee training on the pharmacy’s HIPAA policies and procedures.

The HIPAA Audit Program began around October 1, 2013, so don’t put your HIPAA updates on the back burner. There are programs out there that can make this easy for you. HIPAATrack, presented by NCPA and powered by PRS, is the quickest, most cost-effective way to be compliant with the HIPAA Omnibus Final Rule.

So, don’t panic, but don’t be complacent, either. Get your HIPAA house in order; then relax.


Pharmacy News: Omnibus HIPAA and How it Impacts you — Part II

In my last blog post, I informed you of changes to HIPAA and how it will be enforced.

Here are some of the specific changes in the Omnibus HIPAA Final Rule that impact you as a pharmacy owner:

  1. Security Rule—You must now make sure your business associates, anyone with whom you legally share individually identifiable PHI, are compliant with the Security Rule and have policies and procedures in place to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (PHI). While you’re at it, conduct an evaluation of your own Security Compliance Program, paying close attention to your Risk Analysis, Risk Management, Disaster Recovery, and Contingency Plans. A pilot audit program found that pharmacies were often deficient in these areas.
  2. Breach Notification—The standard for deciding whether one must issue a Breach Notification was changed from risk of harm to the patient to risk that the PHI was compromised. If your risk analysis determines that the PHI was possibly released inappropriately, you must: 1) Notify the patient within 60 days of discovery. 2) Notify HHS within 60 days for breaches of 500 or more patients. 3) Notify HHS of all breaches within 60 days of year’s end. 4) Notify a prominent media outlet in your area for breaches of 500 or more patients.
  3. Privacy Rule—This is where the majority of changes were made. Your Notice of Privacy must now: 1) State that you are required to get patient authorization for certain uses and disclosures (e.g. psychotherapy notes, marketing, sale of PHI, and other uses and disclosures not described in the Notice). 2) Include an opt-out statement in your fundraising statement. 3) Notify patients that they may restrict disclosures to health plans for services paid for out of pocket. 4) State that patients will be notified of any PHI breach. Offsite records must now be provided within 30 days of patient request, rather than 60 (with a 30-day time extension provision, as before). If patients request their PHI in an electronic format that you can provide, you must provide it electronically.

Also, there are changes to disclosure rules for the PHI of deceased persons and for proof of immunization to schools. You may continue to disclose PHI to individuals who were authorized to receive it before the patient’s death, and you must protect the PHI for 50 years or until you destroy those records. Proof of immunization may be disclosed to schools with a verbal request of a patient, parent, or person acting in loco parentis; document the request and the submission.

Want more information on the changes put in place by Omnibus HIPAA?

View the PRS webinar: HIPAA 2013: Don’t Panic. Be Prepared.

Looking for an answer to Omnibus HIPAA Compliance for your pharmacy?

Visit the PRS website or contact 1-800-338-3688 to speak with a Specialist.