Monthly Archives: February 2015

Pharmacy News: Did you know, you are responsible if an employee commits a violation of HIPAA?

Over the past few weeks, we have been exploring HIPAA, which has made its way back into the news. We have talked about how computer viruses and malware can be dangerous to PHI on your network and what to do when you think you have a breach. We continue our HIPAA Readiness journey by discussing how you, as a pharmacy owner, are held responsible when one of your employees commits a violation of HIPAA.

#3 Respondeat superior: The Sins of the Tech Shall Be Visited Upon the Pharmacy Owner (violation of HIPAA)

What if Joe, your pharmacy tech, lets slip to his friends that “Jane Doe” was prescribed medication for a pretty embarrassing medical condition? That is an impermissible disclosure of PHI and a clear violation of HIPAA, and if you hear about it, you will fire Joe. But what if Jane hears about it and files a lawsuit? Will she sue Joe, or will she sue you? Who has the deeper pockets?

Respondeat superior is Latin for “let the master answer.” As a legal doctrine, it means that an employer can be held liable for the wrongful acts of employees committed within the scope of their employment. Even though you yourself have done nothing wrong, the law holds that you, “the master,” have a measure of control over your employee and may have to answer for his wrongdoing. An employer takes on a certain amount of vicarious liability for employees, which is why you are responsible for training them on how to do their jobs and on what they must not say or do.

There are conditions that must be met before employer liability will be imposed for the wrongful conduct of an employee. To be within “the scope of employment,” conduct must (1) be of the type the employee was hired to perform; (2) take place within the time and space limits authorized by the employer; and (3) be at least partly motivated by a purpose to serve the employer. Often, these questions are decided by a jury.

All pharmacies should have policies and procedures in place that clearly spell out the responsibility of employees not to disclose confidential or private medical or treatment information. Employees should be trained on your HIPAA Policies and Procedures and should electronically acknowledge or sign a document stating that they have completed your HIPAA training; keep those acknowledgments on file with the rest of your HIPAA documentation, because training records are part of what HIPAA requires you to retain. This training, along with each job description, should clearly lay out the scope of the employee's duties and the conduct that is inappropriate or illegal. If you do all you can to document your HIPAA compliance and employee training, Joe may, indeed, take the rap alone.

For more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of the Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.

Pharmacy News: Reporting Breaches, Notifying Patients & Risk Assessment

Last week, I told you that HIPAA is back in the news. Didn’t get a chance to read why? Take a minute to read Part 1 of the HIPAA Readiness series — HIPAA Has Returned. So now that you know why HIPAA is such a hot topic, let’s continue on our HIPAA Readiness journey…

#2 What to do when you have a HIPAA breach.

Uh-oh! You believe there’s been a breach in your HIPAA security. Keep Calm & Do a Risk Assessment. The federal government requires different actions depending on the nature of the information compromised and the number of people affected. So, first, find out how bad the situation is.

You need to document your risk assessment and keep it on file for at least six years. The assessment weighs at least four factors: the nature and extent of the PHI involved (including how readily it identifies a patient), who the unauthorized person was, whether the PHI was actually acquired or viewed, and how far you have been able to mitigate the risk. In the best case, you may find that the disclosure of protected health information (PHI) was limited to permitted uses, or that the information was recovered before anyone could view it. If you can demonstrate a low probability that the PHI was compromised, the incident is not a reportable breach; if you cannot, it is presumed to be one.

But if a breach did occur, you must notify each affected patient without unreasonable delay, in writing by first-class mail, or by email if the patient has agreed to receive notices electronically. If there is an urgent risk that the PHI will be misused, you may also contact the patient by telephone or other means, but that call is in addition to the written notice, not a substitute for it. If you lack current contact information for 10 or more patients, you must provide substitute notice, either a conspicuous posting on your website's home page or a notice in major print or broadcast media serving the area, kept up for 90 days and including a toll-free number patients can call to learn whether they were affected.

In cases involving fewer than 500 individuals, the HITECH Breach Notification regulations require you to notify those patients without unreasonable delay and in no case later than 60 calendar days after you discover the breach. You must keep a log of such incidents and report them to the HHS Secretary annually, no later than 60 days after the end of the calendar year in which they were discovered. Alternatively, you can report them as they happen at the OCR Breach Portal; this online process lets you enter whatever information you have and add details as they become available. In cases involving 500 or more individuals, you must notify the HHS Secretary at the same time you notify the patients (again, no later than 60 days after discovery), and when more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area. Treat the 60 days as an outer limit, not a target: a breach counts as “discovered” on the first day it is known, or reasonably should have been known, to anyone in your workforce other than the person who caused it.

In addition to the federal requirements, most states have their own laws regarding breach notification; the National Conference of State Legislatures maintains a collection of them.

Want to test your HIPAA knowledge? Take the HIPAA Readiness Quiz.

You can read more details about how to deal with a security breach on the site. Better yet, you can get everything you need for a strong HIPAA Compliance Program and Risk Assessment from PRS. Click here to learn about all of our COMPLIANCETrack programs.


Pharmacy News: HIPAA has returned

Are you sure your pharmacy is HIPAA Compliant?

Recently, HIPAA has made its way back into the news with new court rulings on regulations and enforcement. I was asked to write an article for the February issue of NCPA’s America’s Pharmacist explaining the impact of the rulings on the pharmacy industry. If you are an NCPA member, be sure to read Thin Ice Ahead: Four Rulings That Increase Your HIPAA Liability. If you aren’t a member, write to us at to request a .pdf copy.

As a sidebar to the article, I wrote a HIPAA Readiness Survey, asking nine questions about your understanding of HIPAA and the strength of your HIPAA compliance program. In this HIPAA Readiness blog series I elaborate on one question a week to discuss how each impacts your pharmacy.

So, let’s get started.

#1—Computer Viruses and Malware


Has a computer virus or malware program ever appeared on any computer that houses or has access to protected health information (PHI) entrusted to your pharmacy? That could be very, very bad. Hackers can slip spyware programs onto your computer and steal or destroy patient information. You must do all you can to keep that from happening. HIPAA requires that you put in place practices, policies and procedures, and security measures to ensure the confidentiality, integrity and availability of electronic PHI.

The best solution would be to keep PHI only on computers or devices that are not connected to the internet, but that is impossible in today's environment. At a minimum, run a reputable, current antivirus and antimalware product on every machine that stores or can reach PHI. Malicious software, or malware, can slow down your computer or network, render systems unusable, install further malicious programs, and steal information. It can be spread by opening e-mail attachments, visiting unreliable websites, using infected USB flash drives, CDs, or DVDs, playing infected media files, or even by installing programs from unscrupulous sources that claim to provide protection from malware while actually infecting or spying on your computer. Many products sold as “antimalware” are designed to complement a conventional antivirus engine rather than replace it, so check what your chosen product actually covers instead of assuming one label covers everything; it is essential that both kinds of protection are in place. Antivirus is also only one of the Security Rule's safeguards, not a substitute for the rest: keep the operating system and applications patched, do not let staff do their daily work in accounts with administrator rights, and keep backups that malware on the network cannot reach.

Choose a well-reviewed antivirus/antimalware solution that detects a broad range of malware, scans downloads automatically, pulls updates to its signature database at least once a day (preferably every few hours), and includes good malware removal capabilities. No product stops everything, so treat a vendor's claim of complete protection with suspicion. Since few pharmacies have an IT department, make sure the product you choose has stellar customer service.

A good program, when configured properly, can send an alert when an attempt was made to infect your computer, and will tell you what action it took: blocking the download, or removing or quarantining the file. Pharmacy employees should report every such alert to your designated Security Officer, who can then determine whether any PHI was accessed and whether the breach risk assessment described in Part 2 of this series is required. A file that was quarantined before it ever ran is usually not a breach; an infection that ran for days on a machine holding PHI needs that assessment.
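The two expectations above, signatures refreshed at least daily and every alert reaching the Security Officer, are easy to state and easy to let slide on a pharmacy PC nobody maintains. The following script is an added example, not code from PRS or from the original post, and it assumes the pharmacy PCs run Windows with the built-in Microsoft Defender antivirus (Windows 8.1 / Server 2012 R2 or later, which ships the Defender PowerShell module). The one-day signature threshold, the seven-day lookback and the report file path are this example's own choices, not anything the post specifies; a third-party product would need its own equivalent.

```powershell
# Added example (not from the original post): audit Microsoft Defender on this
# PC against the expectations above and write a dated report the Security
# Officer can file with the risk-assessment records.
# Assumptions: Windows 8.1 / Server 2012 R2+ with the Defender module; the
# thresholds and report path below are illustrative choices, not requirements.
param(
    [int]$MaxSignatureAgeDays = 1,                                   # assumption: "at least once a day"
    [int]$LookbackDays        = 7,                                   # assumption: report detections from the last week
    [string]$ReportPath       = "$env:ProgramData\PRS-AV-Check.txt"  # assumption: where the Security Officer reads it
)

$findings = New-Object System.Collections.Generic.List[string]
$status   = Get-MpComputerStatus

# 1. Is the engine actually running and watching files as they are opened?
if (-not $status.AntivirusEnabled)          { $findings.Add("FAIL: antivirus engine is disabled") }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("FAIL: real-time protection is off") }

# 2. Are signatures fresh? AntivirusSignatureAge is reported in whole days.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add(("FAIL: signatures are {0} day(s) old (last updated {1}); expected <= {2}" -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated, $MaxSignatureAgeDays))
}

# 3. Has a scan run recently? QuickScanAge is also a count of days.
if ($status.QuickScanAge -gt $LookbackDays) {
    $findings.Add("WARN: no quick scan in the last $LookbackDays day(s)")
}

# 4. Pull recent detections so the pop-up the product showed is not the only record.
$since       = (Get-Date).AddDays(-$LookbackDays)
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$detections = Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $since }
foreach ($d in $detections) {
    $name    = if ($threatNames.ContainsKey($d.ThreatID)) { $threatNames[$d.ThreatID] } else { "ThreatID $($d.ThreatID)" }
    $outcome = if ($d.ActionSuccess) { "remediated" } else { "REMEDIATION FAILED" }
    $findings.Add(("DETECTION: {0} at {1} in {2} (user {3}, process {4}): {5}" -f
        $name, $d.InitialDetectionTime, ($d.Resources -join '; '), $d.DomainUser, $d.ProcessName, $outcome))
}

# 5. Append a dated report; the Security Officer decides whether a breach risk assessment is needed.
$header = "Defender check on $env:COMPUTERNAME at $(Get-Date -Format s) (signature version $($status.AntivirusSignatureVersion))"
$body   = if ($findings.Count -eq 0) { @("OK: engine on, signatures current, no detections in last $LookbackDays day(s)") } else { @($findings) }
@($header) + @($body) | Tee-Object -FilePath $ReportPath -Append

# Non-zero exit lets a scheduled task or remote-management tool flag the machine for follow-up.
if ($findings | Where-Object { $_ -like 'FAIL*' -or $_ -like 'DETECTION*' }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell prompt, or register it as a daily scheduled task on each PC that touches PHI; a non-zero exit code on any machine is the cue for the Security Officer to open the report and start the risk assessment rather than wait for an employee to remember to mention an alert.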

Remember, you’re not paranoid if they really are out to get you—and they are.
