Monthly Archives : March 2015

Pharmacy News: HITECH Requirements for Business Associate Agreements

Wow! We are covering a lot of topics in this HIPAA Readiness Series! If you haven’t had a chance and want to, visit the PRS website to catch up on the topics we have gone over so far. This next topic is an important one.

Let’s Share! (Business Associate Agreements)

We’ve all been taught that sharing is good. In 21st century healthcare, sharing data is essential. But, it’s also a bit worrisome. Criminals can do a lot of harm with stolen patient health information (PHI), so the laws protecting PHI disclosed by Health Care Providers were strengthened through the Health Information Technology for Economic and Clinical Health (HITECH) in 2009. Further strengthening occurred to all aspects of the HIPAA Rules and Regulations in January of 2013 with the release of Omnibus HIPAA Rulemaking.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Covered entities and their business associates (anyone to whom they legally disclose PHI) must sign agreements obligating them to follow the HIPAA Privacy and Security Rules. You should already have these Business Associate Agreements (BAAs), but are they up to date? As of September 23, 2014, OCR is now enforcing these additional requirements:
1. Your business associates must now have a written plan that complies with the HIPAA Security Rule with the same level of specificity required of any covered entity. They must document how they will protect hard copy and/or electronic PHI.
2. BAAs must include the restrictions on use and disclosure of PHI listed in Section 164.504(e) of the HIPAA Privacy Rule.
3. Your BAA should include an acknowledgement that your business associate may be audited by OCR.
4. Your business associates are required to notify you, the covered entity, of any breach of unsecured PHI. You need to follow the notification rules even if it was your business associate that experienced the breach.

Make sure your business associates know that they are subject to civil and criminal penalties for breaching a BAA or otherwise violating HIPAA. Civil penalties range from $100 per violation to $50,000 per violation for incidents that exhibit “willful neglect.” HITECH also gives State Attorneys General the ability to enforce violations with injunctions and civil damages.
You can find additional resources about Business Associate Agreements (BAAs) on the Office for Civil Rights website found at

For more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of our Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.

Pharmacy News: Save your electronic PHI

The Show Must Go On!

When I started this blog series on HIPAA Readiness, I had no idea that real life was going to play such a big role in my posts! After telling you why HIPAA Readiness is such a big deal right now, how to handle possible breaches and how you as a pharmacy owner are responsible for your employees’ actions when it comes to HIPAA, a major pipe burst and “rained on our parade.” We didn’t see that coming, but we were sufficiently prepared to march on.

It’s important that your pharmacy is prepared to “march on” and to see patients through whatever happens to your facility or your community. Everything from hurricanes to snow storms to heat waves can damage your building, take out your electricity, or keep key employees from getting to work. Your disaster recovery plan should address the fallout from physical damage, loss of electronic PHI, and from the loss of key employees.

Here are a few high priority items for your plan:
1. Protect your electronic PHI. How can you access it if you can’t get into your building? Consider backing up your electronic PHI to a remote, possibly cloud-based, site. Make a plan for you or key staff members to access data remotely so they can work with patients from a safe place. This will also require you to ensure that all of your employees who remotely access your network are aware of standard security protocols for remote access.
2. Anticipate your patients’ needs. How can they get the medications they need if your facility is out of commission? You might establish a relationship with another independent pharmacy to back each other up in emergencies. Also, consider your state board requirements when utilizing a temporary site for your pharmacy.
3. Have an alternative communication system. Make sure you can get in touch with your employees. Immediately update your website with instructions on how patients can get their prescriptions filled.
4. Cross-train employees. The loss of a key employee to injury or worse cannot shut down operations. You need operational redundancy for the functions your employees perform just as much as for the functions your computers perform.
5. Train Staff and Test Plans. So, you’ve made a plan, but does it work? Get everyone on board and try it out. By doing so, you and your staff may find a better way or spot something that needs to be updated, and keep your electronic PHI safe.


Pharmacy News: A good Disaster Recovery Plan is essential to your pharmacy business.

Have you been keeping up with our HIPAA Readiness Series? We have been exploring why HIPAA is back in the news, what to do if you experience a HIPAA breach, and the fact that you, as a Pharmacy Owner, are responsible for your employees’ actions if they violate HIPAA. Let’s continue exploring the importance of HIPAA Readiness by using this REAL LIFE situation that happened to my company.

#4 Preparing for the Deluge: Risk Analysis/Disaster Recovery Plan

It can happen to anyone, and it happened to PRS last week! On a dark, deserted Saturday night, a major water pipe on the top floor of our 19th century building burst. Motion detectors triggered the alarm, but by the time the water flow was under control, the three occupied floors were a wet mess. Some computers survived, others were a complete loss, but our server was back in business by Tuesday afternoon.

We hadn’t expected a deluge from above, but we created our Disaster Recovery Plan / Contingency Plan years ago, and when the flood occurred it was implemented. We understood our operations and our needs based on the risk analysis we had performed. In the Risk Analysis we were able to identify our critical systems and all of the threats and vulnerabilities that existed to our operations. This allowed us to ensure we had the proper policies, technical safeguards and an effective Disaster Recovery Plan / Contingency Plan to protect the important data stored on our computers. Performing a detailed, well-considered risk analysis is a requirement of HIPAA. Every covered entity is responsible for the confidentiality, integrity, and availability of the electronic protected health information (ePHI) it holds. You must imagine what might endanger your ePHI and put safety measures in place.

PRS was hit with a flood; you might be hit by computer hackers. Every situation must be considered. And because new computer products continually come on the market, new employees join your staff, and new malware is invented by hackers, you need to review your risks and solutions periodically. Additionally, whenever you make a change to your pharmacy (remodeling your interior space, buying new hardware, altering your procedures or your employees’ job descriptions), think about how that might impact your risk analysis and your Disaster Recovery Plan.

It’s the law and it’s good business. A periodic review of your risk analysis is an essential insurance policy against loss, theft, or corruption of your ePHI files.
