
Pharmacy News: HIPAA Readiness wrap-up.


So, just a few months ago, I let you all know that HIPAA was back in the news with new court rulings, enforcement activities, and how future HIPAA audits would occur proactively (instead of in reaction to breaches and complaints). Since then we have taken a long journey together to go over some of the items that need to be in place and happen on a daily basis so that your pharmacy is HIPAA ready. We also looked at what you, as a pharmacy owner, need to do if certain things were to happen within your facility.

Let’s do a little review to sum things up.

1. We learned about malware and computer viruses and how they can be a way for Protected Health Information (PHI) to get deleted or even stolen. The solution: be sure to have good, up-to-date anti-virus/anti-malware software on the computer(s) where PHI is stored, and keep the operating system and pharmacy software patched. It is also important that your firewalls, routers and wireless devices are set up appropriately to protect your infrastructure.

2. What do you do if a breach of PHI does happen at your pharmacy? Don’t panic, but DO A RISK ASSESSMENT: unless you can show a low probability that the PHI was actually compromised, the incident is a reportable breach. If it is, you must notify each affected patient without unreasonable delay and no later than 60 days after discovery, by first-class mail (or email if the patient has agreed to electronic notices); telephone may be used in addition when the situation is urgent. If you lack current contact information for 10 or more patients, you must provide substitute notice through a conspicuous posting on your website or through major media, including a toll-free number patients can call. If the breach affected fewer than 500 individuals, report it to the HHS Secretary in your annual breach log no later than 60 days after the end of the calendar year in which it was discovered. If it affected 500 or more individuals, report it to the HHS Secretary within 60 days of discovery (and, if more than 500 residents of one state are affected, notify prominent media outlets in that state as well).

3. We discussed that you, as an employer, may be held responsible if your employees commit a HIPAA violation. How do you avoid this? All pharmacies should have policies and procedures in place that clearly spell out employees’ responsibility not to disclose confidential or private medical or treatment information. Employees should be trained on your HIPAA policies and procedures and should electronically acknowledge or sign a document stating that they have participated in your HIPAA training. This training, along with their job description, should lay out the scope of their duties and the conduct that is inappropriate or illegal. If your training program, policies and procedures, and IT processes are clear and effective (and there are no holes), your ultimate responsibility for any violation may be mitigated.

4. This is where it got personal for me as a business owner. We had a DISASTER here in our office; from power and IT to damage to the building, we lost a lot! But we instituted our Disaster Recovery Program within a few hours and were back up to normal business functions from our customers’ and members’ point of view. We used the same Disaster Recovery Program that thousands of you have, and our servers were up and running at normal levels within 48 hours. If we hadn’t had one in place, we could never have gotten back on our feet as quickly as we did.

So what are some of the key areas you need to consider when creating your Disaster Recovery Plan:
• Ensure you are performing Data Backups
• Anticipate your patients’ needs
• Ensure you have contact information for all of your vendors (hardware, software, drug wholesaler, etc.)
• Have an alternative communication system
• Ensure your employees know what will be needed of them
• TRAIN YOUR EMPLOYEES AND TEST THE PLAN

5. Make sure all of your Business Associate Agreements are up to date with the Omnibus HIPAA Rule released in January 2013.

6. Make sure your Notice of Privacy Practices is compliant with the Omnibus HIPAA Rule, that you hand it to every new patient and to anyone who asks, and that it is posted on your website if you provide health care related services online, including online refills. You must also make a good-faith effort to obtain each patient’s written acknowledgment that they received your Notice of Privacy Practices, and document that effort.

7. And last, but certainly not least: be sure your HIPAA policies and procedures are a part of your daily activities; don’t just keep them on a shelf. With all of the enforcement activities and upcoming audits, you need to make sure compliance is part of your pharmacy’s DNA. And make sure your employees are trained on your P&Ps.

I hope that you have learned why after all these years, HIPAA is still one of the most impactful regulations to hit the pharmacy industry and that being HIPAA Ready can save your business, whether an inspector comes to your door, or (and I hope this doesn’t happen to you) a disaster happens.

Just as I was working on this post, I saw that an enforcement action and fine were issued to a pharmacy for improperly disposing of PHI. At least that is where the investigation started, but the Office for Civil Rights also discovered the pharmacy did not have policies and procedures and did not provide and document HIPAA training for its employees.

As always, for more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of our Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.

Pharmacy News: HIPAA Compliance Policies and Procedures


We have been talking HIPAA Readiness for a little over a month now and I hope that it is helping you to realize you can’t afford to ignore HIPAA Compliance, or put your program on a shelf.  Our final topic before we sum it all up is another HIPAA basic: policies and procedures.

Mind your Ps and Qs, or in this case, your P and Ps.

In the old days, many people had formal living rooms or parlors that were perfect showcases of fancy furniture and tchotchkes, rooms where no one was actually allowed to live. They were kept clean and pristine only for guests and maybe for the family on Christmas Day.

Some pharmacies treat their HIPAA compliance policies and procedures like the “good parlor”—they’re perfect, but they’re only pulled out for guests, who, in this case, are called auditors. Their well-worn day-to-day operations don’t follow the good intentions outlined in the pharmacy’s official P and Ps. Unfortunately, your pretty P and P’s won’t impress an auditor if they are not put into practice.

There are a number of ways a disparity between written policies and procedures and actual operations can develop. Perhaps you’ve purchased an off-the-shelf compliance package to keep up with changes made in the latest HIPAA rules; then, you put it back on a dusty shelf in your store because you were too busy to implement any necessary changes to your systems.

Too much success can lead to cutting a few corners. In the hustle and bustle of a busy pharmacy, vials brought in for refill can get tossed in the trash or recycling bin. Records could be put aside to be refiled when the rush is over, but misplaced instead. Under the stress of a long line of customers, electronic security measures may be missed, passwords may be shared (“Joe, give me your password. I need to refill this Xanax.”).

All of your employees were trained on your policies and procedures. But, just as a student may forget half the information s/he crammed for a test as soon as the test is over, your staff may forget some policies that don’t come up in everyday practice. On a happier note, your staff may have “invented a better mousetrap,” a procedure that complies with the HIPAA rules better than what is written in your P and P’s. Edit your written procedures to match what actually works, and all will be well.

The moral of the story: Sit on your fancy furniture, use the good china, and follow your P and P’s.


Pharmacy News: Notice of Privacy Practices

We have taken a long journey in this HIPAA Readiness series, so let’s not forget the basics —

Stop Me If You’ve Heard This One: Notice of Privacy Practices

Communication is the key to success. Or so read a poster on the wall in my high school English class. Communication is also the key to HIPAA compliance. You need to give every patient a Notice of Privacy Practices the first time you provide any health service. The Notice of Privacy Practices must inform the patient how their Protected Health Information may and may not be used and disclosed, and tell them about their individual rights.

Communication is a two-way street. Another tried and true aphorism that’s relevant to HIPAA. Your patients need to tell you that they received a Notice of Privacy Practices. Luckily, you don’t have to document that they read and understand the notice, but you do need to get them to sign an acknowledgement that you gave it to them. You probably have a checklist for serving new patients; it may even be part of your pharmacy software. Make sure that the Notice of Privacy Practices acknowledgment is on it, and that you have some method of quality control to double check that all patient files include an acknowledgment. If you find a file that is missing the acknowledgment, don’t panic, but put an alert on their account to make sure you get one on the patient’s next visit.

Here’s another old saw: Repetitio mater studiorum est, or Repetition is the mother of all learning. You’ve handed your patients a Notice of Privacy Practices which they will very likely toss, file away, or lose. It is therefore prudent for you to offer the notice in other, more lasting forms. Post a copy at the pharmacy counter where patients can read it. Put a Privacy Notice link on every page of your website where patients go for services like prescription renewals. This is not just prudent: the Privacy Rule requires you to post the notice in a clear and prominent location at your pharmacy and, if your website provides information about your services, on the website too. Such repetition adheres to another ancient adage: CYA, or Cover your…assets.


Pharmacy News: HITECH Requirements for Business Associate Agreements

Wow! We are covering a lot of topics in this HIPAA Readiness Series! If you haven’t had a chance and want to, visit the PRS website to catch up on the topics we have gone over so far. This next topic is an important one.

Let’s Share! (Business Associate Agreements)

We’ve all been taught that sharing is good. In 21st century healthcare, sharing data is essential. But it’s also a bit worrisome. Criminals can do a lot of harm with stolen protected health information (PHI), so the laws protecting PHI disclosed by health care providers were strengthened through the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Further strengthening of all aspects of the HIPAA Rules and Regulations occurred in January 2013 with the release of the Omnibus HIPAA Rule.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.” http://www.hhs.gov/news/press/2013pres/01/20130117b.html

Covered entities and their business associates (vendors that create, receive, maintain, or transmit PHI on your behalf, such as your pharmacy software vendor, billing service, or shredding company) must sign agreements obligating the business associate to follow the HIPAA Privacy and Security Rules. You should already have these Business Associate Agreements (BAAs), but are they up to date? As of September 23, 2014, OCR is enforcing these additional requirements:
1. Your business associates must now have a written plan that complies with the HIPAA Security Rule with the same level of specificity required of any covered entity. They must document how they will protect hard copy and/or electronic PHI.
2. BAAs must include the restrictions on use and disclosure of PHI listed in Section 164.504(e) of the HIPAA Privacy Rule.
3. Your BAA should include an acknowledgement that your business associate may be audited by OCR.
4. Your business associates are required to notify you, the covered entity, of any breach of unsecured PHI. You must follow the notification rules, and your own notification deadlines still apply, even if it was your business associate that experienced the breach.

Make sure your business associates know that they are subject to civil and criminal penalties for breaching a BAA or otherwise violating HIPAA. Civil penalties range from $100 per violation to $50,000 per violation for incidents that exhibit “willful neglect,” with an annual cap of $1.5 million for violations of the same provision. HITECH also gives State Attorneys General the ability to enforce violations with injunctions and civil damages.
You can find additional resources about Business Associate Agreements (BAAs) on the HHS Office for Civil Rights website at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html


Pharmacy News: Save your electronic PHI

The Show Must Go On!

When I started this blog series on HIPAA Readiness, I had no idea that real life was going to play such a big role in my posts! After telling you why HIPAA Readiness is such a big deal right now, how to handle possible breaches and how you as a pharmacy owner are responsible for your employees’ actions when it comes to HIPAA, a major pipe burst and “rained on our parade.” We didn’t see that coming, but we were sufficiently prepared to march on.

It’s important that your pharmacy is prepared to “march on” and to see patients through whatever happens to your facility or your community. Everything from hurricanes to snow storms to heat waves can damage your building, take out your electricity, or keep key employees from getting to work. Your disaster recovery plan should address the fallout from physical damage, loss of electronic PHI, and from the loss of key employees.

Here are a few high priority items for your plan:
1. Protect your electronic PHI. How can you access it if you can’t get into your building? Back up your electronic PHI to a remote, possibly cloud-based, site, encrypt the backups in transit and at rest, and periodically test that they actually restore. Make a plan for you or key staff members to access data remotely so they can work with patients from a safe place. This also requires you to ensure that every employee who remotely accesses your network follows your remote access security procedures (unique logins, strong passwords, no shared accounts).
2. Anticipate your patients’ needs. How can they get the medications they need if your facility is out of commission? You might establish a relationship with another independent pharmacy to back each other up in emergencies. Also, consider your state board requirements when utilizing a temporary site for your pharmacy.
3. Have an alternative communication system. Make sure you can get in touch with your employees. Immediately update your website with instructions on how patients can get their prescriptions filled.
4. Cross-train employees. The loss of a key employee to injury or worse must not shut down operations. You need operational redundancy for the functions your employees perform just as much as for the functions your computers perform.
5. Train Staff and Test Plans. So, you’ve made a plan, but does it work? Get everyone on board and try it out. By doing so, you and your staff may see a better way or something that needs to be updated and keep your electronic PHI safe.
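Items 1 and 5 above (back up your ePHI, then test the plan) are easy to say and easy to skip. The script below is an added example, not PRS code and not part of the original post: it archives a data directory, writes a SHA-256 manifest of every file, restores the archive to a scratch directory and verifies each restored file against the manifest, so a backup that silently went bad is caught during the drill rather than during the disaster. All file names and sample records are constructed; in practice the archive and manifest go to the off-site location and the restore runs on the machine you would actually recover onto.

```python
"""Backup-and-restore drill for a folder of ePHI.

Added example; not PRS code. Back up a data directory to a compressed
archive, write a SHA-256 manifest of every file, restore the archive to
a scratch directory and verify each restored file against the manifest.
All paths and sample records are constructed for the drill.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    """Streamed SHA-256 so a large prescription database is not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(data_dir):
    """Relative path -> sha256 for every regular file under data_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, data_dir).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def make_backup(data_dir, archive_path):
    """Archive every file in the manifest under its relative name.
    Returns the manifest; keep it beside (not inside) the archive so a
    damaged archive cannot vouch for itself."""
    manifest = build_manifest(data_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(data_dir, rel), arcname=rel)
    return manifest


def restore(archive_path, restore_dir):
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths and ".." entries
            # that a tampered archive could use to write outside restore_dir.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # Python without the tar-filter backport
            tar.extractall(restore_dir)


def verify(manifest, restore_dir):
    """Returns (missing, corrupt); both empty means the drill passed."""
    missing, corrupt = [], []
    for rel in sorted(manifest):
        p = os.path.join(restore_dir, rel)
        if not os.path.isfile(p):
            missing.append(rel)
        elif sha256_of(p) != manifest[rel]:
            corrupt.append(rel)
    return missing, corrupt


def run_drill(corrupt=None, delete=None):
    """End-to-end drill on constructed sample data. `corrupt` / `delete`
    name a restored file to damage before verification, to prove the
    check catches silent corruption and missing files."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "pharmacy_data")
        os.makedirs(os.path.join(data, "rx"))
        with open(os.path.join(data, "rx", "2024-05.csv"), "w") as f:
            f.write("rx_id,patient_id,drug\n1001,P-42,lisinopril\n")  # constructed
        with open(os.path.join(data, "patients.csv"), "w") as f:
            f.write("patient_id,name\nP-42,J. Doe\n")  # constructed

        archive = os.path.join(tmp, "backup.tar.gz")
        manifest = make_backup(data, archive)

        restored = os.path.join(tmp, "restore")
        restore(archive, restored)
        if corrupt:
            with open(os.path.join(restored, corrupt), "ab") as f:
                f.write(b"\x00")  # one stray byte; a size-only check would miss it
        if delete:
            os.remove(os.path.join(restored, delete))
        return verify(manifest, restored)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("bit rot:", run_drill(corrupt="patients.csv"))
    print("missing file:", run_drill(delete="rx/2024-05.csv"))
```

Run it on a schedule and keep the output with your disaster recovery records; a dated, passing drill is the kind of evidence an auditor asks for when the plan says "backups are tested."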


Pharmacy News: A good Disaster Recovery Plan is essential to your pharmacy business.

Have you been keeping up with our HIPAA Readiness Series? We have been exploring why HIPAA is back in the news, what to do if you experience a HIPAA breach, and the fact that you, as a Pharmacy Owner, are responsible for your employees’ actions if they violate HIPAA. Let’s continue exploring the importance of HIPAA Readiness by using this REAL LIFE situation that happened to my company.

#4 Preparing for the Deluge: Risk Analysis / Disaster Recovery Plan

It can happen to anyone, and it happened to PRS last week! On a dark, deserted Saturday night, a major water pipe on the top floor of our 19th century building burst. Motion detectors triggered the alarm, but by the time the water flow was under control, the three occupied floors were a wet mess. Some computers survived, others were a complete loss, but our server was back in business by Tuesday afternoon.

We hadn’t expected a deluge from above, but we created our Disaster Recovery Plan / Contingency Plan years ago, and when the flood occurred it was implemented. We understood our operations and our needs based on the risk analysis we had performed. In the Risk Analysis we identified our critical systems and all of the threats and vulnerabilities that existed to our operations. This allowed us to ensure we had the proper policies, technical safeguards and an effective Disaster Recovery Plan / Contingency Plan to protect the important data stored on our computers. Performing a detailed, well-considered risk analysis is a requirement of the HIPAA Security Rule. Every covered entity is responsible for the confidentiality, integrity, and availability of the electronic protected health information (ePHI) it holds. You must identify what might endanger your ePHI, rate the likelihood and impact of each threat, put safeguards in place, and document all of it.

PRS was hit with a flood; you might be hit by computer hackers. Every situation must be considered. And because new computer products continually come on the market, new employees join your staff, new malware is invented by hackers, you need to review your risks and solutions periodically. Additionally, whenever you make a change to your pharmacy—remodeling your interior space, buying new hardware, altering your procedures or your employees’ job descriptions—think about how that might impact your risk analysis and your Disaster Recovery Plan.

It’s the law and it’s good business. A periodic review of your risk analysis is an essential insurance policy against loss, theft, or corruption of your ePHI files.


Pharmacy News: Did you know, you are responsible if an employee commits a violation of HIPAA?

Over the past few weeks, we have been exploring HIPAA, which has made its way back into the news. We have talked about how computer viruses and malware can be dangerous to PHI on your network and what to do when you think you have a breach. We are going to continue on our HIPAA Readiness journey by discussing how you, as a pharmacy owner, are responsible when your employees commit a violation of HIPAA.

#3 Respondeat superior : The Sins of the Tech Shall Be Visited Upon the Pharmacy Owner (violation of HIPAA)

What if Joe, your pharmacy tech, lets slip to his friends that “Jane Doe” was prescribed medication for a pretty embarrassing medical condition? That’s a clear violation of HIPAA, and if you hear about it, you’ll fire Joe. But what if Jane hears about it and files a lawsuit? Will she sue Joe, or will she sue you? Who has the deeper pockets?

Respondeat superior is Latin for “let the master answer.” As a legal doctrine, Respondeat superior means that the employer can be held liable for illegal actions of employees that are done within the scope of their employment. Even though you have done nothing wrong, the law holds that you, “the master,” have a measure of control over your employee and may have to answer for his wrong doing. An employer takes on a certain amount of vicarious liability for employees. You are responsible for training your employees on how to do their jobs and what not to say or do.

There are conditions that must be met before employer liability will be imposed for the wrongful conduct of an employee. To be within “the scope of employment,” conduct must (1) be of the type the employee was hired to perform; (2) take place within the time and space limits authorized by the employer; and (3) be at least partly motivated by a purpose to serve the employer. Often, these questions are decided by a jury.

All pharmacies should have policies and procedures in place that clearly spell out the responsibility of employees not to disclose confidential or private medical or treatment information. Employees should be trained on your HIPAA Policies and Procedures and should electronically acknowledge or sign a document stating that they’ve participated in your HIPAA Training. This training, along with their job description, should clearly lay out the scope of their duties and the conduct that is inappropriate or illegal. If you do all you can to document your HIPAA compliance and employee training, Joe may, indeed, take the rap alone.


Seven Necessities for Fraud, Waste, and Abuse Compliance

Every company wants to operate free from fraud, waste, and abuse (FWA). It’s good for business. So, try to think of that as the silver lining to the fact that your pharmacy is required by CMS, and many states, to have a formal fraud, waste, and abuse compliance program.

The Affordable Care Act made a compliance program mandatory, and CMS spells out the seven elements your fraud, waste, and abuse program needs:

1. Written policies, procedures, and standards of conduct
2. A designated compliance officer and compliance committee, with high level oversight
3. Effective employee training and education
4. Effective lines of communication within your company
5. Well-publicized disciplinary standards
6. An effective system for routine monitoring, auditing, and identification of compliance risks
7. Procedures for prompt response to compliance issues

CMS enforcement efforts will primarily be looking for the completion and documentation of:

1. Appropriate claims data
2. Conflict of interest attestations
3. Annual employee fraud, waste, and abuse training
4. Monthly checks of employees against the OIG List of Excluded Individuals/Entities (LEIE) and the SAM (System for Award Management) exclusion list, with documentation that each check was run and what it found.
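Item 4 is the one most often done by hand, and the one most often done badly: a single spelling of a name is typed into a web form, and a nickname, a dropped apostrophe, or a reinstated entry produces the wrong answer. The script below is an added example, not PRS or CMS code and not part of the original post. It screens a constructed staff roster against a constructed excerpt laid out like the OIG LEIE CSV download; the column names are taken from the public file and assumed to be current, and the convention that REINDATE 00000000 means "never reinstated" is likewise an assumption to verify against the current download. SAM.gov exclusions use a different column layout but the same matching logic.

```python
"""Monthly exclusion screening of a pharmacy staff roster.

Added example; not PRS or CMS code. The roster is matched against a
constructed excerpt laid out like the OIG LEIE CSV download (column
names are taken from the public file and assumed current; the LEIE
marks "not reinstated" with REINDATE 00000000, also an assumption).
SAM.gov exclusions use a different column layout but the same logic.
"""
import csv
import io
import re
import unicodedata

# Constructed LEIE-style excerpt. People, NPIs and dates are fictitious.
LEIE_SAMPLE = """\
LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,GENERAL,SPECIALTY,UPIN,NPI,DOB,ADDRESS,CITY,STATE,ZIP,EXCLTYPE,EXCLDATE,REINDATE,WAIVERDATE,WVRSTATE
DOE,JOHN,A,,IND- LIC HC SERV PRO,PHARMACY TECH,,1234567893,19800101,1 MAIN ST,ANYTOWN,PA,17000,1128b4,20230115,00000000,00000000,
SMITH,MARY,,,IND- LIC HC SERV PRO,PHARMACIST,,0000000000,19750505,2 OAK AVE,OTHERTOWN,OH,44000,1128a1,20150301,20190301,00000000,
O'BRIEN,PATRICK,,,IND- LIC HC SERV PRO,NURSE,,0000000000,19901212,3 ELM RD,SOMEWHERE,NY,10000,1128a1,20220601,00000000,00000000,
"""

# Constructed roster, as an HR system might export it.
STAFF_ROSTER = [
    {"first": "John", "last": "Doe", "dob": "1980-01-01", "npi": "1234567893"},
    {"first": "Mary", "last": "Smith", "dob": "1975-05-05", "npi": ""},
    {"first": "Pat", "last": "O'Brien", "dob": "1990-12-12", "npi": ""},
    {"first": "Alice", "last": "Nguyen", "dob": "1988-07-07", "npi": ""},
]


def norm_name(s):
    """Uppercase, strip accents, punctuation and spaces: O'Brien == OBRIEN."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Z]", "", s.upper())


def norm_dob(s):
    return re.sub(r"\D", "", s)  # 1990-12-12 and 19901212 compare equal


def load_leie(text):
    """Parse the CSV and drop entries that have since been reinstated."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["REINDATE"] in ("", "00000000")]


def screen(roster, exclusions):
    """Return one hit per (employee, exclusion) pair.

    confirmed: NPI on the roster equals a real (non-zero) NPI on the list.
    review:    last+first name match, or last name + DOB match; a human
               must verify (OIG's online SSN check) before acting.
    Last+DOB catches nicknames such as Pat vs PATRICK that a name-only
    match would miss.
    """
    hits = []
    for emp in roster:
        last, first, dob = norm_name(emp["last"]), norm_name(emp["first"]), norm_dob(emp["dob"])
        for row in exclusions:
            status = None
            if emp["npi"] and row["NPI"] not in ("", "0000000000") and emp["npi"] == row["NPI"]:
                status = "confirmed"
            elif norm_name(row["LASTNAME"]) == last and (
                norm_name(row["FIRSTNAME"]) == first or norm_dob(row["DOB"]) == dob
            ):
                status = "review"
            if status:
                hits.append({
                    "employee": f'{emp["first"]} {emp["last"]}',
                    "status": status,
                    "matched": f'{row["FIRSTNAME"]} {row["LASTNAME"]}',
                    "excltype": row["EXCLTYPE"],
                    "excldate": row["EXCLDATE"],
                })
    return hits


if __name__ == "__main__":
    for h in screen(STAFF_ROSTER, load_leie(LEIE_SAMPLE)):
        print(h)
```

On the sample data this reports John Doe as confirmed (NPI match) and Pat O'Brien for review (last name plus date of birth, because "Pat" is not "PATRICK"), and says nothing about Mary Smith because her entry was reinstated. Keep the monthly output with the date and the version of the list you screened against; the check itself is cheap, the documentation is what CMS asks to see.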

You can read more about FWA compliance program guidelines on the CMS website. This .pdf document will help you create your fraud, waste and abuse program or make sure that a program you purchase is complete.


HIPAA Cautionary Tales

Knowing what is happening in the world of HIPAA “mistakes” can be beneficial to you as a pharmacy owner.

HHS press releases tell the following stories:

Mobile devices, full of unencrypted records, are being stolen. A USB drive was taken from the car of an Alaska Department of Health and Social Services employee. Thieves took laptops from a Concentra Health Services facility in Missouri and from a QCA Health Plan employee’s car in Arkansas. “’Covered entities and business associates must understand that mobile device security is their obligation,’ said Susan McAndrew, OCR’s deputy director of health information privacy. ‘Our message…is simple: encryption is your best defense against these incidents.’” Penalties on these violations totaled $3,675,220.

Someone at Idaho State University’s Pocatello Family Medicine Clinic disabled firewall protections on its server. It was 10 months before the clinic realized that the records of 17,500 patients were unsecured. “’Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,’ said OCR Director Leon Rodriguez.” ISU agreed to pay $400,000.

This story is my favorite because it is so egregious and, unlike the other examples, low tech. It seems a physician was retiring and Parkview Health System, Inc. was thinking about purchasing a portion of her practice. Parkview took custody of medical records for 5,000 to 8,000 patients. Nine months later, Parkview employees, knowing that the doctor wasn’t home, “left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.” Parkview agreed to pay $800,000.

Moral of the stories: Everyone who touches health records must be educated on HIPAA rules and think about the effects of their actions…even the Parkview drivers.



HIPAA Compliance: You’ve Got to Be More Careful

Are you taking your pharmacy’s  HIPAA Compliance seriously?

I’m sure you’ve heard about the million-dollar settlements that Rite Aid and CVS paid for HIPAA violations. Here’s a January 2, 2013 headline you may have missed: HHS announces first HIPAA breach settlement involving less than 500 patients. The Hospice of North Idaho agreed to pay $50,000 for a breach of unsecured electronic protected health information (ePHI).
The HHS Office for Civil Rights (OCR) doesn’t just investigate the big pharmacy players; it is tasked with enforcing HIPAA for everyone whose health information a covered entity holds, including your customers. While OCR still spends most of its resources following up on complaints, last summer it began Phase 2 of its random audit program. This phase looked at a randomly selected pool of covered entities AND their business associates. Auditors found that more than 39% of the problems with Privacy Rule compliance were attributed to a lack of awareness of the requirements. Further, they found that the smallest covered entities struggled with compliance under all three HIPAA Rules: the Security Rule, the Breach Notification Rule, and the Privacy Rule.
OCR lists, in order of frequency, the five most common compliance issues it investigates:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Uses or disclosures of more than the minimum necessary protected health information; and
5. Lack of administrative safeguards of electronic protected health information.
Everyone in your pharmacy needs to know the HIPAA rules. More importantly, they need to know how to follow them. You and your employees must have solid policies and procedures and be vigilant in sticking to them. It only takes one customer, competitor, or employee to make a complaint to OCR that could get you into big financial trouble.
