
Pharmacy News: HIPAA Compliance Policies and Procedures


We have been talking HIPAA Readiness for a little over a month now and I hope that it is helping you to realize you can’t afford to ignore HIPAA Compliance, or put your program on a shelf.  Our final topic before we sum it all up is another HIPAA basic: policies and procedures.

Mind your Ps and Qs, or in this case, your P and Ps.

In the old days, many people had formal living rooms or parlors that were perfect showcases of fancy furniture and tchotchkes, rooms where no one was actually allowed to live. They were kept clean and pristine only for guests and maybe for the family on Christmas Day.

Some pharmacies treat their HIPAA compliance policies and procedures like the “good parlor”—they’re perfect, but they’re only pulled out for guests, who, in this case, are called auditors. Their well-worn day-to-day operations don’t follow the good intentions outlined in the pharmacy’s official P and Ps. Unfortunately, your pretty P and P’s won’t impress an auditor if they are not put into practice.

There are a number of ways a disparity between written policies and procedures and actual operations can develop. Perhaps you’ve purchased an off-the-shelf compliance package to keep up with changes made in the latest HIPAA rules; then, you put it back on a dusty shelf in your store because you were too busy to implement any necessary changes to your systems.

Too much success can lead to cutting a few corners. In the hustle and bustle of a busy pharmacy, vials brought in for refill can get tossed in the trash or recycling bin. Records could be put aside to be refiled when the rush is over, but misplaced instead. Under the stress of a long line of customers, electronic security measures may be missed, passwords may be shared (“Joe, give me your password. I need to refill this Xanax.”).

All of your employees were trained on your policies and procedures. But, just as a student may forget half the information s/he crammed for a test as soon as the test is over, your staff may forget some policies that don’t come up in everyday practice. On a happier note, your staff may have “invented a better mousetrap,” a better procedure that complies with the HIPAA rules than what is written in your P and P’s. Edit your written procedures, and all will be well.

The moral of the story: Sit on your fancy furniture, use the good china, and follow your P and P’s.

For more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of our Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.

Pharmacy News: Notice of Privacy Practices

We have taken a long journey in this HIPAA Readiness series, so let’s not forget the basics —

Stop Me If You’ve Heard This One: Notice of Privacy Practices

Communication is the key to success. Or so read a poster on the wall in my high school English class. Communication is also the key to HIPAA compliance. You need to give every patient a Notice of Privacy the first time you provide any health service. The Notice of Privacy Practices must be designed to inform the patient as to how their Protected Health Information may and may not be used, and provide them with information related to their individual rights.

Communication is a two-way street. Another tried and true aphorism that’s relevant to HIPAA. Your patients need to tell you that they received a Notice of Privacy Practices. Luckily, you don’t have to document that they read and understand the notice, but you do need to get them to sign an acknowledgement that you gave it to them. You probably have a checklist for serving new patients; it may even be part of your pharmacy software. Make sure that the Notice of Privacy Practices acknowledgment is on it, and that you have some method of quality control to double check that all patient files include an acknowledgment. If you find a file that is missing the acknowledgment, don’t panic, but put an alert on their account to make sure you get one on the patient’s next visit.

Here’s another old saw: Repetitio mater studiorum est, or Repetition is the mother of all learning. You’ve handed your patients a Notice of Privacy Practices which they will very likely toss, file away, or lose. It is therefore prudent for you to offer the notice in other, more lasting forms. Post a copy at the pharmacy counter. Put a Privacy Notice link on every page of your website where patients go for services like prescription renewals. Such repetition adheres to another ancient adage: CYA, or Cover your…assets.


Pharmacy News: Save your electronic PHI

The Show Must Go On!

When I started this blog series on HIPAA Readiness, I had no idea that real life was going to play such a big role in my posts! After telling you why HIPAA Readiness is such a big deal right now, how to handle possible breaches and how you as a pharmacy owner are responsible for your employees’ actions when it comes to HIPAA, a major pipe burst and “rained on our parade.” We didn’t see that coming, but we were sufficiently prepared to march on.

It’s important that your pharmacy is prepared to “march on” and to see patients through whatever happens to your facility or your community. Everything from hurricanes to snow storms to heat waves can damage your building, take out your electricity, or keep key employees from getting to work. Your disaster recovery plan should address the fallout from physical damage, loss of electronic PHI, and from the loss of key employees.

Here are a few high priority items for your plan:
1. Protect your electronic PHI. How can you access it if you can’t get into your building? Consider backing up your electronic PHI to a remote, possibly cloud-based, site. Make a plan for you or key staff members to access data remotely so they can work with patients from a safe place. This will also require you to ensure all of your employees who remotely access your network are aware of standard security protocols for remote access.
2. Anticipate your patients’ needs. How can they get the medications they need if your facility is out of commission? You might establish a relationship with another independent pharmacy to back each other up in emergencies. Also, consider your state board requirements when utilizing a temporary site for your pharmacy.
3. Have an alternative communication system. Make sure you can get in touch with your employees. Immediately update your website with instructions on how patients can get their prescriptions filled.
4. Cross-train employees. The loss of a key employee to injury or worse cannot shut down operations. You need operational redundancy for the functions your employees perform just as much as for the functions your computers perform.
5. Train Staff and Test Plans. So, you’ve made a plan, but does it work? Get everyone on board and try it out. By doing so, you and your staff may see a better way or something that needs to be updated and keep your electronic PHI safe.


Pharmacy News: Did you know, you are responsible if an employee commits a violation of HIPAA?

Over the past few weeks, we have been exploring HIPAA, which has made its way back into the news. We have talked about how computer viruses and malware can be dangerous to PHI on your network and what to do when you think you have a breach. We are going to continue on our HIPAA Readiness journey by discussing how you as a pharmacy owner are responsible when your employees commit a violation of HIPAA.

#3 Respondeat superior: The Sins of the Tech Shall Be Visited Upon the Pharmacy Owner (violation of HIPAA)

What if Joe, your pharmacy tech, lets slip to his friends that “Jane Doe” was prescribed medication for a pretty embarrassing medical condition? That’s a clear violation of HIPAA, and if you hear about it, you’ll fire Joe. But, what if Jane hears about it and files a lawsuit? Will she sue Joe, or will she sue you? Who has the deeper pockets?

Respondeat superior is Latin for “let the master answer.” As a legal doctrine, Respondeat superior means that the employer can be held liable for illegal actions of employees that are done within the scope of their employment. Even though you have done nothing wrong, the law holds that you, “the master,” have a measure of control over your employee and may have to answer for his wrongdoing. An employer takes on a certain amount of vicarious liability for employees. You are responsible for training your employees on how to do their jobs and what not to say or do.

There are conditions that must be met before employer liability will be imposed for the wrongful conduct of an employee. To be within “the scope of employment,” conduct must (1) be of the type the employee was hired to perform; (2) take place within the time and space limits authorized by the employer; and (3) be at least partly motivated by a purpose to serve the employer. Often, these questions are decided by a jury.

All pharmacies should have policies and procedures in place that clearly spell out the responsibility of employees not to disclose confidential or private medical or treatment information. Employees should be trained on your HIPAA Policies and Procedures and should electronically acknowledge or sign a document stating that they’ve participated in your HIPAA Training. This training, along with their job description, should clearly lay out the scope of their duties and conduct that is inappropriate or illegal. If you do all you can to document your HIPAA compliance and employee training, Joe may, indeed, take the rap alone.


Pharmacy News: Reporting Breaches, Notifying Patients & Risk Assessment

Last week, I told you that HIPAA is back in the news. Didn’t get a chance to read why? Take a minute to read Part 1 of the HIPAA Readiness series — HIPAA Has Returned. So now that you know why HIPAA is such a hot topic, let’s continue on our HIPAA Readiness journey…

#2 What to do when you have a HIPAA breach.

Uh-oh! You believe there’s been a breach in your HIPAA security. Keep Calm & Do a Risk Assessment. The federal government requires different actions depending on the nature of the information compromised and the number of people affected. So, first, find out how bad the situation is.

You need to document your risk assessment and keep it on file for at least six years. In the best case scenario, you may find that the disclosure of patient health information (PHI) has been limited to acceptable uses or can be recovered. If there is a low probability that the PHI was compromised, you do not need to report a breach.

But, if a breach actually did occur, you need to notify each patient via first class mail, email if the patient has consented to electronic notices, or telephone—and as soon as possible—if there is any danger that the PHI can be used in a malicious way. If there are 10 or more patients you are not able to contact, you need to notify them publicly on your website or through the media.

In cases involving fewer than 500 individuals, the HITECH Breach Notification regulations require you to notify those patients within 60 days of discovering the breach. You must keep a log of such incidents and report them to the HHS Secretary annually, no later than 60 days after the end of the calendar year. Alternatively, you can report them as they happen at the new OCR Breach Portal. This online reporting process allows you to enter any information you have and add details as they become available. In cases involving 500 or more individuals, you must promptly (within 60 days of discovery) notify each patient, the HHS Secretary, and the media.

In addition to federal requirements, most states have their own laws regarding breach notification. The National Conference of State Legislatures has collected the state laws together here.

Want to test your HIPAA knowledge? Take the HIPAA Readiness Quiz.

You can read more details about how to deal with a security breach on the site. Better yet, you can get everything you need for a strong HIPAA Compliance Program and Risk Assessment from PRS. Click here to learn about all of our COMPLIANCETrack programs.

Pharmacy Compliance shouldn't be a nightmare

Pharmacy Compliance regulations are all around us. And, just when you’re sure you’ve addressed every requirement and best practice suggestion in your pharmacy operations, some government entity or state pharmacy board changes the rules a little bit.


It can be overwhelming, but my Director of Compliance and I wrote an article for the October 2014 America’s Pharmacist that summarizes the latest changes and the most important issues with pharmacy compliance. NCPA members can click here to read “Compliance: It Doesn’t Have to Be a Nightmare.” These are the topics they highlighted:

HIPAA: “What will HIPAA auditors be looking for in your pharmacy?”

FRAUD, WASTE AND ABUSE: “It is important to understand what the Medicare Part C and D plans will be looking for, in addition to appropriate claims data.”

MEDICARE PARTS C & D STAR RATING: Because Medicare is rating the quality and performance of prescription drug plans, those plans are “evaluating individual pharmacies in their networks based on the…criteria that Medicare uses.”

HAZARD COMMUNICATION STANDARD (OSHA): “Basically, employees have the right to know and understand the hazardous chemicals that are maintained and/or used in a workplace.”

MEDICARE PART B and RELATED AUDITS: “A common misunderstanding among pharmacy owners is that, if they filed and received an exemption from the DMEPOS accreditation…requirement, they are also exempt from the Medicare Part B compliance requirements. Not true.”

COMBAT METHAMPHETAMINE ACT OF 2005: “This regulation…outlines the requirement to track the sale of pseudoephedrine and related chemicals…”

QUALITY ASSURANCE (QA) or CONTINUOUS QUALITY IMPROVEMENT (CQI) PROGRAMS: “As QA program requirements will vary from state to state, you must assure your meets the requirements of all your payers, the federal government, and the state.”

Stay tuned! In future blogs, I will be breaking down and giving more detail on each of the topics above.

For more information about the specific changes and pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of the Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.


Compliance and Your Pharmacy

It’s not news that compliance issues are among the biggest worries a pharmacy owner faces today.

With the scheduling of more and more government auditing, it is even more important to be organized and compliant with Fraud, Waste and Abuse, HIPAA, Quality Assurance, and Pseudoephedrine regulations. You must document your monthly check of the exclusion lists and keep all of your licenses and certifications up-to-date. With these audits come steep fines if the pharmacy is found to be out of compliance.

Since June 1, 2013, the Health and Human Services Office of Civil Rights (HHS OCR) has levied fines totaling more than ten million dollars. Many recent articles about HIPAA audits warn that this past year was just the tip of the iceberg and that next year will bring even more substantial penalties and fines. For more information about what the HHS OCR has to say about their future enforcement of HIPAA and the penalties they’ll impose, click here.

I have said it time and again in this blog and at my speaking engagements, YOU, as a pharmacy owner, cannot afford to ignore or put the minimum amount of work into making your pharmacy compliant. The audits are happening and the fines and penalties are considerable.

How do you get and stay compliant, you ask?

Here are four tips that can help you get started.

1. Appoint a staff member that you trust to be your Compliance Officer.
2. Research available software and tools that can assist you in becoming compliant.
3. STAY ON TOP OF IT. There are often updates and changes to the regulations. If you don’t pay attention, you can fall out of compliance.
4. Be sure that your employees are trained on all of the pharmacy’s procedures and that their training is documented.

This seems like a lot of work, doesn’t it? Unfortunately, it can be if you let it. Lucky for you, there are consultants out there that can help. While they won’t do ALL of the work for you, they can DEFINITELY make the work easier.

PRS Pharmacy Services offers COMPLIANCETrack, a new program that puts ALL of the compliance policies and procedures you need at your fingertips. No more going from program to program to keep your compliance up to date. View a short video on this new and innovative program to see how it can make compliance easier and less worrisome so you can spend time where it matters—on your valuable patients.


Pharmacy News: Poison Prevention Week


What are you doing at your pharmacy to bring awareness to your customers and community?

Since Poison Prevention is such a major concern to your customers, especially those with small children, it makes sense to celebrate National Poison Prevention Week. During this promotion, you can educate your customers about preventing poison incidents while making your pharmacy more visible within your community.

Here are a few tips to get you started.

1. Have Patient Handouts available on Poison Awareness. Your State Association may have free flyers and handouts available on their website or links to where you can download them.

2. Put up an Easel with “(Pharmacist’s Name) Health Tips”. Change it a few times during the week. You can find tips at the American Association of Poison Prevention Website.

3. Visit local elementary schools to speak about Medication Safety to the children. There are existing programs like Katy’s Kids that can help you prepare.

4. Have Mr. Yuk stickers available, along with an instruction sheet on the proper way to utilize them. You can get Mr. Yuk information, here.

Remember, by providing the community with this vitally important information about Poison Prevention, your pharmacy can position itself as a community leader and resource for not only this, but other health related topics as well, bringing more customers to your pharmacy.

Want to learn more about how PRS can assist your pharmacy? Visit us at , or call one of our Specialists at 1-800-338-3688.


Pharmacy News: HIPAA Training for employees


If you have been following along with my latest blog posts, you saw that when the OCR performed their Pilot Program for HIPAA audits, one of the areas where providers tend to be the most non-compliant is in the area of employee training.

You may be thinking, well that’s easy; I will just have my employees go on-line and complete a training course. Unfortunately, although your employees may learn something, purchasing a “canned” HIPAA training program will not make you compliant with the HIPAA rules for training.

Why, you ask?

When it comes to HIPAA training for employees, the training MUST be based on YOUR policies and procedures and according to their job functions.

The Regulation States:

164.530 (b) (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

So we see, the HIPAA training must be conducted and documented:

    • Based on your Policies and Procedures and that workforce member’s job function
    • By the compliance date
    • Within a reasonable period of time for new workforce members
    • Within a reasonable period of time if material changes are made to your HIPAA Compliance Program

HIPAA Training for employees is simple if you use these simple rules.

Some HIPAA Programs, like PRS’s HIPAATrack, come with complete employee training, so that you are assured your employees have the appropriate training to comply with the HIPAA Rules.


Pharmacy News: Omnibus HIPAA and How it Impacts You — Part 3


We have discussed the facts about the changes to the HIPAA laws and tackled some of the specific changes and issues that you, as pharmacy owners, need to review within your current HIPAA Compliance Program. But, you may be still asking yourself, “In all the years I’ve been in business, no one has ever come to review my HIPAA policies or look at my Disaster Recovery Plan, so why should I worry about the Omnibus HIPAA Final Rule?”


Here’s why.

In the past, HHS sent auditors in response to complaints and/or breaches; now, you may be audited without cause. Congress has allocated money for the HHS Office of Civil Rights (OCR) to conduct audits, and any fines that result will go to fund more audits. The potential fines, civil and criminal, have increased to a maximum of $1.5 million for each type of violation and up to 10 years of imprisonment.

Between 2011 and 2012, the OCR conducted a Pilot Audit Program to gauge if covered entities truly are HIPAA compliant. The OCR hasn’t released the results of the pilot audits, but they have stated that only two of the 61 healthcare providers audited were fully compliant. From bits of information the OCR has released, it seems providers tend to be non-compliant in the following areas:

1) Disaster Recovery Plan

2) Risk Analysis

3) Minimum necessary rules

4) Notice of Privacy

5) Policies and procedures manual

6) Adequate employee training on the pharmacy’s HIPAA policies and procedures.

The HIPAA Audit Program began around October 1, 2013, so don’t put your HIPAA updates on the back burner. There are programs out there that can make this easy for you. HIPAATrack, presented by NCPA, powered by PRS, is the quickest, most cost effective way to be compliant with the HIPAA Omnibus Final Rule.

So, don’t panic, but don’t be complacent, either. Get your HIPAA house in order; then relax.