Pharmacy News: HIPAA Readiness wrap-up.

So, just a few months ago, I let you all know that HIPAA was back in the news with new court rulings and enforcement activities, and that future HIPAA audits would be occurring proactively (instead of in reaction to breaches and complaints). Since then we have taken a long journey together to go over some of the items that need to be in place and happen on a daily basis, so that your pharmacy is HIPAA ready. We also looked at what you, as a pharmacy owner, need to do if certain things were to happen within your facility.

Let’s do a little review to sum things up.

1. We learned about malware and computer viruses and how they can be a way for Protected Health Information (PHI) to get deleted or even stolen. The solution: be sure to have good anti-virus/anti-malware software on the computer(s) where PHI is stored. It is also important to ensure that your firewalls, routers and wireless devices are appropriately set up to protect your infrastructure.

2. What do you do if a breach of PHI does happen at your pharmacy? Don’t panic, just DO A RISK ASSESSMENT to determine whether there is a low probability that the PHI has actually been compromised. If it is determined that a breach did occur, then you must notify each patient within 60 days of breach discovery via first class mail, email if the patient has consented to electronic notices, or telephone. If there are 10 or more patients you are not able to contact, you need to notify them publicly on your website or through the media. If the breach involved 499 or fewer individuals, then you must report it to the HHS Secretary annually, no later than 60 days after the end of the calendar year in which the breach was discovered. If the breach involved 500 or more individuals, then you must report it to the HHS Secretary within 60 days of discovery.

3. We discussed how you, as an employer, may be held responsible if your employees commit a HIPAA violation. How do you avoid this? All pharmacies should have policies and procedures in place that clearly spell out the responsibility of employees not to disclose confidential or private medical or treatment information. Employees should be trained on your HIPAA Policies and Procedures and should electronically acknowledge or sign a document stating that they have participated in your HIPAA Training. This training, along with their job description, should lay out the scope of their duties and the conduct that is inappropriate or illegal. If your Training Program, Policies and Procedures and IT Processes are clear and effective (and there are no holes), then your ultimate responsibility for any violation could be mitigated.

4. This is where it got personal for me as a business owner. We had a DISASTER here in our office: from power and IT to damage to the building, we lost a lot! But we instituted our Disaster Recovery Program within a few hours and were back up to normal business functions from our customers’ and members’ point of view. We used the same Disaster Recovery Program that thousands of you have, and our servers were up and running at normal levels within 48 hours. If we hadn’t had one in place, we could never have gotten back on our feet as quickly as we did.

So what are some of the key areas you need to consider when creating your Disaster Recovery Plan?
• Ensure you are performing Data Backups
• Anticipate your patients’ needs
• Ensure you have contact information for all of your vendors (hardware, software, drug wholesaler, etc.)
• Have an alternative communication system
• Ensure your employees know what will be needed of them
• TRAIN YOUR EMPLOYEES AND TEST THE PLAN

5. Make sure all of your Business Associate Agreements are up to date with the Omnibus HIPAA Rules released in January of 2013.

6. Make sure your Notice of Privacy Practices is compliant with the Omnibus HIPAA Rules, and that you are handing it out to all new patients and upon request, and posting it on your website if you provide health care related services online, including online refills. Your patients must sign off that they have received your Notice of Privacy Practices.

7. And last, but certainly not least: be sure your HIPAA policies and procedures are a part of your daily activities; don’t just keep them on a shelf. With all of the enforcement activities and upcoming audits, you need to make sure compliance is part of your pharmacy’s DNA. And make sure your employees are trained on your P&Ps.

I hope that you have learned why, after all these years, HIPAA is still one of the most impactful regulations to hit the pharmacy industry, and that being HIPAA Ready can save your business, whether an inspector comes to your door or (and I hope this doesn’t happen to you) a disaster happens.

Just as I was working on this post, I saw that an enforcement action was taken and a fine issued against a pharmacy for improperly disposing of PHI. At least that is where the investigation started, but the Office for Civil Rights also discovered the pharmacy did not have Policies and Procedures and did not provide and document HIPAA Training for its employees.

As always, for more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of our Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.

Pharmacy News: HIPAA Compliance Policies and Procedures

We have been talking about HIPAA Readiness for a little over a month now, and I hope that it is helping you to realize you can’t afford to ignore HIPAA Compliance or put your program on a shelf. Our final topic before we sum it all up is another HIPAA basic: policies and procedures.

Mind your Ps and Qs, or in this case, your P and Ps.

In the old days, many people had formal living rooms or parlors that were perfect showcases of fancy furniture and tchotchkes, rooms where no one was actually allowed to live. They were kept clean and pristine only for guests and maybe for the family on Christmas Day.

Some pharmacies treat their HIPAA compliance policies and procedures like the “good parlor”: they’re perfect, but they’re only pulled out for guests, who, in this case, are called auditors. Their well-worn day-to-day operations don’t follow the good intentions outlined in the pharmacy’s official P and Ps. Unfortunately, your pretty P and Ps won’t impress an auditor if they are not put into practice.

There are a number of ways a disparity between written policies and procedures and actual operations can develop. Perhaps you’ve purchased an off-the-shelf compliance package to keep up with changes made in the latest HIPAA rules; then, you put it back on a dusty shelf in your store because you were too busy to implement any necessary changes to your systems.

Too much success can lead to cutting a few corners. In the hustle and bustle of a busy pharmacy, vials brought in for refill can get tossed in the trash or recycling bin. Records could be put aside to be refiled when the rush is over, but misplaced instead. Under the stress of a long line of customers, electronic security measures may be missed, passwords may be shared (“Joe, give me your password. I need to refill this Xanax.”).

All of your employees were trained on your policies and procedures. But, just as a student may forget half the information s/he crammed for a test as soon as the test is over, your staff may forget some policies that don’t come up in everyday practice. On a happier note, your staff may have “invented a better mousetrap,” a procedure that complies with the HIPAA rules better than what is written in your P and Ps. Edit your written procedures, and all will be well.

The moral of the story: Sit on your fancy furniture, use the good china, and follow your P and Ps.

Pharmacy News: Notice of Privacy Practices

We have taken a long journey in this HIPAA Readiness series, so let’s not forget the basics:

Stop Me If You’ve Heard This One: Notice of Privacy Practices

Communication is the key to success. Or so read a poster on the wall in my high school English class. Communication is also the key to HIPAA compliance. You need to give every patient a Notice of Privacy Practices the first time you provide any health service. The Notice of Privacy Practices must be designed to inform the patient as to how their Protected Health Information may and may not be used, and provide them with information related to their individual rights.

Communication is a two-way street. Another tried and true aphorism that’s relevant to HIPAA. Your patients need to tell you that they received a Notice of Privacy Practices. Luckily, you don’t have to document that they read and understand the notice, but you do need to get them to sign an acknowledgment that you gave it to them. You probably have a checklist for serving new patients; it may even be part of your pharmacy software. Make sure that the Notice of Privacy Practices acknowledgment is on it, and that you have some method of quality control to double check that all patient files include an acknowledgment. If you find a file that is missing the acknowledgment, don’t panic, but put an alert on the patient’s account to make sure you get one on their next visit.

Here’s another old saw: Repetitio mater studiorum est, or Repetition is the mother of all learning. You’ve handed your patients a Notice of Privacy Practices which they will very likely toss, file away, or lose. It is therefore prudent for you to offer the notice in other, more lasting forms. Post a copy at the pharmacy counter. Put a Privacy Notice link on every page of your website where patients go for services like prescription renewals. Such repetition adheres to another ancient adage: CYA, or Cover your…assets.

Pharmacy News: HITECH Requirements for Business Associate Agreements

Wow! We are covering a lot of topics in this HIPAA Readiness Series! If you haven’t had a chance and want to, visit the PRS website to catch up on the topics we have gone over so far. This next topic is an important one.

Let’s Share! (Business Associate Agreements)

We’ve all been taught that sharing is good. In 21st century healthcare, sharing data is essential. But, it’s also a bit worrisome. Criminals can do a lot of harm with stolen patient health information (PHI), so the laws protecting PHI disclosed by Health Care Providers were strengthened through the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Further strengthening of all aspects of the HIPAA Rules and Regulations occurred in January of 2013 with the release of the Omnibus HIPAA Rulemaking.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.” http://www.hhs.gov/news/press/2013pres/01/20130117b.html

Covered entities and their business associates (anyone to whom they legally disclose PHI) must sign agreements obligating them to follow the HIPAA Privacy and Security Rules. You should already have these Business Associate Agreements (BAAs), but are they up to date? As of September 23, 2014, OCR is now enforcing these additional requirements:
1. Your business associates must now have a written plan that complies with the HIPAA Security Rule with the same level of specificity required of any covered entity. They must document how they will protect hard copy and/or electronic PHI.
2. BAAs must include the restrictions on use and disclosure of PHI listed in Section 164.504(e) of the HIPAA Privacy Rule.
3. Your BAA should include an acknowledgement that your business associate may be audited by OCR.
4. Your business associates are required to notify you, the covered entity, of any breach of unsecured PHI. You need to follow the notification rules even if it was your business associate that experienced the breach.

Make sure your business associates know that they are subject to civil and criminal penalties for breaching a BAA or otherwise violating HIPAA. Civil penalties range from $100 per violation to $50,000 per violation for incidents that exhibit “willful neglect.” HITECH also gives State Attorneys General the ability to enforce violations with injunctions and civil damages.
You can find additional resources about Business Associate Agreements (BAAs) on the Office for Civil Rights website at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Pharmacy News: Save your electronic PHI

The Show Must Go On!

When I started this blog series on HIPAA Readiness, I had no idea that real life was going to play such a big role in my posts! After telling you why HIPAA Readiness is such a big deal right now, how to handle possible breaches and how you as a pharmacy owner are responsible for your employees’ actions when it comes to HIPAA, a major pipe burst and “rained on our parade.” We didn’t see that coming, but we were sufficiently prepared to march on.

It’s important that your pharmacy is prepared to “march on” and to see patients through whatever happens to your facility or your community. Everything from hurricanes to snow storms to heat waves can damage your building, take out your electricity, or keep key employees from getting to work. Your disaster recovery plan should address the fallout from physical damage, loss of electronic PHI, and from the loss of key employees.

Here are a few high priority items for your plan:
1. Protect your electronic PHI. How can you access it if you can’t get into your building? Consider backing up your electronic PHI to a remote, possibly cloud-based, site. Make a plan for you or key staff members to access data remotely so they can work with patients from a safe place. This also requires you to ensure that all of your employees who remotely access your network are aware of standard security protocols for remote access.
2. Anticipate your patients’ needs. How can they get the medications they need if your facility is out of commission? You might establish a relationship with another independent pharmacy to back each other up in emergencies. Also, consider your state board requirements when utilizing a temporary site for your pharmacy.
3. Have an alternative communication system. Make sure you can get in touch with your employees. Immediately update your website with instructions on how patients can get their prescriptions filled.
4. Cross-train employees. The loss of a key employee to injury or worse cannot shut down operations. You need operational redundancy for the functions your employees perform just as much as for the functions your computers perform.
5. Train Staff and Test Plans. So, you’ve made a plan, but does it work? Get everyone on board and try it out. By doing so, you and your staff may see a better way, or something that needs to be updated, to keep your electronic PHI safe.

Pharmacy News: A good Disaster Recovery Plan is essential to your pharmacy business.

Have you been keeping up with our HIPAA Readiness Series? We have been exploring why HIPAA is back in the news, what to do if you experience a HIPAA breach, and the fact that you, as a Pharmacy Owner, are responsible for your employees’ actions if they violate HIPAA. Let’s continue exploring the importance of HIPAA Readiness by using this REAL LIFE situation that happened to my company.

#4 Preparing for the Deluge: Risk Analysis / Disaster Recovery Plan

It can happen to anyone, and it happened to PRS last week! On a dark, deserted Saturday night, a major water pipe on the top floor of our 19th century building burst. Motion detectors triggered the alarm, but by the time the water flow was under control, the three occupied floors were a wet mess. Some computers survived, others were a complete loss, but our server was back in business by Tuesday afternoon.

We hadn’t expected a deluge from above, but we created our Disaster Recovery Plan / Contingency Plan years ago, and when the flood occurred it was implemented. We understood our operations and our needs based on the risk analysis we had performed. In the Risk Analysis we were able to identify our critical systems and all of the threats and vulnerabilities that existed to our operations. This allowed us to ensure we had the proper policies, technical safeguards and an effective Disaster Recovery Plan / Contingency Plan to protect the important data stored on our computers. Performing a detailed, well-considered risk analysis is a requirement of HIPAA. Every covered entity is responsible for the confidentiality, integrity, and availability of the electronic protected health information (ePHI) it holds. You must imagine what might endanger your ePHI and put safety measures in place.

PRS was hit with a flood; you might be hit by computer hackers. Every situation must be considered. And because new computer products continually come on the market, new employees join your staff, and new malware is invented by hackers, you need to review your risks and solutions periodically. Additionally, whenever you make a change to your pharmacy—remodeling your interior space, buying new hardware, altering your procedures or your employees’ job descriptions—think about how that might impact your risk analysis and your Disaster Recovery Plan.

It’s the law and it’s good business. A periodic review of your risk analysis is an essential insurance policy against loss, theft, or corruption of your ePHI files.

Pharmacy News: Did you know, you are responsible if an employee commits a violation of HIPAA?

Over the past few weeks, we have been exploring HIPAA, which has made its way back into the news. We have talked about how computer viruses and malware can be dangerous to PHI on your network and what to do when you think you have a breach. We are going to continue on our HIPAA Readiness journey by discussing how you, as a pharmacy owner, are responsible when your employees commit a violation of HIPAA.

#3 Respondeat superior: The Sins of the Tech Shall Be Visited Upon the Pharmacy Owner (violation of HIPAA)

What if Joe, your pharmacy tech, lets slip to his friends that “Jane Doe” was prescribed medication for a pretty embarrassing medical condition? That’s a clear violation of HIPAA, and if you hear about it, you’ll fire Joe. But, what if Jane hears about it and files a lawsuit? Will she sue Joe, or will she sue you? Who has the deeper pockets?

Respondeat superior is Latin for “let the master answer.” As a legal doctrine, Respondeat superior means that the employer can be held liable for illegal actions of employees that are done within the scope of their employment. Even though you have done nothing wrong, the law holds that you, “the master,” have a measure of control over your employee and may have to answer for his wrongdoing. An employer takes on a certain amount of vicarious liability for employees. You are responsible for training your employees on how to do their jobs and what not to say or do.

There are conditions that must be met before employer liability will be imposed for the wrongful conduct of an employee. To be within “the scope of employment,” conduct must (1) be of the type the employee was hired to perform; (2) take place within the time and space limits authorized by the employer; and (3) be at least partly motivated by a purpose to serve the employer. Often, these questions are decided by a jury.

All pharmacies should have policies and procedures in place that clearly spell out the responsibility of employees not to disclose confidential or private medical or treatment information. Employees should be trained on your HIPAA Policies and Procedures and should electronically acknowledge or sign a document stating that they have participated in your HIPAA Training. This training, along with their job description, should clearly lay out the scope of their duties and the conduct that is inappropriate or illegal. If you do all you can to document your HIPAA compliance and employee training, Joe may, indeed, take the rap alone.

Pharmacy News: Reporting Breaches, Notifying Patients & Risk Assessment

Last week, I told you that HIPAA is back in the news. Didn’t get a chance to read why? Take a minute to read Part 1 of the HIPAA Readiness series — HIPAA Has Returned. So now that you know why HIPAA is such a hot topic, let’s continue on our HIPAA Readiness journey…

#2 What to do when you have a HIPAA breach.

Uh-oh! You believe there’s been a breach in your HIPAA security. Keep Calm & Do a Risk Assessment. The federal government requires different actions depending on the nature of the information compromised and the number of people affected. So, first, find out how bad the situation is.

You need to document your risk assessment and keep it on file for at least six years. In the best case scenario, you may find that the disclosure of patient health information (PHI) has been limited to acceptable uses or can be recovered. If there is a low probability that the PHI was compromised, you do not need to report a breach.

But, if a breach actually did occur, you need to notify each patient via first class mail, email if the patient has consented to electronic notices, or telephone—and as soon as possible—if there is any danger that the PHI can be used in a malicious way. If there are 10 or more patients you are not able to contact, you need to notify them publicly on your website or through the media.

In cases involving fewer than 500 individuals, the HITECH Breach Notification regulations require you to notify those patients within 60 days of discovering the breach. You must keep a log of such incidents and report them to the HHS Secretary annually, no later than 60 days after the end of the calendar year. Alternatively, you can report them as they happen at the new OCR Breach Portal. This online reporting process allows you to enter any information you have and add details as they become available. In cases involving 500 or more individuals, you must promptly (within 60 days of discovery) notify each patient, the HHS Secretary, and the media.
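As an added example, not part of the original post or of any PRS product, the thresholds above can be turned into a small helper that works out the concrete deadlines for a given breach. The function and class names, the ISO-date wrapper and the sample scenario are my own; the 60-day window, the 500-individual and 10-unreachable thresholds and the six-year retention of the risk assessment are the figures stated in this post.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Figures as stated in the post (HITECH Breach Notification rules).
NOTICE_WINDOW = timedelta(days=60)        # outer limit; the post says notify as soon as possible
LARGE_BREACH = 500                        # 500+ individuals: HHS and media within 60 days
SUBSTITUTE_NOTICE_MIN_UNREACHABLE = 10    # 10+ unreachable: website or media notice
RISK_ASSESSMENT_RETENTION_YEARS = 6       # keep the documented assessment on file


@dataclass
class BreachFacts:
    discovered: date
    affected: int                  # individuals whose PHI was involved
    unreachable: int = 0           # individuals with no usable contact details
    low_probability: bool = False  # conclusion of the documented risk assessment


@dataclass
class Obligations:
    notify_individuals_by: Optional[date]
    substitute_notice_required: bool
    report_to_hhs_by: Optional[date]
    hhs_report_is_annual: bool
    notify_media_by: Optional[date]
    retain_risk_assessment_until: date
    notes: List[str] = field(default_factory=list)


def _add_years(d: date, years: int) -> date:
    """Add calendar years, folding Feb 29 back to Feb 28 when the target year has none."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def notification_obligations(facts: BreachFacts) -> Obligations:
    """Map the facts of a breach to the notification deadlines the post describes."""
    if facts.affected < 0 or not 0 <= facts.unreachable <= facts.affected:
        raise ValueError("unreachable must be between 0 and affected")

    retain_until = _add_years(facts.discovered, RISK_ASSESSMENT_RETENTION_YEARS)

    # Low probability that the PHI was compromised: no breach to report, assessment still kept.
    if facts.low_probability:
        return Obligations(None, False, None, False, None, retain_until,
                           ["Risk assessment found a low probability of compromise; file it."])

    individuals_by = facts.discovered + NOTICE_WINDOW
    substitute = facts.unreachable >= SUBSTITUTE_NOTICE_MIN_UNREACHABLE
    notes = ["Notify each patient by first class mail, consented email, or telephone."]
    if substitute:
        notes.append("Substitute notice required: post on your website or go through the media.")

    if facts.affected >= LARGE_BREACH:
        # 500 or more: patients, the HHS Secretary and the media all within 60 days of discovery.
        return Obligations(individuals_by, substitute, individuals_by, False,
                           individuals_by, retain_until, notes)

    # Fewer than 500: log it; report to HHS no later than 60 days after the calendar year ends
    # (the OCR Breach Portal also accepts it as soon as it happens).
    year_end = date(facts.discovered.year, 12, 31)
    notes.append("Log the incident; it may also be entered on the OCR Breach Portal right away.")
    return Obligations(individuals_by, substitute, year_end + NOTICE_WINDOW, True,
                       None, retain_until, notes)


def obligations_for(discovered_iso: str, affected: int, unreachable: int = 0,
                    low_probability: bool = False) -> Obligations:
    """Convenience wrapper taking an ISO date string such as '2014-03-10'."""
    return notification_obligations(
        BreachFacts(date.fromisoformat(discovered_iso), affected, unreachable, low_probability))


if __name__ == "__main__":
    # Constructed scenario: 120 patients affected, 3 unreachable, discovered 10 March 2014.
    result = obligations_for("2014-03-10", 120, 3)
    for name in ("notify_individuals_by", "report_to_hhs_by", "notify_media_by",
                 "substitute_notice_required", "retain_risk_assessment_until"):
        print(name, getattr(result, name))
    for note in result.notes:
        print("-", note)
```

The helper only encodes the federal figures quoted in this post; the state laws mentioned below may impose shorter windows, so treat its output as the latest acceptable date, not the target.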

In addition to federal requirements, most states have their own laws regarding breach notification. The National Conference of State Legislatures has collected the state laws together here.

Want to test your HIPAA knowledge? Take the HIPAA Readiness Quiz.

You can read more details about how to deal with a security breach on the HHS.gov site. Better yet, you can get everything you need for a strong HIPAA Compliance Program and Risk Assessment from PRS. Click here to learn about all of our COMPLIANCETrack programs.

Pharmacy News: HIPAA has returned

Are you sure your pharmacy is HIPAA Compliant?

Recently, HIPAA has made its way back into the news with new court rulings on regulations and enforcement. I was asked to write an article for the February issue of NCPA’s America’s Pharmacist explaining the impact of the rulings on the pharmacy industry. If you are an NCPA member, be sure to read Thin Ice Ahead: Four Rulings That Increase Your HIPAA Liability. If you aren’t a member, write to us at prsinfo@prsrx.com to request a .pdf copy.

As a sidebar to the article, I wrote a HIPAA Readiness Survey, asking nine questions about your understanding of HIPAA and the strength of your HIPAA compliance program. In this HIPAA Readiness blog series I elaborate on one question a week to discuss how each impacts your pharmacy.

So, let’s get started.

#1—Computer Viruses and Malware

Has a computer virus or malware program ever appeared on any computer that houses or has access to protected health information (PHI) entrusted to your pharmacy? That could be very, very bad. Hackers can slip spyware programs onto your computer and steal or destroy patient information. You must do all you can to keep that from happening. HIPAA requires that you put in place practices, policies and procedures, and security measures to ensure the confidentiality, integrity and availability of electronic PHI.

The best solution would be to keep PHI only on computers or devices that are not connected to the internet, but that is impossible in today’s environment. At a minimum, use the very best antivirus and antimalware software available. Malicious software, or malware, can slow down your computer or network access, damage your hardware, deliver viruses, and steal information. It can be spread by opening e-mail attachments, visiting unreliable websites, using infected USB flash drives, CDs, or DVDs, playing infected media files, or even by using programs from unscrupulous sources that claim to provide protection from malware while actually infecting or spying on your computer. Antimalware is not meant to be a replacement for antivirus software; it is essential to have both.

Choose a well-reviewed antivirus/antimalware solution that prevents all types of malware infections, automatically scans any downloads and automatically delivers updates for its antivirus database at least once a day (preferably every few hours), and includes good malware removal capabilities. Since few pharmacies have an IT department, make sure the product you choose has stellar customer service.

A good program, when configured properly, has the ability to send an alert if an attempt was made to infect your computer. It will tell you what action it took to prevent the download or to remove or quarantine the file. Pharmacy employees should report any alerts to your designated Security Officer who can then make sure that no breach took place.

Remember, you’re not paranoid if they really are out to get you—and they are.

Seven Necessities for Fraud, Waste, and Abuse Compliance

Every company wants to operate free from fraud, waste, and abuse (FWA). It’s good for business. So, try to think of that as the silver lining to the fact that your pharmacy is required by CMS, and many states, to have a formal fraud, waste, and abuse compliance program.

The Affordable Care Act spelled out seven elements you need in your fraud, waste, and abuse program:

1. Written policies, procedures, and standards of conduct
2. A designated compliance officer and compliance committee, with high level oversight
3. Effective employee training and education
4. Effective lines of communication within your company
5. Well-publicized disciplinary standards
6. An effective system for routine monitoring, auditing, and identification of compliance risks
7. Procedures for prompt response to compliance issues

CMS enforcement efforts will primarily be looking for the completion and documentation of:

1. Appropriate claims data
2. Conflict of interest attestations
3. Annual employee fraud, waste, and abuse training
4. Monthly checks for employees on the OIG (Office of Inspector General) and SAM (System for Award Management) exclusion lists

You can read more about FWA compliance program guidelines on the CMS website. This .pdf document will help you create your fraud, waste and abuse program or make sure that a program you purchase is complete.
