HIPAA Cautionary Tales

Knowing what is happening in the world of HIPAA “mistakes” can be beneficial to you as a pharmacy owner.

HHS press releases tell the following stories:

Mobile devices, full of unencrypted records, are being stolen. A USB drive was taken from the car of an Alaska Department of Health and Social Services employee. Thieves took a laptop from a Concentra Health Services facility in Missouri and from a QCA Health Plan employee’s car in Arkansas. “’Covered entities and business associates must understand that mobile device security is their obligation,’ said Susan McAndrew, OCR’s deputy director of health information privacy. ‘Our message…is simple: encryption is your best defense against these incidents.’” Penalties on these violations totaled $3,675,220.

Someone at Idaho State University’s Pocatello Family Medicine Clinic disabled firewall protections on its server. It was 10 months before the clinic realized that the records of 17,500 patients were unsecured. “’Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,’ said OCR Director Leon Rodriguez.” ISU agreed to pay $400,000.

This story is my favorite because it is so egregious and, unlike the other examples, low tech. It seems a physician was retiring and Parkview Health System, Inc. was thinking about purchasing a portion of her practice. Parkview took custody of medical records for 5,000 to 8,000 patients. Nine months later, Parkview employees, knowing that the doctor wasn’t home, “left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.” Parkview agreed to pay $800,000.

Moral of the stories: Everyone who touches health records must be educated on HIPAA rules and think about the effects of their actions…even the Parkview drivers.

For more information about  HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of the Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.


HIPAA Compliance: You’ve Got to Be More Careful

Are you taking your pharmacy’s  HIPAA Compliance seriously?

I’m sure you’ve heard about the million-dollar settlements that Rite Aid and CVS paid for HIPAA violations. Here’s a January 2, 2013 headline you may have missed: HHS announces first HIPAA breach settlement involving less than 500 patients. The Hospice of North Idaho agreed to pay $50,000 for a breach of unsecured electronic protected health information (ePHI).
The HHS Office for Civil Rights (OCR) doesn’t just investigate the big pharmacy players; it is tasked with enforcing HIPAA for every US citizen, including your customers. While OCR still spends most of its resources following up on complaints, last summer it began Phase 2 of its random audit program. This phase looked at a randomly selected pool of covered entities AND their business associates. Auditors found that more than 39% of the problems with Privacy Standards compliance were attributed to a lack of awareness of the requirements. Further, they found that the smallest covered entities struggled with compliance under all three of the HIPAA Standards: Security Rule, Breach Notification Rule, and Privacy Rule.
OCR lists, in order of frequency, the five most common compliance issues it investigates:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Uses or disclosures of more than the minimum necessary protected health information; and
5. Lack of administrative safeguards of electronic protected health information.
Everyone in your pharmacy needs to know the HIPAA rules. More importantly, they need to know how to follow them. You and your employees must have solid policies and procedures and be vigilant in sticking to them. It only takes one customer, competitor, or employee to make a complaint to OCR that could get you into big financial trouble.

Pharmacy Compliance shouldn't be a nightmare

Pharmacy Compliance regulations are all around us. And, just when you’re sure you’ve addressed every requirement and best practice suggestion in your pharmacy operations, some government entity or state pharmacy board changes the rules a little bit.

It can be overwhelming, but my Director of Compliance and I wrote an article for the October 2014 America’s Pharmacist that summarizes the latest changes and the most important issues with pharmacy compliance. NCPA members can click here to read “Compliance: It Doesn’t Have to Be a Nightmare.” These are the topics we highlighted:

HIPAA: “What will HIPAA auditors be looking for in your pharmacy?”

FRAUD, WASTE AND ABUSE: “It is important to understand what the Medicare Part C and D plans will be looking for, in addition to appropriate claims data.”

MEDICARE PARTS C & D STAR RATING: Because Medicare is rating the quality and performance of prescription drug plans, those plans are “evaluating individual pharmacies in their networks based on the…criteria that Medicare uses.”

HAZARD COMMUNICATION STANDARD (OSHA): “Basically, employees have the right to know and understand the hazardous chemicals that are maintained and/or used in a workplace.”

MEDICARE PART B and RELATED AUDITS: “A common misunderstanding among pharmacy owners is that, if they filed and received an exemption from the DMEPOS accreditation…requirement, they are also exempt from the Medicare Part B compliance requirements. Not true.”

COMBAT METHAMPHETAMINE ACT OF 2005: “This regulation…outlines the requirement to track the sale of pseudoephedrine and related chemicals…”

QUALITY ASSURANCE (QA) or CONTINUOUS QUALITY IMPROVEMENT (CQI) PROGRAMS: “As QA program requirements will vary from state to state, you must assure yours meets the requirements of all your payers, the federal government, and the state.”

Stay tuned! In future blogs, I will be breaking down and giving more detail on each of the topics above.

Pharmacy News: HIPAA Training for employees

If you have been following along with my latest blog posts, you saw that when the OCR performed their Pilot Program for HIPAA audits, one of the areas where providers tended to be most non-compliant was employee training.

You may be thinking, “Well, that’s easy; I will just have my employees go online and complete a training course.” Unfortunately, although your employees may learn something, purchasing a “canned” HIPAA training program will not make you compliant with the HIPAA rules for training.

Why, you ask?

When it comes to HIPAA training for employees, the training MUST be based on YOUR policies and procedures and according to their job functions.

The Regulation States:

164.530 (b) (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

So we see, the HIPAA training must be conducted and documented:

    • Based on your Policies and Procedures and each workforce member’s job function
    • By the compliance date
    • Within a reasonable period of time for new workforce members
    • Within a reasonable period of time if material changes are made to your HIPAA Compliance Program

HIPAA training for employees is simple if you follow these rules.

Some HIPAA programs, like PRS’s HIPAATrack, come with complete employee training, so that you are assured your employees have the appropriate training to comply with the HIPAA Rules.

Pharmacy News: Omnibus HIPAA and How it Impacts You — Part 3

We have discussed the facts about the changes to the HIPAA laws and tackled some of the specific changes and issues that you, as pharmacy owners, need to review within your current HIPAA Compliance Program. But you may still be asking yourself, “In all the years I’ve been in business, no one has ever come to review my HIPAA policies or look at my Disaster Recovery Plan, so why should I worry about the Omnibus HIPAA Final Rule?”


Here’s why.

In the past, HHS sent auditors in response to complaints and/or breaches; now, you may be audited without cause. Congress has allocated money for the HHS Office for Civil Rights (OCR) to conduct audits, and any fines that result will go to fund more audits. The potential fines, civil and criminal, have increased to a maximum of $1.5 million for each type of violation and up to 10 years of imprisonment.

Between 2011 and 2012, the OCR conducted a Pilot Audit Program to gauge if covered entities truly are HIPAA compliant. The OCR hasn’t released the results of the pilot audits, but they have stated that only two of the 61 healthcare providers audited were fully compliant. From bits of information the OCR has released, it seems providers tend to be non-compliant in the following areas:

1) Disaster Recovery Plan

2) Risk Analysis

3) Minimum necessary rules

4) Notice of Privacy

5) Policies and procedures manual

6) Adequate employee training on the pharmacy’s HIPAA policies and procedures.

The HIPAA Audit Program began around October 1, 2013, so don’t put your HIPAA updates on the back burner. There are programs out there that can make this easy for you. HIPAATrack, presented by NCPA, powered by PRS, is the quickest, most cost-effective way to be compliant with the HIPAA Omnibus Final Rule.

So, don’t panic, but don’t be complacent, either. Get your HIPAA house in order; then relax.


Pharmacy News: Omnibus HIPAA and How it Impacts you — Part II

In my last blog post, I informed you of changes to HIPAA and how it will be enforced.

Here are some of the specific changes in the Omnibus HIPAA Final Rule that impact you as a pharmacy owner:

  1. Security Rule—You must now make sure your business associates, anyone with whom you legally share individually identifiable PHI, are compliant with the Security Rule and have policies and procedures in place to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (PHI). While you’re at it, conduct an evaluation of your own Security Compliance Program, paying close attention to your Risk Analysis, Risk Management, Disaster Recovery, and Contingency Plans. A pilot audit program found that pharmacies were often deficient in these areas.
  2. Breach Notification—The standard for deciding whether one must issue a Breach Notification was changed from risk of harm to the patient to risk that the PHI was compromised. If your risk analysis determines that the PHI was possibly released inappropriately, you must: 1) Notify the patient within 60 days of discovery. 2) Notify HHS within 60 days for breaches of 500 or more patients. 3) Notify HHS of all breaches within 60 days of year’s end. 4) Notify a prominent media outlet in your area for breaches of 500 or more patients.
  3. Privacy Rule—This is where the majority of changes were made. Your Notice of Privacy must now: 1) State that you are required to get patient authorization for certain uses and disclosures (e.g. psychotherapy notes, marketing, sale of PHI, and other uses and disclosures not described in the Notice). 2) Include an opt-out statement in your fundraising statement. 3) Notify patients that they may restrict disclosures to health plans for services paid for out of pocket. 4) State that patients will be notified of any PHI breach. Offsite records must now be provided within 30 days of patient request, rather than 60 (with a 30-day time extension provision, as before). If patients request their PHI in an electronic format that you can provide, you must provide it electronically.

Also, there are changes to disclosure rules for the PHI of deceased persons and for proof of immunization to schools. You may continue to disclose PHI to individuals who were authorized to receive it before the patient’s death, and you must protect the PHI for 50 years or until you destroy those records. Proof of immunization may be disclosed to schools with a verbal request of a patient, parent, or person acting in loco parentis; document the request and the submission.

Want more information on the changes put in place by Omnibus HIPAA?

View the PRS webinar: HIPAA 2013: Don’t Panic. Be Prepared.

Looking for an answer to Omnibus HIPAA Compliance for your pharmacy?  

Visit the PRS website @ or contact 1-800-338-3688 to speak with a Specialist.



Pharmacy News: Omnibus HIPAA Compliance and how it impacts you

In case you haven’t heard, substantial changes to HIPAA regulations, enforcement, and penalties—with the catchy name of HIPAA Omnibus Final Rule—went into effect last March. September 23, 2013, is the day your pharmacy must be compliant with the new regulations. But, don’t panic, and don’t listen to consultants who try to scare you. The amendments to the regulations should be easy for currently compliant pharmacies to implement. However, it is imperative that you update your HIPAA program because the enforcement, in the form of proactive auditing, and the penalty increases are stiff enough to demand your attention.

Here are some of the facts about Omnibus HIPAA and how it impacts you as a pharmacy owner:

  • As stated above, all pharmacies need to take action to replace or revise their existing HIPAA Compliance Program by September 23, 2013 to avoid repercussions of non-compliance.
  • Enforcement of compliance was funded in the Affordable Care Act and will be handled by the Office for Civil Rights (OCR).
  • The big difference is that enforcement will be proactive and no longer just in response to complaints.
  • OCR is hiring enforcement officers to visit facilities and conduct active compliance audits.
  • Facilities that are audited and found non-compliant will then be penalized and/or excluded from programs payable, directly or indirectly, by Federal health care dollars.


Have questions?

For more information about the specific changes and a solution for your pharmacy, visit PRS Pharmacy Services at Booth #1022 at the NCPA Annual Convention October 12-14, 2013 in Orlando or call PRS at 1-800-338-3688 and speak with one of the Specialists. Also, stop back here for additional posts on HIPAA Compliance  and what you need to know as a pharmacy owner.