HIPAA is an area of compliance that has been around for a while now – almost 17 years. Over this long period of time, the Federal Government has continuously increased the level of scrutiny and amount of fines they have placed on Covered Entities (including Pharmacies).
Because HIPAA has been in effect for so long, there is no excuse to be noncompliant. The first time the Office of Civil Rights (OCR; the Federal entity responsible for HIPAA enforcement) comes knocking, it is typically the result of a privacy breach or a complaint received from a consumer (or whistleblower). Depending on the circumstances of the breach or event, the OCR may conduct an investigation.
During an OCR investigation, the OCR typically finds additional areas where the Covered Entity was noncompliant, above and beyond the breach or incident that caught its attention in the first place. Over the next few months, we will be regularly blogging about HIPAA concerns that Independent Pharmacies must be aware of. These blog posts will focus on some of the issues Pharmacies are facing and what the OCR is commonly finding during its investigations of breaches and complaints.
The topic of this first article is HIPAA Training – a common area of confusion. Pharmacies must train employees (and other workforce members, such as interns) who have not already been trained as soon as reasonably possible. Additionally, Pharmacies must maintain proof of training and copies of the training materials for no less than six years. A properly designed training program with regular refreshers or renewal training will ensure your employees understand their responsibilities and your policies and procedures, reducing the likelihood of breaches and complaints – and therefore the chance of audits.
In addition to training your employees on your policies and procedures, your training should cover general privacy and security best practices. General privacy and security training is essential because no matter what policies, procedures, and technologies you have implemented, the end-user (your workforce) is typically the weakest link. So ensuring your employees are, for example, keeping their passwords private, not installing unapproved programs, and not opening suspicious links, files, or emails, is critical. These practices allow you to ensure the ongoing confidentiality, availability, and integrity of your Pharmacy’s PHI.
Lastly, we need to discuss some specifics on what is considered training. We see many Education and Learning Management System (LMS) Companies providing HIPAA Training, and, in most cases, the content they are offering is excellent. However, the material would be considered “Education” rather than Training, per se. When we look at the HIPAA Standard for Training (45 C.F.R. § 164.530(b)) we find that it states, “A covered entity must train all members of its workforce on the policies and procedures . . .” Therefore, the HIPAA Training needs to be on your Pharmacy’s specific Policies and Procedures. What these Education and LMS companies are providing is informative; however, unless they are also providing you with the Policies and Procedures you will use in practice, what you are receiving is strictly educational material – and not considered training as required by applicable federal regulations. In this case, you will not be compliant as required by the OCR.
There are several fixes to this issue, including:
- Requesting HIPAA Policies and Procedures from the Education and LMS Company
- Finding another service that provides both the Training and Policies and Procedures (HIPAATrack)
- Creating your own Policies and Procedures based on the Regulations and the Education that LMS companies provide.