HIPAA Policies and Procedures are the foundation of your Pharmacy’s overall HIPAA Compliance and employee Training.  Policies and Procedures also happen to be one of the items most often found to be missing, incomplete, or not up-to-date during investigations conducted by the Office of Civil Rights (OCR).

What does HIPAA say about Policies and Procedures?

HIPAA clearly states you need to have Policies and Procedures.  If we look at 45 C.F.R. § 164.530(i), we find that it states the following:

“covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements . . .”

The next steps are to ensure your pharmacy has the appropriate Policies and Procedures to cover the HIPAA requirements.

The Three Sections of HIPAA

When it comes to pharmacy HIPAA and Policies and Procedures, we are talking about the following three rules:

  • Privacy Rule (164.5xx)
    • Uses and Disclosures
    • Individual’s Rights
    • Administrative
  • Security Rule (164.3xx)
    • Administrative Safeguards
    • Physical Safeguards
    • Technical Safeguards
  • Breach Notification Rule (164.4xx)

These rules are further broken down into various areas that you need to ensure you have Policies and Procedures to address in your Pharmacy Practice.  The exact number of Policies and Procedures will vary based on how you set up your Program – or how your compliance vendor has set up their Program.

Who is Responsible for HIPAA Policies and Procedures?

HIPAA requires you to designate a Privacy Official (Privacy Officer) and Security Official (Security Officer) responsible for the various sections of the HIPAA Regulations. They can be the same person, and you could have more than one of each official.  These individuals should understand how the Pharmacy operates, and they are tasked with implementing and maintaining the Pharmacy’s HIPAA Policies and Procedures.

How long do I need to maintain HIPAA Policies and Procedures?

As most of you probably know, HIPAA requires you to maintain Protected Health Information for six (6) years (if you are retaining PHI for longer than six (6) years, you must maintain the privacy and security of the PHI in compliance with HIPAA).  You are also required to maintain your Policies and Procedures for six (6) years from the date they were last in use.  Therefore, when you update a Policy and Procedure, you will need to make sure the older version of the Policy and Procedure is available if requested as part of an audit or investigation.

Is my Notice of Privacy Practices my HIPAA Policies and Procedures?

No.  The Notice of Privacy Practices (NOPP) is simply a document that provides a general outline for the patient to understand how you may use and disclose their PHI.  The Notice of Privacy Practices is not your HIPAA Policies and Procedures and covers only a fraction of what you need to have in place.

Does an off-the-shelf HIPAA Training Program or Continuing Education (CE) Count as Training?

No.  While off-the-shelf HIPAA Training Programs and CEs can be an excellent tool for creating training, these Programs lack the HIPAA Policies and Procedures. These types of products should be considered education and not training.  Since your HIPAA Training must be based on your HIPAA Policies and Procedures, not having Policies and Procedures would make it impossible to have legal HIPAA Training.  Please refer to our blog covering HIPAA Training for more information on training.

Should I review my Policies and Procedures periodically?

Yes.  It is essential your HIPAA Policies, Procedures, and associated forms are up to date.  For Policies and Procedures to be effective and do what they are intended to do, they must reflect your actual Pharmacy practice (operations, electronic systems, PHI maintained, designated personnel, etc.).

How Can PRS Help?

PRS has been at the forefront of HIPAA Compliance for Pharmacy since the beginning of HIPAA in 2003 with a HIPAA Compliance Program developed by individuals who work in Pharmacies.

PRS’s HIPAATrack is designed to walk you through the process of implementing and maintaining your Pharmacy’s HIPAA Compliance Program. The Program provides Policies, Procedures, and Forms following the HIPAA Regulations.  The HIPAATrack program also contains online HIPAA Training that is based on the included Policies and Procedures, so there are no worries whether your employees are receiving training or just education.

For more information about PRS Pharmacy Services’ Pharmacy Compliance Offerings, click on one of the following links, HIPAATrack and COMPLIANCETrack, or call PRS at 1-800-338-3688. Join the thousands of independent pharmacies that currently enjoy the benefits of PRS’s Compliance Programs.
