Before we get into the HIPAA issues for pharmacies with regards to training, let’s just discuss HIPAA in general for a bit.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal statute that includes national standards for data privacy and security provisions concerning patients’ medical information. Although it was no doubt introduced to protect sensitive patient health data, that was not its only objective. HIPAA was established to fulfill several healthcare objectives, chief among which are medical administration, prevention of healthcare fraud, elimination of waste, and of course preventing sensitive patient information from being used or disclosed without the patient’s consent or knowledge.
Why Ensure HIPAA Compliance?
HIPAA is an area of compliance that has been around for a while now – almost 17 years. Over this long period of time, the Federal Government has continuously increased the level of scrutiny and amount of fines they have placed on covered entities (including pharmacies) for violations.
Because HIPAA has been in effect for so long, there is no excuse to be noncompliant. The first time the Office for Civil Rights (OCR; the Federal entity responsible for HIPAA enforcement) comes knocking, it is typically the result of a privacy breach or a complaint received from a consumer (or whistleblower). Depending on the circumstances of the breach or event, the OCR may conduct an investigation.
During an OCR investigation, they typically find additional areas where the covered entity was noncompliant above and beyond the breach or incident that caught their attention in the first place. To help increase awareness and knowledge of the common HIPAA issues for pharmacies, over the next few months we will be regularly blogging about HIPAA concerns that Independent Pharmacies must be aware of. These blog posts will focus on some of the issues independent pharmacies are facing and what the OCR typically finds during its investigations of breaches and complaints.
HIPAA Training Requirements
The topic of this first article is HIPAA Training – a common area of confusion. The requirements for training can be unclear because HIPAA offers general guidelines that are flexible and scalable enough to cater to a broad range of entities in terms of both their type and size. As a result, HIPAA training regulations offer general information rather than a single standardized training program helpful for all covered entities or specific information pertaining to the topics any HIPAA training should cover.
The ambiguity further stems from the fact that HIPAA’s Privacy Rule and Security Rule – 45 C.F.R. § 164.530(b) and 45 C.F.R. § 164.308(a)(5) respectively – have separate training requirements. As varied as the interpretations of the training requirements are, here PRS covers some valuable information about what HIPAA does specify with regard to training.
If not already trained, pharmacies must train employees (and other workforce members, such as interns) as soon as reasonably possible. Moreover, HIPAA requires that all affected employees receive updated training whenever the regulations are updated or modified. Additionally, pharmacies must maintain proof of training and copies of the training materials for no less than six years. A properly designed training curriculum with regular refreshers or renewal training will ensure your employees understand their responsibilities and your policies and procedures, reducing the likelihood of breaches, common HIPAA issues for pharmacies, and complaints – all of which minimize the likelihood of audits.
In addition to training your employees on your policies and procedures, your training should cover general privacy and security best practices. General privacy and security training is essential because, no matter what policies, procedures, and technologies you have implemented, the end user (your workforce) is typically the weakest link. So ensuring your employees are, for example, keeping their passwords private, not installing unapproved programs, and not opening suspicious links, files, or emails is critical. These practices help you maintain the ongoing confidentiality, availability, and integrity of your pharmacy’s PHI.
Lastly, we need to discuss some specifics on what is considered training as per the regulations set by the US Department of Health and Human Services (HHS). We see many education and Learning Management System (LMS) companies providing HIPAA training, and, in most cases, the content they are offering is excellent. However, the material would be considered “education” rather than training, per se.
When we look at the HIPAA Standard for Training (45 C.F.R. § 164.530(b)) we find that it states, “A covered entity must train all members of its workforce on the policies and procedures . . .” Therefore, in order to prevent the common HIPAA issues for pharmacies, the HIPAA training must relate to and cover your pharmacy’s specific policies and procedures.
What these education and LMS companies are providing is informative; however, unless they are also providing you with the policies and procedures you will use in practice, what you are receiving is strictly educational material – and not considered training as required by applicable federal regulations. In this case, you will not be compliant as required by the OCR.
There are several fixes to this issue, including:
- Requesting HIPAA policies and procedures from the education and LMS company
- Finding another service that provides both the training and the policies and procedures (HIPAATrack)
- Creating your own policies and procedures based on both a thorough examination of the regulations and the education that LMS companies provide