HIPAA Compliance takes time and money, but a breach will cost you even more through governmental fines and through repairing the reputation and trust you may have lost with your patients and community.  In some cases, you may also have to pay for identity theft monitoring if the exposed information could be used to steal an individual’s identity – and this would be needed for every patient whose data was breached.

In July of 2020, the Office for Civil Rights (OCR) announced a settlement with Metropolitan Community Health Services (Metro) over potential HIPAA violations.  The settlement comes after Metro sent the protected health information (PHI) of 1,263 patients to an unknown email address in 2011 – yes, this breach happened nine years ago.  The OCR identified three deficiencies during its investigation:

  • No Risk Analyses and Risk Management
  • No Policies and Procedures to meet the Security Rule
  • No Security Awareness and Training was performed

Conducting a Risk Analysis (§ 164.308(a)(1)(ii)(A)) and Risk Management (§ 164.308(a)(1)(ii)(B))

All HIPAA covered entities need to conduct Risk Analysis and Risk Management as part of the Security Management Process.  The Risk Analysis will help you identify the potential risks and vulnerabilities to your electronic protected health information (EPHI).  Risk Management is the set of measures you put in place to address those risks and vulnerabilities.  The ultimate goal of Risk Analysis and Risk Management is to ensure the confidentiality, integrity, and availability of EPHI, as described below:

  1. You need to safeguard the confidentiality of EPHI to ensure it is not used or disclosed in an unauthorized manner.
  2. You need to safeguard the integrity of EPHI to ensure it is not altered or destroyed inappropriately.
  3. You need to safeguard the availability of EPHI to ensure it is available when you need it.

Now, HIPAA does not require a specific type of Risk Analysis and Risk Management; you are required to conduct one that is effective for your overall Pharmacy operation.  Additionally, the Risk Analysis and Risk Management are “living” documents that will change with your Pharmacy as operations, technologies, risks, and vulnerabilities change.

Creating and Implementing Policies and Procedures (§ 164.316(a) and § 164.316(b)(1)) to Comply with the Security Rule

Just as with the Privacy and Breach Notification Rules, you need to have policies and procedures to comply with the Security Rule.  In general, your policies explain what you are doing and why, and your procedures describe how you are doing it.  Pretty simple and straightforward.

Implement Security Awareness and Training (§ 164.308(a)(5))

Your employees are your last line of defense when it comes to securing the confidentiality, integrity, and availability of EPHI.  Employees can also be one of your weakest links in the chain of security.  Therefore, they need to understand their role and be given the information and training they need to be effective.  When it comes to Security Awareness, the following four areas need to be addressed:

  • Security Reminders – Set up a system to remind and update your employees on security issues. Security Reminders could be part of Annual Training, periodic memos, notices, and posters.
  • Protection from Malicious Software – Ensure your employees are trained on preventing malicious software (viruses, spyware, ransomware, etc.) from infecting your Network. Protection from Malicious Software should be included in your Security Reminders.
  • Login Monitoring – Your employees need to be instructed to monitor their computer systems for failed login attempts, where available. Failed login attempts should be routinely monitored and audited as part of your compliance with Audit Controls (§ 164.312(b)).
  • Password Management – Your employees should understand the process and criteria for creating passwords and for keeping all passwords private. Employees need to understand that their password should not be written down or shared.
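The Login Monitoring item above says failed login attempts should be routinely monitored and audited, but it does not show what that looks like in practice. The script below is an added example, not code from the original post or from PRS: it reads a small set of constructed login log lines (the line format and the user names are hypothetical), produces the per-user failure/success totals an audit would want, and flags any account that accumulates a burst of failures inside a short window. The threshold (5 failures) and window (10 minutes) are assumptions to tune for your own systems.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post); the key=value
# format, hosts, user names and addresses are all hypothetical.
SAMPLE_LOG = """\
2020-07-14 08:01:12 host=rx-ws01 user=jsmith result=FAIL src=10.0.0.21
2020-07-14 08:01:20 host=rx-ws01 user=jsmith result=FAIL src=10.0.0.21
2020-07-14 08:01:31 host=rx-ws01 user=jsmith result=SUCCESS src=10.0.0.21
2020-07-14 08:05:02 host=rx-ws02 user=admin result=FAIL src=203.0.113.9
2020-07-14 08:05:03 host=rx-ws02 user=admin result=FAIL src=203.0.113.9
2020-07-14 08:05:04 host=rx-ws02 user=admin result=FAIL src=203.0.113.9
2020-07-14 08:05:05 host=rx-ws02 user=admin result=FAIL src=203.0.113.9
2020-07-14 08:05:06 host=rx-ws02 user=admin result=FAIL src=203.0.113.9
2020-07-14 09:30:00 host=rx-ws03 user=mlee result=FAIL src=10.0.0.44
2020-07-14 11:45:00 host=rx-ws03 user=mlee result=FAIL src=10.0.0.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts with a datetime timestamp.
    Lines that do not match the expected format are skipped rather than crashing
    the audit run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def audit_summary(events):
    """Per-user counts of each login result, the routine audit view."""
    per_user = defaultdict(Counter)
    for e in events:
        per_user[e["user"]][e["result"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each user whose failed logins reach `threshold` within any `window`.
    A sliding window over the sorted failures per user means two failures hours
    apart are not treated the same as five in a few seconds."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e)

    alerts = []
    for user, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "user": user,
                    "count": count,
                    "first": burst[0]["ts"],
                    "last": burst[-1]["ts"],
                    "sources": sorted({x["src"] for x in burst}),
                })
                break  # one alert per user is enough for the review queue
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, counts in sorted(audit_summary(evs).items()):
        print(f"{user}: {counts}")
    for a in find_failed_login_bursts(evs):
        print(f"ALERT {a['user']}: {a['count']} failures "
              f"between {a['first']} and {a['last']} from {a['sources']}")
```

Run against the sample, only `admin` is flagged: `jsmith` mistyped a password twice and then logged in, and `mlee`'s two failures are hours apart. Lowering the threshold or widening the window (for example, 2 failures within 3 hours) changes which accounts surface, which is exactly the tuning decision the Risk Analysis should record for your own login volumes.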

Sending an email with PHI

An email sent to an unknown address prompted this investigation.  When an email containing PHI is not going to the patient, the process for sending it must follow the general guidance below:

  • Verify the email address
  • Verify the use or disclosure is permissible under HIPAA
  • Encrypt the PHI in the email
  • Ensure you have a Business Associate Agreement with the entity (if applicable)

Again, we see a breach leading to a monetary settlement after an OCR investigation.  In this case, the settlement is “low”; however, the OCR took into account that Metro provides discounted medical services to an underserved rural population in North Carolina.

The key to compliance is making sure you have policies and procedures, training, and have conducted all of the activities (risk analysis, risk management, disaster recovery, contingency planning, etc.) required by the HIPAA Regulations.

The OCR has some excellent information on its Security Rule Guidance Material Web Page covering all of the above and more when it comes to the Security Rule.

For those of you with HIPAATrack, the PRS HIPAA Compliance Program, you are good to go, provided you have implemented the Program and trained your employees.

Why Use PRS for Your Pharmacy Compliance Requirements

PRS Pharmacy Service’s Compliance Programs are the most endorsed, complete and cost efficient on the market. Naturally, we are biased. Thus, talk to some of the thousands of pharmacies to whom we currently provide compliance programs and see what they say. Give us a call and we will put you in touch. Better yet, call NCPA or the Federation of Pharmacy Networks, representing over 15,000 independents and ask who they recommend for pharmacy compliance. The answer will be PRS Pharmacy Services.

Ask your insurance auditors what they think about PRS Compliance Programs. We have had many, many pharmacy owners tell us that when the auditor asks about compliance and finds out PRS is their provider, the compliance part of the audit is pretty much over. Actual auditor quote: “If you are using PRS, I know you are compliant and I don’t need to review your programs. PRS is in many other pharmacies I audit and I have never found an issue.” Many other auditors have made similar comments.

Oh, one more thing: after providing multiple compliance programs to thousands of pharmacies, not one single pharmacy has ever been fined while using PRS’s Compliance Programs. As a pharmacy owner myself, that’s real peace of mind. Furthermore, PRS guarantees that if you are ever fined while following our HIPAA and FWA Programs, we will pay the fine.

For more information about PRS Pharmacy Services’ Pharmacy Compliance Offerings, click on one of the following links, HIPAATrack and COMPLIANCETrack, or call PRS at 1-800-338-3688.