PRS still receives many questions from non-HIPAATrack Members about whether written (or electronic) Policies and Procedures are required for their Pharmacy business. These questions typically come from Pharmacies that have purchased a Training Program or Continuing Education, or that have received a “free” “HIPAA Program” from their wholesaler or another entity. These Training Programs, CEs, and “free” Programs typically do not include actual Policies and Procedures for the Pharmacy to implement, making them effectively useless as far as the HIPAA Regulations are concerned and thus a huge liability to these Pharmacies. HIPAA requires training on the policies and procedures implemented at a Pharmacy. General Training Programs, CEs, and many “free” Programs do not meet this requirement for compliance.

The HIPAA regulations require you to have written (or electronic) Policies and Procedures showing compliance with the HIPAA Regulations. Below are the relevant excerpts from §164.530 of the HIPAA regulations.

“(i) (1) Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.

(j) (1) Standard: Documentation. A covered entity must:

(i) Maintain the policies and procedures provided for in the Standard (i) [Policies and procedures] section in written or electronic form.”

The training program or continuing education is also problematic because it does not meet the actual training requirement of HIPAA, which clearly states that “a covered entity [Pharmacy] must train all members of its workforce on the policies and procedures.” This requirement is also found in §164.530.

“(b) (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

What Areas Should the HIPAA Compliance Program Cover?

Below is a Checklist of the Policies, Procedures, and Forms required for HIPAA Compliance. Your Program may use different names or combine Policies, Procedures, and Forms, but your Privacy Officer and Security Officer should be able to review the list below and crosswalk it against your HIPAA Compliance Program to see whether you comply.

Checklist columns: Policy and Procedure (Forms are bulleted) | Compliant (Y/N)

Privacy: Administration Section

Personnel Designation

    • Form: Privacy Officer Letter of Designation
    • Form: Security Officer Letter of Designation
    • Form: Contact Person Letter of Designation
Cooperation with the Secretary
Written Policies and Procedures
Inventory of PHI

    • Form: PHI Inventory (Physical)
    • Form: PHI Inventory (Electronic)
Employee Access

    • Form: Employee Access Assessment Form
    • Form: Responsibilities of Remote Access and Loaned Devices
Safeguarding PHI

    • Form: Privacy Evaluation
    • Form: Training Acknowledgment
Employee Sanctions
Employee Exit

    • Form: Acknowledgement of Continued Responsibilities
    • Form: Letter of Access Removal
Suspected Violations and Breaches

    • Form: HIPAA Complaint and Breach Investigation Form
Breach Notification
Waiver of Rights
Prohibition against Retaliation

Privacy: Individual Rights Section

Notice of Privacy Practices

    • Form: The Notice of Privacy Practices
    • Form: Acknowledgement of Receipt of Privacy Practices
Additional Restrictions

    • Form: Request for Additional Restrictions
    • Form: Decision Letter (Additional Restrictions)
Confidential Communications

    • Form: Request for Confidential Communications
    • Form: Decision Letter (Confidential Communications)
Access to Records

    • Form: Request for Access to Records
    • Form: Decision Letter (Access to Records)
Amending Records

    • Form: Request to Amend Records
    • Form: Decision Letter (Amending Records)
Accounting of Disclosures

    • Form: Request for an Accounting of Disclosures
    • Form: Accounting Extension Letter
    • Form: Accounting of Disclosure Form

Privacy: Uses and Disclosures Section

Personal Representatives
De-identification of Protected Health Information
Minimum Necessary Requirements
Limited Data Set
Business Associates

    • Form: Business Associate Agreement Template
    • Form: Business Associate Log
Uses and Disclosures to Carry out Treatment, Payment, and Health Care Operations

    • Form: Treatment Payment Health Care Operations Consent Form
Uses and Disclosures Requiring Authorization

    • Form: HIPAA Authorization Template
Uses and Disclosures for Individuals Involved in the Patient’s Care and Notification Purposes
Uses and Disclosures for Public Health Activities
Disclosures about Victims of Abuse, Neglect, or Domestic Violence
Uses and Disclosures for Health Oversight Activities
Disclosures for Judicial Administrative Proceedings
Disclosures for Law Enforcement
Uses and Disclosures about Decedents
Uses and Disclosures for Cadaveric Organ, Eye, or Tissue Donation Purposes
Uses and Disclosures for Research Purposes
Uses and Disclosures to Avert a Serious Threat to Health or Safety
Uses and Disclosures for Specialized Government Purposes
Disclosures for Workers’ Compensation
Uses and Disclosures for Fundraising

    • Form: Fundraising Opt-Out Notice
Disclosures by Employees Who Are Victims of a Crime
Disclosures by Whistleblowers

Security: Administration Safeguards Section

Security Management Process

    • Form: Risk Analysis and Management Plan
Security Incident
Security Awareness and Training

    • Form: Security Awareness Program
Software, Firewall, and Router/Modem Update

    • Form: Software Updates
    • Form: Firewall and Router/Modem Updates Form
    • Form: At Risk Software Removal Log
Data Backups

    • Form: Data Loss
Disaster Recovery/Contingency Plan

    • Form: Disaster Recovery/Contingency Plan
    • Form: Evaluation

Security: Physical Safeguards Section

Facility Access

    • Form: Key/Pass Card Inventory
    • Form: Visitor Sign-in Log
Computer Use and Security
Device and Media Controls

    • Form: EPHI Destruction and Re-use Form
    • Form: Device Responsibility Form
    • Form: Accounting of Hardware and Media Log

Security: Technical Safeguards Section

Access Controls

    • Form: Emergency Access Form
Electronic PHI Integrity

    • Form: Electronic PHI Modification and Deletion Form
Remote Access
Data Encryption

    • Form: Encryption and Exception Form
Audit Controls

    • Form: System Audit Inventory Form
Transmission of Protected Health Information

How Can PRS Help?

PRS has been at the forefront of HIPAA Compliance for Pharmacy since the beginning of HIPAA in 2003. Our HIPAATrack Program was developed by individuals who own and have worked in Pharmacies, and it is trusted by thousands of pharmacies nationwide.

PRS’s HIPAATrack is designed to walk you through the process of implementing and maintaining the Pharmacy’s HIPAA Compliance Program. The Program provides Policies, Procedures, and Forms that follow the HIPAA Regulations. The HIPAATrack program also contains online HIPAA Training based on the included Policies and Procedures, so there is no question whether your employees are receiving training rather than just education. HIPAATrack is automatically updated when HIPAA regulations change.

For more information about PRS Pharmacy Services’ Pharmacy Compliance Offerings, click on one of the following links, HIPAATrack or COMPLIANCETrack, or call PRS at 1-800-338-3688. Join the thousands of independent pharmacies that currently enjoy the benefits of PRS’s Compliance Programs.