PRS still receives many questions from non-HIPAATrack Members about whether written (or electronic) Policies and Procedures are required for their Pharmacy business. These questions have typically come from Pharmacies that have purchased a Training Program or Continuing Education, or that have received a “free” “HIPAA Program” from their wholesaler or other entity. These Training Programs, CEs and “free” Programs typically do not include actual Policies and Procedures for the Pharmacy to implement, making them effectively useless as far as HIPAA Regulations are concerned and thus a huge liability to these Pharmacies. HIPAA requires training on the policies and procedures implemented at a Pharmacy. General Training Programs, CEs, and many “free” Programs do not meet this requirement for compliance.
The HIPAA regulations require you to have written (or electronic) Policies and Procedures showing compliance with the HIPAA Regulations. Below are excerpts from 164.530 of the HIPAA regulations.
“(i) (1) Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
(j) (1) Standard: Documentation. A covered entity must:
(i) Maintain the policies and procedures provided for in the Standard (i) [Policies and procedures] section in written or electronic form.”
A training program or continuing education course is also problematic because it does not meet the actual training requirement of HIPAA, which clearly states, “a covered entity [Pharmacy] must train all members of its workforce on the policies and procedures”, also found in 164.530.
“(b) (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
What Areas Should the HIPAA Compliance Program Cover?
Below is a Checklist of the Policies, Procedures, and Forms required for HIPAA Compliance. Your Program may use different names or combine Policies, Procedures, and Forms, but your Privacy Officer and Security Officer should be able to review the list below and crosswalk it against your HIPAA Compliance Program to see if you comply.
Policy and Procedure (Forms are bulleted)
Privacy: Administration Section
|Cooperation with the Secretary|
|Written Policies and Procedures|
|Inventory of PHI|
|Suspected Violations and Breaches|
|Waiver of Rights|
|Prohibition against Retaliation|
Privacy: Individual Rights Section
|Notice of Privacy Practices|
|Access to Records|
|Accounting of Disclosures|
Privacy: Uses and Disclosures Section
|De-identification of Protected Health Information|
|Minimum Necessary Requirements|
|Limited Data Set|
|Uses and Disclosures to Carry out Treatment, Payment, and Health Care Operations|
|Uses and Disclosures Requiring Authorization|
|Uses and Disclosures for Individuals Involved in the Patient’s Care and Notification Purposes|
|Uses and Disclosures for Public Health Activities|
|Disclosures about Victims of Abuse, Neglect, or Domestic Violence|
|Uses and Disclosures for Health Oversight Activities|
|Disclosures for Judicial Administrative Proceedings|
|Disclosures for Law Enforcement|
|Uses and Disclosures about Decedents|
|Uses and Disclosures for Cadaveric Organ, Eye, or Tissue Donation Purposes|
|Uses and Disclosures for Research Purposes|
|Uses and Disclosures to Avert a Serious Threat to Health or Safety|
|Uses and Disclosures for Specialized Government Purposes|
|Disclosures for Workers’ Compensation|
|Uses and Disclosures for Fundraising|
|Disclosures by Employees who are a Victim of a Crime|
|Disclosures by Whistleblowers|
Security: Administration Safeguards Section
|Security Management Process|
|Security Awareness and Training|
|Software, Firewall, and Router/Modem Update|
|Disaster Recovery/Contingency Plan|
Security: Physical Safeguards Section
|Computer Use and Security|
|Device and Media Controls|
Security: Technical Safeguards Section
|Electronic PHI Integrity|
|Transmission of Protected Health Information|
How Can PRS Help?
PRS has been at the forefront of HIPAA Compliance for Pharmacy since the beginning of HIPAA in 2003. Our HIPAATrack Program has been developed by individuals who own and have worked in Pharmacies and is trusted by thousands of pharmacies nationwide.
PRS’s HIPAATrack is designed to walk you through the process of implementing and maintaining the Pharmacy’s HIPAA Compliance Program. The Program provides Policies, Procedures, and Forms following the HIPAA Regulations. The HIPAATrack program also contains online HIPAA Training based on the included Policies and Procedures, so there are no worries whether your employees are receiving training or just education. HIPAATrack is automatically updated when HIPAA regulations change.
For more information about PRS Pharmacy Services’ Pharmacy Compliance Offerings, click on one of the following links, HIPAATrack and COMPLIANCETrack, or call PRS at 1-800-338-3688. Join the thousands of independent pharmacies that currently enjoy the benefits of PRS’s Compliance Programs.