So, just a few months ago, I let you all know that HIPAA was back in the news with new court rulings, enforcement activities and how future HIPAA Audits would be occurring proactively (instead of reacting to breaches and complaints). Since then we have taken a long journey together to go over some of the items that need to be in place and happen on a daily basis, so that your pharmacy is HIPAA ready. We also looked at what you, as a pharmacy owner, need to do if certain things were to happen within your facility.
Let’s do a little review to sum things up.
- We learned about malware and computer viruses and how they can be a way for Protected Health Information (PHI) to get deleted or even stolen. The solution: be sure to have good anti-virus/malware software on the computer(s) where PHI is stored. It is also important that you ensure your firewalls, routers and wireless devices are appropriately set up to protect your infrastructure.
- What do you do if a breach of PHI does happen at your pharmacy? Don’t panic, just DO A RISK ASSESSMENT to determine if there is a low probability the PHI has actually been compromised. If it is determined a breach did occur, then you must notify each patient within 60 days of breach discovery via first class mail, email if the patient has consented to electronic notices, or telephone. If there are 10 or more patients you are not able to contact, you need to notify them publicly on your website or through the media. If the breach was of 499 or fewer individuals, then you must report it to the HHS Secretary annually, no later than 60 days after the end of the calendar year in which the breach was discovered. If the breach was of 500 or more individuals, then you must report it to the HHS Secretary within 60 days of discovery.
- We discussed how you, as an employer, may be held responsible if your employees commit a HIPAA violation. How do you avoid this? All pharmacies should have policies and procedures in place that clearly spell out the responsibility of employees not to disclose confidential or private medical or treatment information. Employees should be trained on your HIPAA Policies and Procedures, and they should electronically acknowledge or sign a document stating that they’ve participated in your HIPAA Training. This training, along with their job description, should lay out the scope of their duties and the conduct that is inappropriate or illegal. If your Training Program, Policies and Procedures and IT Processes are clear and effective (and there are no holes), then your ultimate responsibility toward any violation could be mitigated.
- This is where it got personal for me as a business owner. We had a DISASTER here in our office – from power and IT to damage to the building, we lost a lot!!! But, we instituted our Disaster Recovery Program within a few hours and were back up to normal business functions from our customers’ and members’ point of view. We used the same Disaster Recovery Program that thousands of you have, and our servers were up and running to normal levels within 48 hours. If we hadn’t had one in place, we could never have gotten back on our feet as quickly as we did.
So what are some of the key areas you need to consider when creating your Disaster Recovery Plan:
- Ensure you are performing Data Backups
- Anticipate your patients’ needs
- Ensure you have contact information for all of your vendors (hardware, software, drug wholesaler, etc.)
- Have an alternative communication system
- Ensure your employees know what will be expected of them
- TRAIN YOUR EMPLOYEES AND TEST THE PLAN
- Make sure all of your Business Associate Agreements are up-to-date with the OMNIBUS HIPAA Rules released in January of 2013.
- Make sure your Notice of Privacy Practices is compliant with the OMNIBUS HIPAA Rules and that you are handing it out to all new patients and upon request, and posting it on your website if you provide health care related services online, including online refills. Your patients must sign off that they have received your Notice of Privacy Practices.
- And last, but certainly not least – be sure your HIPAA policies and procedures are a part of your daily activities; don’t just keep them on a shelf. With all of the enforcement activities and upcoming audits, you need to make sure Compliance is part of your Pharmacy’s DNA. And make sure your employees are trained on your P&Ps.
I hope that you have learned why, after all these years, HIPAA is still one of the most impactful regulations to hit the pharmacy industry, and that being HIPAA Ready can save your business, whether an inspector comes to your door or (and I hope this doesn’t happen to you) a disaster happens.
Just as I was working on this post, I saw an enforcement action and fine that was issued to a Pharmacy for improperly disposing of PHI. At least that is where the investigation started, but the Office of Civil Rights also discovered the Pharmacy did not have Policies and Procedures and lacked documentation regarding HIPAA Training for their employees.
As always, for more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of our Specialists. Please visit the Blog for additional posts on compliance issues and what you need to know as a pharmacy owner.