In my last blog post, I informed you of changes to HIPAA and how it will be enforced.
Here are some of the specific changes in the Omnibus HIPAA Final Rule and how they impact you as a pharmacy owner:
- Security Rule: You must now make sure your business associates (anyone with whom you share PHI so they can perform a function or service on your behalf) are compliant with the Security Rule and have policies and procedures in place to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Under the Omnibus Rule, business associates are directly liable for Security Rule violations, and your business associate agreements must be updated to reflect this. While you're at it, conduct an evaluation of your own Security Compliance Program, paying close attention to your Risk Analysis, Risk Management, Disaster Recovery, and Contingency Plans. The HHS pilot audit program found that pharmacies were often deficient in these areas.
- Breach Notification: The standard for deciding whether a Breach Notification is required was changed from "risk of harm to the patient" to "risk that the PHI was compromised." Any impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless your risk assessment demonstrates a low probability that the PHI has been compromised, considering the nature of the PHI involved, who used or received it, whether it was actually acquired or viewed, and how far the risk has been mitigated. If you cannot demonstrate that low probability, you must: 1) Notify each affected patient without unreasonable delay and no later than 60 days after discovery. 2) Notify HHS within the same 60 days for breaches affecting 500 or more patients. 3) Log breaches affecting fewer than 500 patients and report them to HHS within 60 days after the end of the calendar year in which they were discovered. 4) Notify prominent media outlets serving your state for breaches affecting 500 or more of its residents.
- Privacy Rule: This is where the majority of changes were made. Your Notice of Privacy Practices must now: 1) State that you are required to obtain patient authorization for certain uses and disclosures (e.g., psychotherapy notes, marketing, sale of PHI, and any other uses and disclosures not described in the Notice). 2) If you contact patients for fundraising, state that they may opt out of fundraising communications. 3) Notify patients that they may restrict disclosures to their health plan for services they have paid for in full out of pocket. 4) State that patients will be notified of any breach of their unsecured PHI. Records stored offsite must now be provided within 30 days of a patient's request rather than 60 (one 30-day extension is still available, as before). If a patient requests PHI that you maintain electronically in an electronic format that you can readily produce, you must provide it electronically.
There are also changes to the disclosure rules for the PHI of deceased persons and for proof of immunization to schools. You may disclose a deceased patient's PHI to family members and others who were involved in the patient's care or payment for care before death, unless doing so is inconsistent with a preference the patient expressed, and the PHI remains protected for 50 years after the date of death (or until you have destroyed those records). Proof of immunization may be disclosed to a school that state law requires to have it, with the oral or written agreement of the patient (if an adult or emancipated minor), a parent, guardian, or person acting in loco parentis; document the agreement and the disclosure.
Want more information on the changes put in place by Omnibus HIPAA?
View the PRS webinar: HIPAA 2013: Don’t Panic. Be Prepared.
Looking for an answer to Omnibus HIPAA Compliance for your pharmacy?
Please contact us at 1-800-338-3688 to speak with a Specialist or submit your questions via our contact form.