Brian McCullough, PharmD, BCPS, assistant professor at Husson University School of Pharmacy in Bangor, ME, remembers an incident from his pharmacy residency.
He was on an elevator with colleagues, when one of them said, “You should see my patient Mr. ‘Jones.’ He is huge! He must be at least 500 pounds. I’m surprised they found a bed big enough for him!”
“Our residency director called an impromptu meeting that afternoon. The resident who made the comment was already in the room; eyes puffy, tears streaming down her face.
It turns out that the other people on the elevator were Mr. Jones’s family, including his wife,” he says. “They had filed a complaint soon afterward, and our director was very clear that this behavior was not tolerated.”
Fortunately, the family allowed the complaint to stay internal to the hospital. Had they not, a large fine, a lawsuit, and possible job termination could have been the result.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. It established penalties for sharing a patient’s health information with anyone not authorized to obtain it.
While this law is more than 20 years old, it is still good for providers and pharmacies to remember the impact that words and actions can have on patients’ health information, and that this information must be protected or penalties may be incurred.
The Name Game
Yana Paulson, PharmD, chief pharmacy officer for L.A. Care Health Plan, says a big cause of HIPAA violations in a pharmacy is filling prescriptions for two patients with the same name in a rush and dispensing the medication to the wrong person.
“Not only are the two patients getting the wrong medication, but also confidential information about the patients’ medical condition is disclosed to unauthorized individuals,” she says. “To prevent this mistake from happening, pharmacists usually have checklists in place to verify the patients’ date of birth and address.”
For example, a pharmacist once prepared and released a prescription that was for a different patient with the same name. The patient took the blood pressure medication that was not intended for them and, after three months, complained to the pharmacist of dizziness and light-headedness. The pharmacist checked the records and discovered the error.
“The pharmacist informed the patient’s doctor and directed the patient to get a check-up to ensure they were not harmed, and an incident report was filed,” Paulson says. “The other patient with the same name was also contacted and the pharmacist made sure they also had a checkup to confirm the need for the blood pressure medication and to let the doctor know that the patient has not been taking it for three months.”
Additionally, when rushing to minimize wait time, a pharmacist typing a prescription label can mistakenly choose the incorrect prescriber, especially if there are multiple prescribers with the same name in the database the pharmacist is using (e.g., Dr. John Smith).
“The HIPAA violation occurs when the pharmacist or the plan decides to contact the prescriber because they need to communicate with him/her and the information is faxed to the wrong prescriber who is not authorized to see it,” Paulson says.
“To prevent this from occurring, the pharmacists usually have a checklist to remind them to verify that the address and phone number of the prescriber in the database matches with the information on the prescription,” Paulson adds.
Policies and Procedures
Jay Hodes, president of Colington Consulting, which provides HIPAA consulting services for healthcare providers and businesses, notes inadequate policies and procedures often lead to HIPAA violations, citing three noteworthy examples.
In February 2009, in a case involving CVS, media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores—containers that were not secure and could be accessed by the public.
Hodes says the investigation found CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and failed to adequately train employees on how to dispose of such information properly.
“This is a common theme in the healthcare sector, not training one’s workforce in general and on organization-specific policy and procedure,” he says. “This CVS case is clearly human error and could have been prevented with comprehensive policies and procedures along with holding the workforce accountable.”
In July 2010, a case involving Rite Aid stemmed from an investigation after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public.
“The investigation found Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information,” Hodes says. “Again, the training issue along with inadequate policies and procedures caused the problem.”
In April 2015, in a case involving Cornell Prescription Pharmacy, a compliance review and investigation were opened after notification from a local Denver news outlet regarding the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked open container on Cornell’s premises.
The documents were not shredded and contained identifiable information regarding specific patients.
The investigation revealed Cornell’s failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to provide training on policies and procedures to its workforce as required by the rule.
“And once again, the same training issue along with inadequate policies and procedures,” Hodes says. “These cases represented two large corporate pharmacies along with what appears to be a small, independent. I see the Cornell case as sending a message that enforcement actions will happen even to small companies and not just large corporations.”
In general, any “covered entity,” which any pharmacy would be regardless of size, must have comprehensive HIPAA policies and procedures in place to address all the HIPAA Security Standards and Implementation Specifications found in the Code of Federal Regulations (CFR).
The CFR requires workforce training to cover security awareness and applicable HIPAA Privacy Rule requirements.