Although pharmacists understand that all of a patient’s medical information is confidential and access to that information is protected by the Health Insurance Portability and Accountability Act (HIPPA) of 1996, some still have challenges staying 100% compliant. That is why independent pharmacy owners should establish a compliance checklist and ensure their staff does annual HIPPA training.
“Pharmacy staff need to be aware of who they are providing health information to over the phone, in person, or via mail,” said Chirag Patel, PharmD, MBA, chief operating officer and brand ambassador for Carolina Pharmacy Group in Charlotte, North Carolina “The staff also need to ensure all health information at the pharmacy—prescription vials, labels, print outs, handouts, etc—is properly disposed of. That disposal source is most often an information security company that disposes of personal health information via shred boxes.”
Arielle T. Miliambro, Esq, a partner at Pine Brook, New Jersey-based health care law firm Frier Levitt, outlined the components of HIPAA:
Each HIPPA rule may have different requirements and exceptions. Miliambro explained that the Privacy Rule contains certain limited exceptions for which PHI may be disclosed without authorization, such as to coordinate care among health care providers or to obtain reimbursement from a patient’s health insurer or payer.
For the Security Rule, covered entities such as pharmacies must regularly conduct a risk analysis, according to Miliambro. “Such an analysis must address the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity,” she said.
The Security Rule does not prescribe how the analysis must be conducted or formatted. Therefore, independent pharmacists must consider the scope and characteristics of the pharmacy’s activities and proceed accordingly in their analysis.
R. Jeffrey Hedges, president and CEO of R.J. Hedges & Associates in New Florence, Pennsylvania, which helps independent pharmacies feel at ease when it comes to compliance, noted that annual training for the entire staff is vital. If you don’t have the records to back that up, pharmacy benefit managers (PBMs) can cancel contracts.
What Needs to Be HIPAA Compliant?
A pharmacy has many systems that must be HIPAA compliant.
“Any information pertaining to a patient needs to be protected,” Patel said. “That includes pharmacy software, prescription labels and bags, prescription paperwork, telephone and internet services, and our website [and/or] app.”
Russell Dowdell is director of solutions engineering for Secure Link in Austin, Texas, which provides health care organizations with a centralized solution for managing privileged access for their third-party vendors. He noted that HIPAA compliance is less about seeking a HIPAA badge of sorts and more about implementing processes and tools in a compliant manner.
“It’s not enough to just focus on purchasing and deploying tools and systems that tout HIPAA compliance, since using those tools properly is the difference between being compliant and failing an audit,” he said. “This means deploying HIPAA-compliant configurations within your systems and applications such as encryption standards, AES-128 or higher is a good starting point, and password requirements.”
Some of these HIPAA requirements are vague: not as a means of making them easy to achieve, but in recognition that security standards are constantly evolving. Sites should adhere to the latest updates of cybersecurity frameworks, such as those of the National Institute of Standards and Technology, when setting policies. With the correct tools and policies in place, user training and compliance enforcement becomes much easier.
HIPAA violations—or worse, breaches—can come from several different places. One of the biggest, according to Dowdell, involves encryption standards.
“Failure to encrypt data or the use of outdated and insufficient encryption places data in a precarious position,” he said. “Should the data, the access to them, the device they’re on, the network they’re on, or some other component of the data security be compromised in any way, PHI without proper encryption turns into a disaster. This can mean anything from an unencrypted database that third parties access to an employee’s laptop that got stolen on the train.”
Another common violation is unauthorized or unintended access.
“Preventing all access to PHI is impossible and defeats the purpose of maintaining the information; after all, the right people need access to the right information,” Dowdell said. “The right people getting to the wrong information or more than they need is a common violation and the wrong people getting access to information at all is one of the worst violations.”
Compromised PHI based on user access can be as simple as granting your users access to all the information in a system when they only needed a single patient’s or a small data set. It can also involve bringing in a vendor and granting them network access when they only need remote access to the individual devices they maintain.
Additionally, HIPAA compliance requires staff training, and getting that rolled out effectively can be difficult and cause some violations.
“Missing portions of the staff that need it, or having a training fall on deaf ears can either be a direct violation or result in violations,” Dowdell said, “An untrained staff member might be caught discussing PHI when and where they shouldn’t because they don’t know better. Likewise, an untrained staff member might improperly use the tools they have and misplace data [digitally or physically], resulting in more violations.”
Actionable Methods for Compliance
Pharmacies can use several methods to ensure pharmacy HIPAA compliance, but continuous training is one of the most important.
For instance, at Carolina Pharmacy Group, all new hires undergo HIPAA-related training compliance courses, as do the rest of the staff annually, according to Patel.
“We also conduct audits of each of our pharmacies once or twice a year to ensure all compliance is met,” Patel said. “A newer method we have employed is having mystery shoppers call or visit our locations and attempt to obtain health information on behalf of someone else. This shows how well trained your staff is [on] both HIPAA and company policies.”
When Hedges goes into a pharmacy for an assessment, he sits in the waiting area and listens. If he hears conversations behind the counter, he knows that’s an issue and a possible violation. He suggests adding ambient noise such as music to keep other individuals from hearing what’s being said.
“You also need to post your notice of privacy practice in a public area and up on the website,” he said.
“Using a checklist to get started is a great way to start to spot gaps that you can dig a bit deeper into,” he said. “Inevitably, some detailed review of individual systems and their configurations is required.”
It’s also important for independent pharmacists to stay up to date on any changes to HIPAA compliance and ensure that the entire staff is aware of any such changes.
“It is imperative that all pharmacy owners stay on top of the ever-changing landscape of medical information, including HIPAA, and how events like COVID-19, for example, can affect HIPAA,” Patel said.
The Department of Health and Human Services is the primary source for all things HIPAA related, especially changes to HIPAA. Additionally, medical industry publications and journals often have the latest changes.
“HIPAA is complex and has many requirements,” Miliambro said. “Some of the requirements are unambiguous and apply to all covered entities [equally], like providing patients with access to their medical records or adopting and providing a Notice of Privacy Practices. However, many requirements, especially those pertaining to the security of PHI and how that PHI must be secured, will depend on a pharmacist’s activities, resources, and sophistication.”