Appointing a privacy officer, assessing a pharmacy

January 20, 2003

Second installment to Countdown to HIPAA



Editor's note: On Dec. 4, 2002, as the first HIPAA column was going to press, the Department of Health & Human Services, Office of Civil Rights (OCR), released its "Guidance Explaining Significant Aspects of the Privacy Rule." The 123-page guidance provides an excellent overview of the privacy rule and may be retrieved from the OCR Web site under the heading "What's New."

The Health Insurance Portability & Accountability Act requires each pharmacy to appoint a privacy officer to be responsible for carrying out activities associated with HIPAA compliance. Often asked is whether the privacy officer has to be a pharmacist. The answer is No—HIPAA does not require a pharmacist to serve as the privacy officer.

In fact, a pharmacist may not be the best person to serve as the privacy officer due to the time commitment necessary for an R.Ph. to carry out current duties. It may be more effective to appoint a nonpharmacist, such as a technician or clerk.

Consider, for example, when a patient files a complaint that the pharmacy violated HIPAA. Pharmacies should encourage patients to file complaints with the pharmacy rather than OCR. But doing this means that the privacy officer must be attentive to the complaint and the patient who filed it, which may include meeting with the patient.

Chances are a patient who files a complaint is angry, or at least upset. Now picture a pharmacist sitting down to meet with the patient to resolve the complaint and being called away every few minutes to respond to an activity in the prescription department. This may further anger the patient and lead to the patient's filing a complaint with OCR. And the follow-up to such a complaint could be extensive.

A nonpharmacist considered for privacy officer must have knowledge and experience in the pharmacy operation. Careful consideration must be given to the competency of anyone being considered for privacy officer activities, which include, but are not limited to, the following:

• Acquire extensive knowledge of the HIPAA requirements and their application to your pharmacy.

• Develop your pharmacy's compliance plan, policies, and procedures.

• Conform your pharmacy operations, such as computer software, to HIPAA requirements.

• Develop your pharmacy's written Notice of Privacy Practices and a system for its distribution and acknowledgment of receipt by patients.

• Assist patients in exercising their rights under HIPAA.

• Obtain patient authorization for use and disclosure of protected health information (PHI).

• Resolve patient complaints.

• Prepare materials and oversee a pharmacy's cooperation and assistance in response to an investigation or compliance review by OCR.

• Maintain a secure filing system for all forms, documents, and records.

• Conduct/arrange staff training.

• Assist in establishing and imposing disciplinary measures against staff violating HIPAA requirements or the pharmacy's policies.

• Meet with patients to answer questions, provide information, and otherwise assist them.

• Assist in contracting with business associates, including setting up meetings with them, as necessary.

• Conduct planned and unplanned internal compliance audits.

• Monitor for changes in HIPAA requirements and make necessary modifications.

Because of the serious nature of the activities described above, the privacy officer must be given the authority to carry out these activities and be actively engaged in assessing the pharmacy environment.

A compliance plan must be tailored to the unique environment of each pharmacy, which requires an assessment of the pharmacy's environment. The assessment is basically a process of asking questions about the pharmacy operation and how it manages PHI.

Various assessment methods can be used, including detailed observations of daily activities and tracking of Rxs from start to finish. Whatever method is used, answers to the following questions, and many more that you identify, need to be obtained and recorded.

• What are the routine and unusual uses and disclosures of PHI?

• Are there "gaps" in the pharmacy's management of PHI that present risk of improper use and disclosure of PHI?

• Is the patient counseling area sufficiently private?

• Is there space where the privacy officer can meet with patients and that can be secured for storing records?

• How is information for the patient profile acquired?

• Are phone conversations containing PHI conducted outside the Rx department?

• How are computer records, including daily backup, secured and maintained?

• Who are the business associates of the pharmacy and are any contracting activities required?

After acquiring extensive knowledge of the HIPAA requirements, the privacy officer will be able to recognize questions about the pharmacy environment that must be answered.

By Walter L. Fitzgerald Jr., R.Ph., J.D.

Walter L. Fitzgerald Jr., a pharmacist-attorney, is a professor of pharmacy at the University of Tennessee College of Pharmacy and author of the NCPA HIPAA Compliance Handbook for Independent Pharmacy.


Walter Fitzgerald. Appointing a privacy officer, assessing a pharmacy. Drug Topics 2003;2:49.