Keith Loria is a contributing writer to Medical Economics.
A look at common HIPAA mistakes in pharmacies and how to avoid them.
Brian McCullough, PharmD, BCPS, assistant professor at Husson University School of Pharmacy in Bangor, ME, remembers an incident from his pharmacy residency.
He was on an elevator with colleagues, when one of them said, “You should see my patient Mr. ‘Jones.’ He is huge! He must be at least 500 pounds. I’m surprised they found a bed big enough for him!”
“Our residency director called an impromptu meeting that afternoon. The resident who made the comment was already in the room; eyes puffy, tears streaming down her face.
It turns out that the other people on the elevator were Mr. Jones’s family, including his wife,” he says. “They had filed a complaint soon afterward, and our director was very clear that this behavior was not tolerated.”
Fortunately, the family allowed the complaint to stay internal to the hospital. Had they not, a large fine, a lawsuit, and possible job termination could have been the result.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. It enacted penalties if a patient’s health information is shared with anyone not authorized to obtain this information.
While this law is more than 20 years old, it is still good for providers and pharmacies to remember the impact that words and actions can have on patients’ health information, and that this information must be protected or penalties may be incurred.
The Name Game
Yana Paulson, PharmD, chief pharmacy officer for L.A. Care Health Plan, says a big cause of HIPAA violations in a pharmacy is filling prescriptions for two patients with the same name in a rush and dispensing the medication to the wrong person.
“Not only are the two patients getting the wrong medication, but also confidential information about the patients’ medical condition is disclosed to unauthorized individuals,” she says. “To prevent this mistake from happening, pharmacists usually have checklists in place to verify the patients’ date of birth and address.”
For example, a pharmacist once prepared and released a prescription that was for a different patient with the same name. The patient took the blood pressure medication that was not intended for them and, after three months, complained to the pharmacist of dizziness and light-headedness. The pharmacist checked the records and discovered the error.
“The pharmacist informed the patient’s doctor and directed the patient to get a check-up to ensure they were not harmed, and an incident report was filed,” Paulson says. “The other patient with the same name was also contacted and the pharmacist made sure they also had a checkup to confirm the need for the blood pressure medication and to let the doctor know that the patient has not been taking it for three months.”
Additionally, when in a rush to minimize the wait time, a pharmacist who types a prescription label can, by mistake, choose the incorrect prescriber, especially if there are multiple prescribers with the same name in the database the pharmacist is using (e.g., Dr. John Smith).
“The HIPAA violation occurs when the pharmacist or the plan decide to contact the prescriber because they need to communicate with him/her and the information is faxed to the wrong prescriber who is not authorized to see it,” Paulson says.
“To prevent this from occurring, the pharmacists usually have a checklist to remind them to verify that the address and phone number of the prescriber in the database matches with the information on the prescription,” Paulson adds.
Policies and Procedures
Jay Hodes, president of Colington Consulting, which provides HIPAA consulting services for healthcare providers and businesses, notes inadequate policies and procedures often lead to HIPAA violations, citing three noteworthy examples.
In February 2009, in a case involving CVS, media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores, containers that were not secure and could be accessed by the public.
Hodes says the investigation found CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and failed to adequately train employees on how to dispose of such information properly.
“This is a common theme in the healthcare sector, not training one’s workforce in general and on organization-specific policy and procedure,” he says. “This CVS case is clearly human error and could have been prevented with comprehensive policies and procedures along with holding the workforce accountable.”
In July 2010, a case involving Rite Aid stemmed from an investigation after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public.
“The investigation found Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information,” Hodes says. “Again, the training issue along with inadequate policies and procedures caused the problem.”
In April 2015, in a case involving Cornell Prescription Pharmacy, a compliance review and investigation were opened after notification was received from a local Denver news outlet regarding the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked open container on Cornell’s premises.
The documents were not shredded and contained identifiable information regarding specific patients.
The investigation revealed Cornell’s failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to provide training on policies and procedures to its workforce as required by the rule.
“And once again, the same training issue along with inadequate policies and procedures,” Hodes says. “These cases represented two large corporate pharmacies along with what appears to be a small, independent. I see the Cornell case as sending a message that enforcement actions will happen even to small companies and just not large corporations.”
In general, any “covered entity,” which any pharmacy would be regardless of size, must have comprehensive HIPAA policies and procedures in place to address all the HIPAA Security Standards and Implementation Specifications found in the Code of Federal Regulations (CFR).
The CFR requires workforce training to cover security awareness and applicable HIPAA Privacy Rule requirements.
Proper Information Exchange
Matt Fisher, partner at Worcester, MA-based Mirick O’Connell and chair of the firm’s health law group, says for pharmacists, HIPAA is often used, either mistakenly or intentionally, to deny the provision of information or hinder the exchange of information.
“There could be some degree of reluctance to interact with other providers or coordinate care without an authorization or consent,” he says.
“However, HIPAA allows uses and disclosures for treatment, payment, and healthcare operations, all of which pretty much enable the use of patient information for most purposes related to smooth operation of a pharmacy or other healthcare entity,” he adds.
Additionally, there could be a reluctance to allow an individual’s family member, caregiver, or other person to pick up a prescription or obtain information. Unless the patient has specifically objected, another person can pick up a prescription or obtain information so long as there has been an opportunity to object.
“That could potentially be challenging to determine, but circumstances can be informative,” Fisher says. “Overall, the key is to remember that HIPAA does not prohibit common sense operations in most instances.”
HIPAA violations usually occur when the team is in a rush to complete tasks quickly so as to minimize wait time. In such situations, Paulson says, mistakes will happen.
One common violation occurs, she says, when the pharmacist consults the patient about his or her medication, and the consultation can be overheard by people standing in line. To prevent that privacy breach, pharmacies should have a consultation area away from the cash register or check out area.
“An example of a larger scale HIPAA violation can occur when a health plan or a clinic wants to send a letter to all patients who are on medication that is being recalled,” Paulson says. “If the data is pulled from the database incorrectly, all the letters could be sent to wrong addresses, causing a large-scale privacy breach. To prevent this, health plans and clinics must have quality controls in place to ensure all data is verified before it is used.”
Penalties and Warnings
In most pharmacies, the system is programmed to walk the pharmacist through multiple points to double-check all the information on a prescription before it is finalized. However, Paulson says, when these are missed and mistakes are made, the penalties can include termination from employment for repeated mistakes, or referral to the State Board of Pharmacy, which may result in discipline such as a suspension of license to practice.
“There can also be civil financial penalties to the business if a large number of patients are impacted,” he says.
Penalties for a HIPAA violation for a pharmacy can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. The HHS Office for Civil Rights (OCR), the office that enforces the HIPAA regulations, has levied criminal charges in conjunction with the U.S. Department of Justice for HIPAA violations in the past.
As of December 2018, OCR has settled or imposed a civil money penalty in 62 cases resulting in a total dollar amount of $96,581,582.00. OCR has investigated a great many complaints against many different types of entities including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
“There are no warnings,” Hodes says. “If a breach occurs, there is a self-reporting notification requirement that is made to OCR. In some less egregious cases as part of the investigative process, OCR will issue a corrective action letter with technical guidance to the organization that had the violation. It will detail the required and necessary mitigation to resolve the noncompliance issue(s).”
The pharmacy at Atlantic Health System, headquartered in New Jersey, is responsible for verifying, dispensing, and monitoring more than three million medication doses per year.
Cliff Moore, RPh, MS, director of pharmacy services at Atlantic Health System (AHS), says AHS has implemented barcode scanning at each step of the medication dispensing process - from pharmacist verification of the prescription to loading the medication into the automated dispensing cabinet to nurses scanning the drug before administration to the patient - in an effort to curtail mistakes.
“These steps allow the pharmacy team to proactively monitor medication bar coding compliance and correct any potential errors in real-time at all of our six sites,” he says.
Training is an annual requirement for pharmacists, so HIPAA violations should be few.
“Whether a pharmacy purchases a HIPAA training DVD and makes the staff watch it or utilizes some type of web-based or instructor-led training, the bottom line is it has to be done, completed, and most importantly, documented,” Hodes says. “Cover routine items like paper document disposal with specific procedures. If investigated for a breach, there is a good possibility documentation of training provided will be requested.”
He adds that a HIPAA compliance program will take some work and should not be considered a “one and done” scenario. Best practices include training the workforce, conducting the required security risk assessment, and making sure there are HIPAA policies and procedures to cover the HIPAA Security Standards and Implementation Specifications.
“After a reportable breach occurs, it is too late in the game to see if an organization’s HIPAA compliance program can stand up to OCR scrutiny,” he says. “OCR will always want to determine what the organization had in place prior to the breach occurring, not after it was reported.”
Paulson says pharmacists must develop a habit of following all the controls that were put in the workflow to prevent HIPAA violations, using all checklists and alerts, and ensuring that all the information is correct before dispensing the medications.