DRUGTOPICS© FOR THE HEALTH-SYSTEM PHARMACIST

Complying with HIPAA: Are you ready?

Health-system pharmacists have a long tradition of supporting patient privacy standards. However, reaction to the Department of Health & Human Services' final privacy rule has been mixed because of concerns over how the new rule might impact patient care. The final rule as required by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) creates national standards designed to protect an individual's personal health information.

In addition to having patient care concerns, some pharmacists contend that complying with HIPAA privacy requirements could prove costly in some cases. Take the University of Utah Hospitals & Clinics in Salt Lake City as an example. A position of full-time HIPAA compliance officer has been created there to make sure that all information systems are HIPAA-compliant. When the pharmacy began designing an Internet prescription refill system for patients, HIPAA became an obstacle.

"We couldn't do it by e-mail because we couldn't make the system HIPAA-compliant. We'd have to have it all encrypted and coded, and that would be expensive," said James Jorgenson, director of pharmacy at University of Utah Hospitals & Clinics. "We had to set it up where the patients give us their information and then the computer automatically sends a fax to the individual pharmacy."

Jorgenson told Drug Topics that HIPAA compliance has had an impact on research, too. "There's no real clearinghouse in the hospital, other than the institutional review board [IRB] right now, to determine whether something is HIPAA- compliant or not." So, by default, everything with any kind of a question is being sent to the IRB. It's bogging the entire process down." In some instances, he said, it doubles the amount of time it takes to get something through the IRB process because there's so much extra material they're looking at to determine HIPAA compliance.

In its final privacy rule, HHS said that it plans to issue guidance on the "waiver criteria" for using patient information in medical research. Though IRBs and privacy boards may initially struggle to interpret the criteria, HHS intends to issue guidance documents to address this concern. "That would certainly be helpful," commented Jorgenson. He agrees that safeguarding patient information is a good idea. "It's just that the extent to which HIPAA has taken it is a little bit beyond what most of us have been doing. There's a happy medium someplace in there." He also noted that there are stiff financial penalties for noncompliance.

ASHP has a strong policy supporting patient privacy as long as it doesn't impede the relationship between the patient and pharmacist in terms of getting the appropriate medical information to facilitate treatment, said Gary Stein, director of federal regulatory affairs for the association. "Pharmacists in general are very aware of the need for confidentiality. I don't know what effect this [final rule] will have on the transfer of information from doctors to pharmacists. But in hospital settings, it shouldn't be much of a problem," he said.

James Stevenson, director of pharmacy services at the University of Michigan Health System in Ann Arbor, said that the major concern regarding HIPAA and pharmacy centered on transferring prescription information. HHS has dropped a requirement for pharmacists to obtain prior written consent from patients before they could deliver their services. "Initially the rules could have obstructed the flow of patient care," he said. "Now, with the final rule, there's much more balance from a pharmacy perspective."

Some pharmacy leaders contend that with the proliferation of new technology such as computerized physician order entry (CPOE) and personal digital assistants (PDAs), the accessibility and availability of information is increasing dramatically. "With HIPAA, we want to be sure that we don't put blinders on that protect confidentiality, but does it at the risk of patient safety or quality," said William Gouveia, director of pharmacy at the New England Medical Center in Boston. Patient identifiers such as physician order forms and labels can be particularly vulnerable.

"In the past, we've typically thrown them away, but, under HIPAA guidelines, they need to be shredded," said Gouveia. He observed that if you walk into the average hospital ward, there's a list that's posted on a white board that includes the patient's name and the physician. "That's private information," he said, adding that he hopes everyone will be more vigilant under the new HIPAA rules.

But it appears that, for the most part, health-system pharmacists don't expect too much trouble in the inpatient pharmacy in terms of complying with HIPAA. "It's not a big deal," said Gouveia. "It's yet another hurdle we have to face."

Anthony Vecchione

Tony Vecchione. Complying with HIPAA: Are you ready?.

Drug Topics

2002;18:HSE1.