HIPAA violations can result in financial and legal penalties, and the methods of committing a violation continue to grow.
When the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was first enacted, federal and state governments made little effort to enforce the rules. But in recent years, as related legislation has been passed, more covered entities, including pharmacies, are being held accountable for upholding the act’s requirements.
Pharmacies may be subject to an audit or investigation by the Office for Civil Rights (OCR) that could result in significant fines or corrective actions. Pharmacies that violate HIPAA and expose protected health information (PHI) could open themselves up to a costly lawsuit.
“One thing we have seen over the last three or four years is these investigations have led to multimillion dollar fines,” says Joshua Potter, director of compliance for PRS Pharmacy Services, a pharmacy consulting company. “We’ve also seen patients actually suing covered entities, pharmacies included, when there has been a breach.”
More than ever, pharmacies need to evaluate their policies and procedures, learn how to avoid potential violations, educate pharmacy staff, and implement policies that dictate a course of action if a violation occurs. “The major concern with HIPAA is, in today’s environment, health information is considered highly protected,” says Angelo J. Cifaldi, RPh, an attorney at Wilentz, Goldman and Spitzer P.A., a law firm based in Woodbridge, NJ. “In light of HIPAA and all the responsibilities pharmacists have, they have to be cognizant of everything they do to make sure they are protecting that information.”
OCR has received more than 186,453 HIPAA complaints since 2003. The office has investigated and resolved 26,152 cases that required corrective actions or changes to privacy practices, and has settled or imposed fines for violations in 55 cases, totaling more than $78 million.
In 2010, Rite Aid Corporation and its 40 affiliated entities agreed to pay $1 million to settle potential HIPAA violations after a joint investigation by the OCR and the Federal Trade Commission found it had been improperly disposing of pill bottle labels that contained health information about patients.
If a suspected violation occurs in a pharmacy, Cifaldi says HHS issues a complaint that the pharmacy must respond to. “The agency is very concerned when they get a complaint, and they exercise it through, so pharmacies better have good policies in place for HIPAA,” he says.
Pharmacies can also be sued if patients believe their health information has been breached. In 2014, an Indiana Court of Appeals upheld a $1.4 million verdict against Walgreens after a pharmacist admitted to viewing the prescription records of her husband’s ex-girlfriend.
Cifaldi says most malpractice insurance policies for pharmacies don’t cover such lawsuits, which means pharmacies could often have to cover the legal expenses themselves.
Many pharmacies may incorrectly believe that simply having a notice of privacy practices (NPP) is sufficient, Potter says. “The notice of privacy practices is really just a document to let the patient know we have things in place to help ensure the privacy of protected health information,” he says. “There needs to be policies and procedures behind that, so just having that notice of privacy practices is not enough.”
For guidance on what the NPP should include, and how it should be provided to patients, visit here.
As pharmacies work toward creating effective policies and procedures to protect patient health information, including electronic records, they must first understand when the most common potential violations occur and what they can do to avoid them.
Subpoenas or Other Requests for Information
When a pharmacy gets a subpoena from a law enforcement agency or court, it can be intimidating, and a pharmacy owner may be tempted to just hand over their records rather than appear in court. Cifaldi recommends pharmacies first consult with an attorney.
“When pharmacists just respond to these things on their own and don’t consult their legal counsel, they end up sending more [information] than is required, which always creates an issue,” he says. Before providing information, pharmacies must first make sure the subpoena is enforceable and then determine if they need to seek consent before they release the information.
Potter says most subpoena requests will come from a state court, which means individual state laws determine what a valid subpoena is in that state.
Pharmacists also need to be aware of rules regarding requests for information, such as how quickly they need to provide it. Under federal law, Potter says, if a patient requests their own information, pharmacies have 30 days to provide records and can get an additional 30-day extension if necessary. However, these requests are often also subject to state laws which may have shorter time frames. “There’s all kinds of things that the states also have in place that make HIPAA a little more strict,” he says.
Information to Spouses
Allowing spouses to pick up medications for their significant other is a common practice, but it can sometimes lead to sticky situations. For example, Erica Lindsay, PharmD, MBA, a practicing healthcare attorney in Chicago, had a client whose wife was picking up her prescription at a grocery pharmacy when she was asked if she wanted to pick up her husband’s prescription, too. The woman was unaware her husband had a prescription for Viagra.
Lindsay believes this example was a violation of HIPAA but says it could also be argued that it falls under one of the law’s exemptions.
According to Cifaldi, under the HIPAA rules a spouse has authority to pick up a prescription, unless the patient has given specific instructions that the spouse is not to do so. Pharmacies need to have clear mechanisms in place to track such requests to ensure prescriptions aren’t erroneously handed out.
Lindsay says pharmacies need to be equally aware of potential HIPAA violations they make while they speak, whether it’s counseling a patient about a sensitive medication within hearing of other patients, a technician loudly announcing the patient’s name and medication name while they ring up the prescription, or providing automatic counseling to a patient who doesn’t want it.
While Lindsay says some attorneys may argue these aren’t true HIPAA violations, they are inappropriate and could open a pharmacy to a potential complaint. Because of potential privacy breaches, she believes a pharmacist should always ask a patient if it’s all right to counsel them before they begin.
“Under HIPAA, if the patient refuses to allow the practitioner to reveal her PHI, that practitioner must stop - not should, must,” Lindsay says.
Using silent methods to communicate information, such as pointing to the drug name on a computer screen or a printout, may improve patient privacy. Other strategies include giving patients a number rather than calling their last name when a prescription is ready.
Experts agree pharmacies also need to engage in regular training and education for employees who come in contact with patient data.
Electronic PHI, or EPHI, isn’t always something that is stressed as frequently at HIPAA trainings and conference sessions, but it’s equally important and could expose a pharmacy to a potential violation, says Cifaldi.
Potter recommends that pharmacies conduct a risk assessment to identify potential vulnerabilities that may exist in a pharmacy’s technology infrastructure. This includes making sure computers use updated antivirus software and making sure operating systems are current and secure.
Pharmacies need to think about who has access to electronic data and put in place policies and procedures that dictate its safe use, Potter says. These policies include making sure security software is current, to prevent unwanted data breaches from hackers, and instituting policies that prevent employees from removing electronic devices from the pharmacy.
In one case in New York, Cifaldi says someone took a laptop home from a hospital and lost it. Although the laptop was eventually recovered, it exposed the hospital to unnecessary risk.
Disposing of Records
Pharmacies must also consider how they dispose of patient information. For example, computer hard drives and other electronic equipment shouldn’t just be tossed in the trash. They need to be destroyed and the drives erased before they are disposed of. This extends to paperwork and labels that may have patient data, which need to be shredded or destroyed before being placed in the garbage.
Reporting a Breach
Even with preventative steps, it’s possible a data breach can occur. If a breach does occur, Cifaldi says pharmacies should first contact an attorney.
“I would highly recommend they consult with a lawyer who has knowledge, because there may be an obligation to report, but how you report could lead to a whole host of problems if you don’t report properly.”