Don’t Get Caught Up With a HIPAA Violation


Sometimes, breaches in information are the result of a simple mistake. How can those be avoided?

Credit: R.J. Hedges & Associates

Jeff Hedges, CDME, president and CEO of R. J. Hedges & Associates of New Florence, Pennsylvania, gave the presentation “Legal Compliance for the Pharmacy Staff” at DiversifyRx Pharmacy Profit Summit 2023 in Dallas, Texas, to answer specific questions regarding the legal upkeep within a pharmacy.1

Over the past few years, the Health Insurance Portability and Accountability Act (HIPAA) has been a hot topic in public discourse—even if the general public doesn’t understand the specifics of the act or what a “HIPAA violation” truly is. Hedges, the self-proclaimed “HIPAA guy,” said that HIPAA breaches can occur “any time the pharmacy loses control of PHI [Protected Health Information].” The 2 types of breaches, he explained, are reportable and non-reportable. A reportable breach means that PHI was unrecovered and there was exposure, while a non-reportable breach means PHI was recovered and no exposure took place.

“You don’t want to get caught with a reportable breach…. Normally, reportable breaches happen with a hack, with someone getting into your system,” he said.

In 2022, the health care world saw some massive repercussions due to HIPAA attacks and breaches. OneTouchPoint—a mailing and printing vendor—was breached, affecting over 2 million individuals. According to HIPAA Journal, “OneTouchPoint said it discovered the attack on April 28, 2022, when files on its systems were encrypted. A forensic investigation was launched to determine the nature and scope of the security breach, which revealed its servers were compromised on April 27, 2022, and certain files containing sensitive data were accessed.” Personal employee and customer information was part of the breach.2

But not all HIPAA violations are devised plans carried out by hackers or professionals, Hedges explained. HIPAA breaches can start from something as simple as an overheard conversation or supplies and medications being delivered to the wrong address. Thus, Hedges says pharmacies should be intentional about who can receive patients’ information and keep a close eye on exactly when shipments are to be delivered. Regardless of how the breach starts, it can end in catastrophe.

Often, the act that may lead to a HIPAA breach has harmless intent. According to HIPAA Journal, “Improper disposal of prescription labels or medication information, such as discarding them in regular trash bins instead of utilizing secure disposal methods, could expose patient data to unauthorized individuals.”

Advocate Aurora Health inadvertently exposed the information of 3 million patients due to tracking technologies. “Advocate Aurora explained in a statement on its website that through the use of internet tracking technologies certain interactions on the provider’s website were leaked. The technologies from companies like Google and Facebook’s parent company Meta put pieces of code, called pixels, on certain websites and applications,” according to Fierce Healthcare.3

Thus, lack of attentiveness is not the sole cause of HIPAA violations, and neither is nefarious activity from outside organizations. There is no one way that HIPAA can be violated, so being conscientious whenever patient information is involved in something your pharmacy does is paramount to avoiding disaster.


1. Hedges, Jeff. Legal Compliance for the Pharmacy Staff. DiversifyRx Pharmacy Profit Summit, August 4-5, 2023. Dallas, Texas.

2. OneTouchPoint Ransomware Victim Count Increases to 2.65 Million. The HIPAA Journal. September 1, 2022. Accessed August 21, 2023.

3. Advocate Aurora says 3M patients' health data possibly exposed through tracking technologies. Fierce Healthcare. Published October 20, 2022. Accessed August 21, 2023.
