HIPAA: FINAL COUNTDOWN?

October 21, 2002

Pharmacies have just six months to get ready to implement HIPAA, the massive federal patient privacy protection regulations.

 

COVER STORY

FINAL COUNTDOWN?

Remember the White Rabbit in Alice in Wonderland who scurries around consulting his pocket watch and proclaiming, "I'm late. I'm late. For a very important date"? Pharmacists may be feeling a little like that harried hare. They, too, have a very important date on April 14, the deadline for compliance with Uncle Sam's sweeping new patient privacy regulations.

With only six months to go, pharmacy, like the rest of the healthcare industry, has to be ready to hit the ground running to implement the sweeping Health Insurance Portability and Accountability Act (HIPAA) privacy regulations that were only finalized on Aug. 14.

There are many aspects of the mandate that must be addressed all at once: Pharmacies have to analyze how they currently handle privacy and then create and adopt their own privacy policies to meet HIPAA's requirements; devise, implement, and document a workforce-training program based on the pharmacy's privacy policy; scrutinize and sign contracts with business associates; assess the need for privacy safeguards to prevent others from overhearing conversations with patients; and decide how patient signatures will be obtained and stored. All of this, and more, must be completed by April 14.

"Pharmacies have so many things to do it's hard to know where to start," said Don Bell, associate general counsel, National Association of Chain Drug Stores. "It can be paralyzing and confusing if you have so much to do. My impression is that pharmacists are very aware of compliance difficulties, and chains and independents are working very hard on this issue."

But it's not yet time to panic, cautioned Douglas Hoey, v.p. of practice affairs, National Community Pharmacists Association. "I think just not knowing what to do is probably the worst part because it's so unclear and there have been so many iterations; it's been a moving target," he said. "It's a big deal and a hassle, but you do have time to plan and develop a strategy to comply."

Finally, a final rule

HIPAA has been in the works since 1996, but it wasn't until Aug. 14 that the Department of Health & Human Services published the final rule on patient privacy. And pharmacy let out a sigh of relief because the bureaucrats apparently listened to warnings that the original mandate would paralyze pharmacies. HHS dropped the mandate for written prior patient approval before protected health information (PHI) could be used or disclosed.

Now pharmacies have regulatory permission to use or disclose PHI in the course of providing treatment, collecting payment, and conducting healthcare operations. "Pharmacists would not have been able to fill a prescription, search for potential drug interactions, determine eligibility, or verify coverage before the individual arrived at the pharmacy to pick up the script if the individual had not already provided consent under the Privacy Rule," HHS noted in its explanation of the rule change making prior consent optional.

However, having honed red tape weaving to an art form, HHS bureaucrats substituted another requirement. Pharmacies now have to try to obtain each patient's written acknowledgment of receipt of the pharmacy's notice of its privacy policies and patients' rights. But pharmacies can dispense Rxs or otherwise use PHI before an acknowledgment is obtained. If the pharmacy doesn't obtain the acknowledgment, it must document a "good faith effort" to get it and the reason why it could not be obtained.

Pharmacies have to collect a signed patient acknowledgment only once, but that signed acknowledgment must be kept on file. "It'll be a little easier to get the acknowledgment, but the bottom line is that pharmacies still have to make an effort to get a signed document from every single patient," said Bell. "If someone refuses to sign, you can still provide healthcare services."

The notice of privacy policy and procedures is an opportunity for pharmacists to do a little risk management, said Walter Fitzgerald, pharmacist-attorney and professor of pharmacy at the University of Tennessee College of Pharmacy. For example, when patients sign an acknowledgment, they can't later claim they didn't know the pharmacy's policy on providing year-end dispensing records for tax purposes.

Pharmacists should also bear in mind that patients can access their records and request that changes be made, said Fitzgerald, who has just completed a HIPAA handbook for NCPA. They also have a right to ask for an accounting of every disclosure of their PHI made that is not related to treatment, payment, or healthcare operations or not specifically excluded by HIPAA. That means pharmacies need to create a new database for disclosure accounting purposes, and it has to be maintained for six years.

"The accounting also raises the issue of what kind of comments pharmacists have been putting in those records," said Fitzgerald. "Say a pharmacist puts in a note that a suspected doctor shopper is a drug addict. The patient is not going to be real happy about that."

Pharmacies can have patients sign the third-party Rx logbook to acknowledge receipt of the notice of privacy policy as long as that's stated on the log, said Bell. They cannot, however, combine the acknowledgment and a waiver of consultation on the same form. So signatures must be obtained in two separate places.

Pharmacies should be able to keep logs even though they list other patient names, Bell said. The agency "didn't specifically say prescription logs used can sit on the counter for everyone to see," he said, but he noted sign-in sheets in physicians' offices did receive HHS' blessing.

Pharmacies should adopt electronic signature capture to sidestep the logbook question altogether, said Fitzgerald, who added, "It's not that expensive, and it would eliminate the privacy problem. It also takes care of getting the acknowledgment signatures of cash customers."

One area HHS' final rule clarified is just what is considered to be pharmacy treatment, said Patrick Gavin, senior v.p. of pharmacy relations and chief privacy officer with ateb Inc., a software firm in Raleigh, N.C. "Before the final rule, normal treatment activities, such as refill reminders and disease state management, were considered to be marketing," he said. "Now, basically everything traditionally done by a pharmacy is included under treatment, so it doesn't require any additional patient authorization."

Marketing has been a HIPAA flash point between patient privacy advocates and companies wanting to market their products. Before the final rule was issued, companies could market health-related services and functions to a patient as long as the patient was allowed to opt out of receiving any future marketing information, Gavin explained. The final rule killed the opt-out loophole. Instead, marketing is permitted only if the patient agrees beforehand to receive it.

"If a pharmacy sells a mailing list to a drug company wanting to contact patients, that would be marketing and would require the patient's prior permission," said Gavin. "The most common example is a drug switch. That would require the patient's authorization before you could send him or her any type of material suggesting the switch."

The marketing rule sets up a catch-22, because a pharmacy or company cannot send solicitation letters to patients asking for permission to send them marketing materials. However, pharmacists can ask patients for such permission face-to-face. The patient must then sign an authorization, Gavin added.

"When you're collecting PHI, if it's going to be for anything other than treatment, payment, or healthcare operations, you'll be required to have patient consent," Gavin said. "For example, if you mail ads to people based on addresses taken from the patient profile, that's clearly marketing and requires patient opt-in."

Training day

Two of the biggest, interrelated challenges facing pharmacies are defining their privacy policy and then training personnel about that policy. "This is where pharmacies really look at what they're doing relative to PHI," said Gavin. "That includes things such as how the prescription is handed out or what the policy is when a patient comes in to pick up the prescription. It all has to be spelled out."

Once the policy is figured out, HHS said pharmacies have to train all members of their workforce based on their functions. The pharmacy workforce includes pharmacists, technicians, clerks, custodians, and anyone else with access to patients or patient information. But the training regulation doesn't stop there; it also covers volunteers, trainees, and temporary workers, even if they are not paid directly by the pharmacy. The rule also appears to require training for pharmacy students and high school students who help out behind the counter as part of a job-training program or career day.

It's not yet clear whether all pharmacy employees have to be trained or just those with access to patients or PHI. "The question is, 'Do pharmacies have to train other employees even though they don't have access?'" said Bell, who added that NACDS has developed a customizable training program. "The good news is that pharmacies can be hybrid entities and carve out the front end where the rules wouldn't apply. The bad news is that you have to build an information firewall between the pharmacy and the front end. If you send patients with scripts to the front end, then you probably need to make sure all the privacy rules apply there."

States' rights

Although HIPAA is a sweeping change, the privacy rule does not necessarily preempt state regulations that are more stringent. The federal rule is the minimum, but states are free to beef up their own approach to privacy.

Discovering and tracking the privacy laws in all the states in which chains operate is a huge, expensive proposition. And the non-preemption rule applies not just to a state's laws but also its regulations and court decisions.

"It's a nightmare," said NACDS' Bell. "It's not enough to just get a pile of a state's privacy statutes. You've got to go through this analysis, and say, 'All right, what is not preempted by HIPAA?' There are actually more than a dozen categories of state law that are not preempted. Then you have to go through each state in which you operate; collect all the privacy laws, regulations, and court cases; and then do the analysis to determine which ones are preempted by HIPAA. Of course, you've also got to update that analysis because of new laws, regulations, and court cases."

Recognizing the dilemma facing its members, NACDS is mulling over whether to conduct a HIPAA preemption analysis of all the states, Bell said. The database would be a resource for pharmacies to see which state laws are not preempted by HIPAA. "We can't promise it will happen," he said. "We've actually gone to law firms for estimates of the cost. The formal estimates were over $1 million. If we don't do the analysis, each chain will have to reinvent that wheel. We're trying to work something out."

Standard time

HIPAA is more than privacy regs; there are also rules for electronic claims transactions and security. Pharmacies had until Oct. 16 to apply for a one-year extension of the deadline to begin using the 5.1 transaction standard developed by the National Council for Prescription Drug Programs.

Uncle Sam's rules aside, third-party payers don't have to honor the one-year extension, said Rich Muller, industry analyst manager, QS/1 Data Systems. He said, however, that AdvancePCS and Express Scripts will continue to process claims using version 3.2 until Oct. 16, 2003, for pharmacies that filed for the extension, and he questioned whether Medco HealthSolutions will stick to its mid-November deadline for using 5.1.

"If pharmacies know they have the right version of software to support 5.1, they should start sending claims to someone as soon as they can," said Muller. "Why wait until it's required when you could be dealing with any potential problems before the huge gridlock when everybody else starts on the same day?"

When HHS adopted 5.1 in August 2000, it set the stage for a bitter impasse between community pharmacy and pharmacy benefit managers because 5.1 has many optional fields that PBMs want for the transmission of additional information, such as patient names. Four months later, the HIPAA privacy regulations came out, restricting transmission to only the minimum information necessary to file a claim.

The contradiction hooked community pharmacy on the horns of a dilemma. On one hand, HHS adopted a standard that lets PBMs force pharmacies to supply patient information they want in the optional fields. On the other hand, pharmacies now have a mandate to transmit only the minimum necessary information.

Community pharmacy quickly realized optional fields exposed them to legal liability. Attempts were made to sit down with PBMs to revise 5.1, but the sessions ended in a stalemate. So community pharmacy came up with its own implementation guide to replace 5.1 before it becomes a playground for lawyers and patients eager to sue their local pharmacy.

"It's bound to happen that some of this patient information is going to be used inappropriately," said Roy Bussewitz, v.p. of managed care-telecommunications, NACDS. "Breaches of patient privacy could happen in transmission, at the switch, or at the PBM, but, being the source of that information, community pharmacy is the one the patients initially blame. We're saying that we don't want chain drugstores to be sued and we don't want their names on the front page of the New York Times."

Facing the stonewall of PBM opposition to revision, the American Pharmaceutical Association, the American Society for Automation in Pharmacy, NACDS, and NCPA developed a competing implementation guide without 5.1's offending optional fields. Aware of the conflict, HHS officials have indicated the problem will be solved through rule making. But community pharmacy leaders are afraid that process will not be done by April 14, the deadline to implement the HIPAA regs. In a Sept. 26 letter, the coalition urged HHS secretary Tommy Thompson to move quickly to approve the alternative standard.

"Our hope is that the secretary will say, 'Your standard is better than NCPDP's because you've eliminated those optional fields,'" said Bussewitz, who added that it's been estimated that 5.1 has more than 100 optional fields.

HHS issued the proposed electronic security rule in 1998 but has yet to finalize it. While officialdom keeps saying it's imminent, some observers question whether that rule will ever be etched in stone because the privacy rule already addresses many security issues, Muller said.

D Day looms

April 14 is pharmacy's D Day, as in Deadline Day, when Uncle Sam expects the healthcare industry to be in compliance with the HIPAA mandate. But with only six months to complete a daunting to-do list, some question whether it's possible to turn the healthcare ship around in time.

Community pharmacies should not assume their software vendors will once again come to the rescue, warned Muller of QS/1. "I worry that there are pharmacies saying that it really isn't a big deal, the pharmacy system is going to handle it," he said. "They're required to document their own procedures and policies. No pharmacy system can document that for them. They're going to be fine on April 14 because legal questions won't come up that day. It might be a month or a year, but, at some point, if someone hasn't done all the background they need to do beyond getting the right pharmacy software version, they're going to get hit, and the fines are stiff."

Given the enormity of the changes and complexity of the regulations, Bell said NACDS has suggested that HHS give people time to get more familiar with the rules and not rush out on April 14, 2003, and start fining people. HHS has made no promises, he said. "No one should sit around thinking they're not going to implement the rules because HHS is going to change them," he cautioned.

Of course, that's supposing Alice's friend, the Mad Hatter, doesn't make a guest appearance to cause more HIPAA havoc in the guise of those folks who permanently live in Wonderland—the U.S. Congress.

Carol Ukens

Pharmacy's HIPAA to-do list

Since it's late in the HIPAA game, experts recommend that pharmacy owners:

• Get up to speed as quickly as possible. The National Association of Chain Drug Stores and National Community Pharmacists Association have developed handbooks on the Health Insurance Portability and Accountability Act for their members.

• Conduct a gap analysis to figure out how current privacy policies stack up against HIPAA requirements. Base the analysis in the real world of what actually goes on in the pharmacy, not just the stated policy. For example, personnel may be revealing patient information over the telephone even though it's prohibited by your policy.

• Appoint a privacy officer. HIPAA requires that every covered entity, including drugstore chains and independent pharmacies, designate a person to oversee privacy initiatives and compliance.

• Begin drafting a privacy policy about how protected health information will be handled. The policy will also have to be outlined in the notice of privacy practices provided to patients.

• In the months ahead, jot down all requests for protected patient information to identify types of disclosures that need to be included in the privacy policy.

• Check your physical environment to see whether you need to make changes to prevent others from overhearing protected health information. HIPAA requires providers to make "reasonable efforts" but not to remodel.

• Gear up to train personnel about the pharmacy's privacy policy. That includes R.Ph.s, techs, clerks, interns, janitors, temps, or anyone else with access to patients or patient information. Such training must be specific to the pharmacy. Decide how you'll document that training.

• Decide whether your pharmacy will be a hybrid entity, which excludes the front end from HIPAA but requires firewalls to keep protected health information in the Rx department.

• Check with vendors to make sure your pharmacy dispensing system is HIPAA compliant.

• Review contracts with business associates to determine whether changes are necessary.

• Consider other situations that HIPAA may affect. For example, do you participate in phone trees that may be giving out protected health information? Will it be necessary to change how year-end tax statements are handed out?

On-line HIPAA resources

Helpful Web sites offering information include:

• www.hipaadvisory.com

• http://aspe.os.dhhs.gov/admnsimp

• www.nacds.org

• www.hhs.gov/ocr/hipaa

• www.cms.gov/hipaa

• www.ncpdp.org

• www.hipaa.org

HIPAA tidbits

Here are some facts about the Health Insurance Portability and Accountability Act that you may not know:

• Prescription benefit managers are not directly subject to HIPAA.

• Unlike the Omnibus Budget Reconciliation Act of 1990, sanctions for HIPAA violations apply to individual employees, not just practice sites.

• The maximum penalty for criminal violations of HIPAA rules is a $250,000 fine and 10 years in prison.

• HIPAA's civil penalty is $25,000 per rule violation.

• It will cost the healthcare industry an estimated $17.5 billion to implement HIPAA, according to Health & Human Services. Others think it will be more.

• The 39 drugstore chains in a recent National Association of Chain Drug Stores survey estimated that they will have to train a combined total of more than 300,000 employees. That averages out to about 21.5 trainees for each of the nearly 14,000 pharmacies operated by those chains.

• The drugstore chains in the survey estimated that HIPAA-mandated training will cost an average of $67.49 per employee. The estimated combined total for those 39 chains to train their personnel exceeds $20 million.

Carol Ukens. HIPAA: FINAL COUNTDOWN?. Drug Topics 2002;20:30.