GOVERNMENT and LAW

What every independent R.Ph. should know about HIPAA

If you think you had a lot to learn to comply with the Omnibus Budget Reconciliation Act, wait till you get a load of the Health Insurance Portability & Accountability Act. The extent of the knowledge you have to acquire for HIPAA far exceeds that of OBRA, warned Walter Fitzgerald Jr., a pharmacist-lawyer with the University of Tennessee, College of Pharmacy.

To hear what Fitzgerald had to say about this new law, more than 1,000 pharmacists flocked to his presentation at the recent National Community Pharmacists Association annual meeting in Nashville. So many R.Ph.s showed up that extra stacks of chairs had to be delivered to the room to accommodate the sell-out crowd.

According to Fitzgerald, there are many things pharmacists must do by April 15, 2003, when HIPAA goes into effect. They range from appointing a privacy officer, to sending out privacy notices to patients, to setting up a complaints department for patients to file their beefs. With all these steps to be taken, there's no way to avoid spending money to comply with HIPAA, he said flatly.

A resource that pharmacists can turn to for hand-holding is a soon-to-be-released HIPAA manual from NCPA, said Fitzgerald, who is one of its coauthors. It provides not only a good summary of the law, for those who don't want to slog through the Federal Register, but also user-friendly templates pharmacists can use to create customized notices of their privacy practices and other forms, he said. The price of this handbook: $225 for members.

Another aid to HIPAA compliance is systems that capture electronic signatures. It's time pharmacies did away with manual signatures and moved to these systems, which are already common in department stores, Fitzgerald said. Wouldn't it be nice if pharmacists could call up their patient profiles to see if they have patients' e-signatures on file, acknowledging receipt of their privacy notices? Pharmacists should work with their software vendors to put these programs into place, he suggested.

The pharmacy professor offered attendees a time line for building a HIPAA compliance plan. From now through December, he said, they should bone up on HIPAA, designate someone to serve as their privacy officer, and review their contracts with their business associates to ensure that patients' health information is protected. In January 2003, they should complete their compliance plan by preparing their pharmacy's policies and procedures, privacy notice, and other forms. In February, it would be a good idea to pilot-test their compliance plan and prepare staff training materials. In March, they can modify their compliance plan based on their pilot-test results, begin staff training, and complete contracting with their business associates. Then from April 1 to 14, they should verify that their operations and files are ready, their staff is trained, and all business associate contracts are finalized. Finally, on April 15, or "D day," they should begin distributing their privacy notices to their patients, obtain their written acknowledgment that they have received the document, and initiate monitoring of their compliance plan.

Not all health providers must meet HIPAA's requirements—only those who have a direct treatment relationship with patients. Thus, Fitzgerald believes that nuclear pharmacists, whose products are dispensed to hospital radiology departments or cardiology clinics, rather than to patients directly, may be able to get away with not following this law. "We'll see if they apply for an exemption," he said.

As onerous as HIPAA appears to be to most health providers, it carries a couple of "silver linings," Fitzgerald told the audience. For one thing, if patients come in asking for health information relating to a relative, pharmacists now have a solid excuse not to share it with them, since the law prohibits the practice. Another nice feature about the new law is that patients have a right to see their pharmacy records and request that they be amended. To Fitzgerald, this is good risk management, since patients could make sure, say, that all their allergies are listed in their profile.

To underscore that HIPAA means business, Fitzgerald noted that violators are subject to civil and/or criminal penalties, with the highest punishment being 10 years in prison and a $250,000 fine.

Closing his presentation with a joke, Fitzgerald suggested that pharmacists could name their privacy officer "Helen Waite." So if patients "have a request or want to file a complaint, go to Helen Waite," he deadpanned.

Judy Chi

Judy Chi. What every independent R.Ph. should know about HIPAA.

Drug Topics

2002;22:49.