Pharmacies & HIPAA Compliance

HIPAA is federal legislation that establishes the acceptable uses and disclosures of protected health information (PHI), implements standards for the secure storage and transmission of PHI, and gives patients the right to receive copies of their PHI. HIPAA compliance for pharmacies is a requirement. The fines for failing to adhere with HIPAA can be significant.

Key Factors of HIPAA Compliance for Pharmacies

The combined text of HIPAA Rules released by the Department of Health and Human Services’ Office for Civil Rights (OCR) is 115 pages, so covering all aspects of HIPAA compliance for pharmacies is beyond the range of this post; however, some of the key aspects of HIPAA compliance for pharmacies have been outlined below.

Complete risk analyses – A thorough, group wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks discovered must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a onetime checkbox duty. Risk analyses must be conducted constantly, such as when there is a change to business practices or new technology is implemented.

Secure PHI at all times – One of the most crucial aspects of HIPAA compliance for pharmacies is ensuring security measures are implemented to ensure the confidentiality, integrity, and availability of physical and electronic PHI. Pharmacies can decide on the best measures to implement with decisions guided by the results of the risk analysis.

Hire a privacy officer – A privacy officer must be hired. Any member of staff act as your designated privacy officer. That person’s responsibility is to ensure policies and processes are followed, documentation and filing is performed properly, and patient requests for PHI are responded to in a timely fashion. The privacy officer must also monitor for amendments to HIPAA regulations and work with the owner or manager to ensure ongoing compliance.

Obtain permissions – HIPAA allows the use of PHI for treatment purposes, asking for or receiving payment, or pharmacy operations. Any other use or sharing of PHI must be authorized by the patient in writing before PHI being used or disclosed.

Receive business associate agreements – A third party that requires access to PHI or copies of PHI to perform a service on behalf of the pharmacy is classified as a business associate and is also required to adhere with HIPAA Rules. A business associate must supply reasonable assurances to the covered group, by means of a business associate agreement, that the requirements of HIPAA have been understood and that HIPAA Rules will be followed.

Ensure PHI is not impermissibly disclosed – Accidentally or deliberately disclosing PHI for reasons not permitted by the Privacy Rule can cause considerable damage to patients. Policies and procedures must be developed and put in place to lessen the risk of impermissible disclosures. Care must be taken not to share more than the ‘minimum necessary’ PHI.

Supply patients with copies of their PHI – The HIPAA Privacy Rule allocates patients the right to obtain copies of their PHI on request. While that right is usually exercised with healthcare providers, pharmacies must also provide copies of pharmacy records related to an individual if sought.

Terminate PHI correctly – PHI such as prescription labels and documents must be terminated in a manner that stops the PHI from being viewed or reconstructed. Paperwork such as labels should be shredded, pulverized, pulped, or burnt. ePHI on electronic devices must be permanently deleted before disposal.

Supply training to staff – All pharmacy workers are required to comply with HIPAA Rules, as well as volunteers and interns that are required to deal with PHI. All staff must be trained and made aware of HIPAA Rules that are applicable o them and what constitutes PHI.  HIPAA training should be given as soon as possible with refresher training provided regularly. Pharmacies must also provide security awareness training to workers.

Advise patients of privacy practices – All HIPAA covered groups must record their privacy practices and share that information with patients. Signatures should be obtained from patients confirming they have been given the notice of privacy practices.

Alert patients/OCR of a privacy breach – Patients must be advised when their PHI has been exposed or stolen and OCR must also be alerted. Warnings must be sent to patients and OCR within 60 days of the discovery of a breach. OCR can be alerted of a breach affecting fewer than 500 people no later than 60 days from the end of the calendar year in which the breach happened.

Since HIPAA compliance for pharmacies can be complicated and the penalties for noncompliance severe, we suggest getting in touch with a compliance specialist who will be able to walk you through the steps you need to take to adhere with all aspects of HIPAA Rules. Otherwise, if you are unsure about any aspect of HIPAA compliance for pharmacies, get in touch with a healthcare attorney.

Fines for HIPAA Breaches by Pharmacies

It is not relevant how large or small your company is, HIPAA compliance for pharmacies is not optional. There have been many penalties for HIPAA violations by pharmacies over the past few years. Not only can HIPAA violations result in a significant fine, they can also seriously harm the reputation of your pharmacy.

The HHS’ Office for Civil Rights has increased enforcement activity in the past two years and fines and settlements over HIPAA breaches are now far more common. State attorneys general are also taking action in relation to privacy breaches and are pursuing financial settlements when PHI is exposed or impermissibly shared. State attorneys general can apply fines up to $250,000 for breaches of the same type that are experienced in a just one year. The HHS’ Office for Civil Rights can issue fines up to $1.5 million per violation category, per year.