Pharmacies & HIPAA Compliance

HIPAA is federal legislation that set in place the acceptable uses and disclosures of protected health information (PHI), sets requirements for the secure storage and transmission of PHI, and gives patients the power to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The fines and sanctions for failing to adhere with HIPAA can be severe.

Key Principles of HIPAA Compliance for Pharmacies

The combined text of HIPAA Rules released by the Department of Health and Human Services’ Office for Civil Rights (OCR) is 115 pages, so covering all parts of HIPAA compliance for pharmacies is beyond the range of this post; however, some of the key principles of HIPAA compliance for pharmacies have been described below.

Carry out risk analyses – A thorough, organizational wide risk analysis must be carried out to discover all risks to the confidentiality, integrity, and availability of ePHI. Any risks discovered must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a onetime checkbox element. Risk analyses must be carried out constantly, such as when there is a change to business practices or new technology is created.

Secure PHI constantly – One of the most important parts of HIPAA compliance for pharmacies is ensuring security measure are in place to ensure the confidentiality, integrity, and availability of physical and digital PHI. Pharmacies can decide on the best safeguards to adapt with decisions guided by the findings of the risk analysis.

Hire a privacy officer – A privacy officer must be hired. Any employee can be your designated privacy officer. That person is charged with ensuring policies and procedures are followed, documentation and filing is performed properly, and patient requests for PHI are answered in a timely fashion. The privacy officer must also watch for changes to HIPAA regulations and work with the owner or manager to ensure ongoing compliance.

Receive authorizations – HIPAA allows the use of PHI for treatment reasons, requesting or receiving payment, or pharmacy operations. Any other use or disclosure of PHI must be authorized by the patient in writing before the PHI being used or shared.

Receive business associate agreements – A third party that requires access to PHI or duplicates of PHI to perform a service on behalf of the pharmacy is classed as a business associate and is also required to comply with HIPAA Rules. A business associate must provide reasonable guarantees to the covered entity, by means of a business associate agreement, that the requirements of HIPAA have been understood and that HIPAA Rules will be adhered to.

Ensure PHI is not impermissibly released – Accidentally or deliberately releasing PHI for reasons not allowed by the Privacy Rule can cause considerable damage to patients. Policies and procedures must be developed and implemented to minimize the chances of impermissible disclosures. Care must be taken not to share more than the ‘minimum necessary’ PHI.

Supply patients with duplicates of their PHI – The HIPAA Privacy Rule allocates patients the right to obtain copies of their PHI when they wish to do so. While that right is usually exercised with healthcare providers, pharmacies must also provide duplicates of pharmacy records related to an individual if requested.

Destroy PHI correctly – PHI such as prescription labels and documents must be destroyed of in a manner that prevents the PHI from being seen or reconstructed. Paperwork like labels should be shredded, pulverized, pulped, or burnt. ePHI on electronic devices must be permanently deleted before disposal.

Give training to staff – All pharmacy staff are required to comply with HIPAA Rules, as well as volunteers and interns that are required to access with PHI. All staff must be made aware of HIPAA Rules that apply to them and what PHI is.  HIPAA training should be conducted as soon as possible with refresher training conducted regularly. Pharmacies must also provide security awareness training to employees.

Advise patients of privacy practices – All HIPAA covered bodies must record their privacy practices and share that data with patients. Signatures should be received from patients confirming they have received the notice of privacy practices.

Alert patients/OCR of a privacy breach – Patients must be advised when their PHI has been exposed or stolen and OCR must also be informed. Alerts must be shared with patients and OCR within 60 days of the discovery of a breach. OCR can be notified of a breach that affects less than 500 individuals no later than 60 days from the end of the calendar year in which the breach happened.

Since HIPAA compliance for pharmacies can be complicated and the financial penalties for noncompliance are debilitating, we suggest contacting a compliance specialist who will be able to walk you through the steps you need to take to comply with all elements of HIPAA Rules. Otherwise, if you are unsure about any aspect of HIPAA compliance for pharmacies, contact a healthcare lawyer.

Financial Penalties for Pharmacy HIPAA Breaches

It is not relevant how large or small your company is, HIPAA compliance for pharmacies is not optional. There have been many fines and sanctions for HIPAA violations by pharmacies over the past few years. Not only can HIPAA violations result in a massive fine, they can also seriously hurt the reputation of your pharmacy.

The HHS’ Office for Civil Rights (OCR) has lead to a rise in enforcement activity in the past two years and fines and settlements over HIPAA violations are now far more widespread. State attorneys general are also taking action over privacy violations and are pursuing financial settlements when PHI is exposed or impermissibly shared. State attorneys general can issue fines up to $250,000 for violations of the same sort that are experienced in a single year. The HHS’ Office for Civil Rights can issue fines up to $1.5 million per violation category, per year.