Honestmed
Wednesday, May 03, 2006
  What is HIPAA?
HIPAA: Practical Application of the Federal Patient Privacy Act
 
Alan R. Spies, R.Ph., J.D., Ph.D. Cand.
Virgil Van Dusen, R.Ph., J.D.
 
 
 
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996; its Privacy Rule took effect on April 14, 2003. The Rule is the first comprehensive federal regulation designed to safeguard the privacy and security of protected health information.1 As a result, virtually every pharmacy that conducts certain financial and administrative transactions electronically, such as billing and fund transfers, must be in compliance.
 
Confidentiality has always been an important aspect of the practice of pharmacy. To further encourage such professional behavior, ethical codes combined with some state statutes and regulations promote a high professional standard. The new HIPAA rules do not replace state regulations or other laws that grant individuals even greater privacy protections. Furthermore, pharmacies are free to retain or adopt protective policies or practices more stringent than HIPAA if desired.
 
HIPAA is one of the most significant pieces of federal legislation to affect pharmacy practice since OBRA '90. HIPAA describes the framework for the use and disclosure of health information for treatment, payment, or health care operations at all covered entities, including pharmacies. But HIPAA does more than restrict what a pharmacy can do with patient health information. It gives important rights to patients, such as the right to access the information, the right to seek details of the disclosure of the information, and the right to view the pharmacy's policies and procedures regarding the confidential information (TABLE 1).
 
 
 
Compliance Requirements: Five Key Elements
Compliance with HIPAA is not optional. Fortunately, the Privacy Rule (the Rule) of HIPAA gives needed flexibility for pharmacies to create their own privacy rules and procedures, tailored to their needs. For instance, policies and procedures of an independent pharmacy may be more limited under the Rule than might those of a large chain or health plan, based on the volume of health information maintained and the number of interactions with individuals in the health care system.
 
Implementation and Posting of Policies and Procedures
The Privacy Rule requires each pharmacy to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI). PHI is defined as individually identifiable health information transmitted or maintained in any form and via any medium. Examples of PHI are prescriptions, patient record systems, or recorded pharmacist comments relevant to patient therapy.
 
To achieve these steps, a pharmacy must implement reasonable policies and procedures that limit how PHI is used, disclosed, and requested for certain purposes. Policies and procedures may be standard protocols that limit the PHI disclosed or requested to the minimum necessary for the particular type of disclosure or request. These minimum necessary policies and procedures must reasonably limit the number of individuals within the pharmacy who have access to PHI and specify the conditions of such access, based on job responsibilities and the need to access such information to perform their duties. The Rule recognizes that the pharmacy itself is in the best position to determine who needs access to PHI held in its own records.2
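The minimum necessary standard above is, in security terms, least-privilege access control: each job role sees only the PHI fields it needs for a stated purpose, access is denied by default, and every decision is recorded so a complaint can later be investigated. The following is an added illustration and is not code from the article or from any pharmacy system; the roles, purposes, field names, and the sample prescription record are hypothetical and constructed for the example. Note that this internal access log is a safeguard, not the formal accounting of disclosures the Rule requires, which has its own rules and exclusions.

```python
"""Minimum-necessary PHI access with deny-by-default and an access audit log.

Added example, not from the original article. Roles, purposes, field names and
the sample record are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample PHI record for one prescription (not real data).
RECORD = {
    "patient_name": "Jane Example",
    "date_of_birth": "1970-01-01",
    "drug": "lisinopril 10 mg",
    "sig": "one tablet daily",
    "diagnosis_code": "I10",
    "insurance_id": "XYZ123",
    "pharmacist_notes": "counselled on dizziness",
}

# Hypothetical minimum-necessary policy: (role, purpose) -> fields that role
# may see for that purpose. Anything not listed here is denied outright.
POLICY = {
    ("pharmacist", "treatment"): {"patient_name", "date_of_birth", "drug", "sig",
                                  "diagnosis_code", "pharmacist_notes"},
    ("technician", "treatment"): {"patient_name", "drug", "sig"},
    ("billing_clerk", "payment"): {"patient_name", "insurance_id", "drug"},
    ("cashier", "pickup"): {"patient_name", "drug"},
}


class AccessDenied(PermissionError):
    """Raised when a (role, purpose) pair has no policy entry at all."""


@dataclass
class AccessLog:
    """Internal audit log of every PHI access decision, granted or refused."""
    entries: list = field(default_factory=list)

    def add(self, user, role, purpose, granted, refused, denied=False):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "purpose": purpose,
            "granted": sorted(granted),
            "refused": sorted(refused),
            "denied": denied,
        })


def disclose(record, user, role, purpose, log, requested=None):
    """Return only the fields of `record` that `role` may see for `purpose`.

    Deny by default: an unknown (role, purpose) pair gets nothing and raises.
    If `requested` names specific fields, those outside the allowed set are
    dropped from the result and recorded as refused in the log, so an
    over-broad request never widens what is disclosed.
    """
    allowed = POLICY.get((role, purpose))
    if allowed is None:
        log.add(user, role, purpose, granted=set(), refused=set(record), denied=True)
        raise AccessDenied(f"{role!r} has no minimum-necessary policy for {purpose!r}")
    wanted = set(requested) if requested is not None else set(allowed)
    granted = wanted & allowed & set(record)
    refused = wanted - allowed
    log.add(user, role, purpose, granted, refused)
    return {k: record[k] for k in granted}


if __name__ == "__main__":
    log = AccessLog()
    print(disclose(RECORD, "tech1", "technician", "treatment", log,
                   requested=["drug", "diagnosis_code"]))
    try:
        disclose(RECORD, "cash1", "cashier", "treatment", log)
    except AccessDenied as e:
        print("denied:", e)
    for entry in log.entries:
        print(entry)
```

The two failure modes worth noticing: a technician asking for a diagnosis code gets the drug only, and the refusal is logged rather than silently ignored; a cashier asserting a "treatment" purpose is denied entirely because the policy has no such entry, so a missing row can never become an implicit grant.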
 
A pharmacy is also required to post its entire Notice of Privacy Practices at the facility in a clear and prominent location and on its Web site (if one exists). The pharmacy has discretion to design the posted notice in a manner that works best for its facility. This may include simply posting a copy of the notice pages that are provided directly to individuals.
 
Obtaining Patient Consent
The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of the pharmacy, as well as their privacy rights with respect to their PHI (TABLE 2). As a result, pharmacies are required to develop and distribute a notice with a clear explanation of these rights and practices (TABLE 3). This notice must be given to every individual no later than the date of the first service provided (or when the first prescription is dispensed) and requires that a good faith effort be made to obtain the patient's written acknowledgment of receipt of the notice. This receipt must be maintained by the pharmacy for six years from the date that the document was signed or the last date that a patient received a prescription, whichever is later. To satisfy the acknowledgment requirement, the pharmacy can make a good faith effort by including a tear-off sheet or other document with the notice that requests that the acknowledgment be mailed back to the pharmacy. The pharmacy is not in violation of the Rule if the individual chooses not to mail it back.
 
 
 

A pharmacist is permitted to have customers acknowledge receipt of the notice by signing or initialing the logbook they currently sign when they pick up prescriptions, provided that the patient is clearly informed of the logbook and of what is being acknowledged. This acknowledgment may not be used as a waiver or permission for something else that also appears on the logbook (such as a waiver to consult with the pharmacist). The HIPAA Privacy Rule allows a pharmacy the discretion in designing an acknowledgment process that best works for its business. It is not necessary to provide notice to every family member; notice to the named insured of a policy under which coverage is provided is satisfactory. Therefore, children younger than 18 are not required to receive the notice.
 
 
 

Should a pharmacy change its policy regarding PHI, it would not be required to obtain new acknowledgments from patients. In addition, HIPAA does not require the pharmacy to mail revised notices or to otherwise notify patients by mail of changes to the notice.
 
Selecting a Compliance Officer
The privacy regulations require the pharmacy to designate an individual to manage compliance with the Act, provide training, institute safeguards for the release of health information, and address patient concerns. The pharmacy manager could be assigned the duties of the "privacy officer." However, since HIPAA and its rules contain hundreds of pages of "fine print," the sensible approach of larger groups of pharmacies is to designate one person to oversee the implementation of policies, procedures, and HIPAA compliance.
 
Training Requirements
One part of the compliance requirements of HIPAA is that all employees working in a pharmacy environment in which patient-specific health information is used must have received training on the new regulations before they went into effect. The training necessarily includes pharmacists, technicians, and any others who assist in the pharmacy. Documentation for this training must be maintained by the pharmacy. New employees hired after April 14, 2003, must be trained within a reasonable period of time, and retraining of all affected employees must be conducted if changes are made to policies and procedures regarding PHI.
 
Maintaining "Business Associate" Agreements
In some situations, it will be necessary for a pharmacy to allow disclosure of PHI to a person or an organization that is known under the Act as a "business associate" (BA). A BA is defined as a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or providing services to, a pharmacy. BA functions and activities may include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, and repricing. Other examples could include a CPA firm whose accounting services involve access to PHI or an accrediting organization.
 
Under HIPAA, a pharmacy is allowed to disclose PHI to a BA if the pharmacy obtains satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the pharmacy, that it will safeguard all such information from misuse, and that it will assist the pharmacy in complying with the required duties under the Privacy Rule. A pharmacy contract or other written arrangement with a BA must:
 
• Describe the permitted and required uses and disclosures of the PHI by the BA.
• Provide that the BA will not use or further disclose the PHI other than as permitted or required by the contract or as required by law.
• Require the BA to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.
 
Permitted/Incidental Disclosure of PHI
Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information. Discreet professional discussions, locked file cabinets, and computer passwords are examples of these safeguards.
 
The Privacy Rule recognizes that oral communication often must occur freely and quickly in settings such as a pharmacy. The Rule also recognizes that overheard communications in these settings may be unavoidable and, as such, the Rule allows for these incidental disclosures. A pharmacy's safeguards are not expected to guarantee the privacy of PHI against any and all potential risks in order to satisfy HIPAA standards. Some risk of incidental disclosure will always be present.
 
Pharmacist/Health Professional Disclosures: Health care professionals may engage in confidential conversations with other providers, even if there is the possibility they could be overheard. There is no prohibition of pharmacists' discussing patient issues with the physician over the phone. In these circumstances, reasonable precautions could include lowering one's voice or positioning oneself out of public earshot when sharing PHI.
 
Pharmacist/Patient Disclosures: Likewise, a pharmacist may discuss a prescription with a patient at the pharmacy counter or on the phone. Patients can request certain privacy protections, such as asking that the pharmacist call only at the office rather than at home, and the pharmacy is obligated to accommodate such a reasonable request when it is made. Furthermore, a pharmacist or pharmacy technician may call out the patient's name over the public announcement system in the pharmacy when a prescription is ready, so long as the information disclosed is appropriately limited. These types of disclosures do not require documentation under HIPAA.
 
A pharmacist may leave a message at a patient's home, either on an answering machine or with a family member, stating that the prescription is ready. HIPAA permits pharmacists to communicate with patients at their homes, whether by mail, phone, or e-mail. However, the pharmacy should take care to limit the amount of information disclosed on an answering machine. When leaving a message with a family member, the pharmacist should use professional judgment to ensure that such disclosures are in the best interest of the individual.
 
A patient can have a friend or family member pick up the prescription. However, a pharmacist should use professional judgment in making reasonable inferences in the patient's best interest. The fact that a relative or friend arrives to pick up a specific prescription for a patient effectively verifies that the person is involved in the patient's care, and the HIPAA Privacy Rule allows the pharmacist to give the filled prescription to that person. The patient does not need to provide the pharmacist with the names of such persons in advance. Mailing refill reminders to patients is permitted under the Privacy Rule, even if the pharmacy contracts with a mail house to do so and a third party pays for the mailing costs.
 
Pharmacist/Personal Representative: The Privacy Rule requires pharmacies to treat a patient's personal representative as the patient, with respect to the use and disclosure of the PHI, as well as the patient's rights under the Rule. State regulations or other laws should be consulted to determine the authority of the personal representative to receive or access the patient's PHI. If the personal representative is authorized to make health care decisions, then generally the personal representative can be granted access to the patient's PHI. In most cases under the Rule, the parent is the personal representative of a minor and can exercise the minor's rights with respect to PHI, because the parent usually has the authority to make health care decisions about the minor child.
 
Pharmacist/Public Health Activities: The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to PHI to carry out their public health mission. An example of a public health authority is the FDA. It is permissible for a pharmacy to disclose PHI for public health purposes related to quality, safety, or effectiveness of an FDA-regulated product. Such purposes might include reporting adverse drug events, product defects (including problems regarding use or labeling), enabling product recalls, or conducting postmarket surveillance. In these situations, the pharmacy is permitted to disclose the minimum amount of PHI that is reasonable to assist the FDA in dealing with the problem.
 
Prohibited Disclosures
Generally, disclosure of PHI beyond use for treatment, payment, or health care operations requires a signed patient authorization. Unless authorized by the patient, conveying PHI to a telemarketer, using PHI in employment determinations, selling PHI to marketing agencies, or transferring names of patients with certain diseases to a pharmaceutical manufacturer are prohibited. Before a pharmacy transfers any information about a patient to a third party, it would be wise to ask, "Will such a transfer violate a patient's rights under HIPAA?"
 
Security
Security of protected health information is an important component of the Act. HIPAA security standards require taking the actions that a prudent person would agree are necessary to protect the information. A number of steps can be taken toward this. First, policy should reasonably limit physical access to the pharmacy area, especially by nonemployees. Second, adequate supervision of the pharmacy area should be made a priority. Third, the software products and programs used by pharmacists should be reviewed to ensure they protect the PHI they handle. Another step is placing filled prescriptions in bins out of public view, rather than leaving patients' health information visible to anyone at the counter. These simple measures help prevent HIPAA security breaches.
 
Enforcement
The Department of Health and Human Services' Office for Civil Rights (OCR) is charged with enforcing the HIPAA privacy standards. Compliance is a top priority. Failure to timely implement these standards may lead to civil or criminal penalties. Violation of HIPAA regulations may lead to civil monetary penalties of $100 per violation, up to $25,000 per year for identical violations. Criminal penalties are fines of up to $50,000 and/or one year of imprisonment for wrongful disclosure, up to $100,000 and/or five years of imprisonment for wrongful disclosure under false pretenses, and up to $250,000 and/or 10 years of imprisonment for wrongful disclosure with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.
 
Additional Information
The OCR is providing assistance to help pharmacies and other covered entities in complying with the Rule. For example, the OCR maintains a Web site with informative categories/sections, such as Guidance, Frequently Asked Questions, sample BA contract provisions, reference documents, and technical assistance. The National Association of Chain Drug Stores and the National Community Pharmacists Association have published compliance manuals for pharmacies, and numerous Web sites are also available to field questions (TABLE 4).
 
 
 

Conclusion
The Health Insurance Portability and Accountability Act is a federal law intended to protect the privacy and security of patient health care information. All pharmacies that electronically transmit patient information must comply with the Privacy Rule, which took effect on April 14, 2003. The Rule gives patients certain rights regarding their health information and places responsibilities on pharmacies to guard that information. Unapproved dissemination of patient information can result in both civil and criminal penalties. Pharmacies must take immediate action to meet the requirements of the Act to avoid patient and/or government scrutiny and prosecution.
 
REFERENCES
1. Standards for Privacy of Individually Identifiable Health Information. 67 Fed Reg 53182 (2002) (codified at 45 CFR Parts 160 and 164).
2. Bishop SK, Winckler SC. Implementing HIPAA privacy regulations in pharmacy practice. J Am Pharm Assoc. 2002;42:836-846.
 
 