HIPAA Phase 2 Compliance Audits

Most know that the HIPAA Phase 2 audits regarding onsite inspections for compliance have been delayed and on hold for quite a while now. Last year a total of over 200 "desk top" audits were conducted by the Department of Health and Human Services' Office for Civil Rights (OCR). Yet the actual onsite compliance audits have continuously been postponed and delayed over the past eighteen months.  Back in February of this year the OCR stated that they intended to initiate the audits by the last quarter of this year, but that they may "slip" into 2018. Now all indications point to the Phase 2 HIPAA audits being fast tracked for fourth quarter of 2017.

MHS $5.5million & Walgreens $1.4million Settlements

The impetus for the fast tracking of the HIPAA Phase 2 audits may stem from the 5.5 million dollar settlement paid by MHS (Memorial Health Care Systems) earlier this year. Many people remember that MHS ran 6 hospitals, a nursing home, plus an urgent care center and several other ancillary health care facilities in South Florida. Additionally, MHS was affiliated with multiple doctor's offices using an Organized Health Care Arrangement (OHCA). According to OCR, well over 100,000 patients had their HIPAA rights violated by employees of MHS. MHS did have policies and procedures in place, however the fines centered around it's employees NOT following the procedures and the fact that MHS not providing review documentation as the HIPAA rules required. Additionally, MHS failed to regularly review records of information system activity even after identifying that the problem existed from multiple risk analyses conducted between 2007 to 2012.It has been two years now since the $1.4million verdict against Walgreens was upheld by the Indiana Court of Appeals. The court had ruled against Walgreens Pharmacy and one of its pharmacists who shared confidential medical information regarding a patient. The court based the award on the fact that they had violated HIPAA restrictions and broken the patient's rights to privacy and confidentiality, thus resulting in harm to the individual and his family. That ruling was the initial decision by a State Court holding a healthcare company or provider liable for an employee violating the Health Insurance Portability and Accountability Act, but there have since been others. Many Pharmacists still remember back in 2009 when the CVS drug chain agreed to pay $2.25million to settle for HIPAA violations regarding the inappropriate disposal of prescription bottles and receipts that was considered a violation of HIPAA standards and rules.It must also be pointed out that legally patients own their medical records. More and more patients and consumers are aware of this right and requesting their medical records from their doctors, hospitals and pharmacies. Previously, in the "paper age", obtaining them was a costly, time consuming process. However, in this age of electronic medical records (and digital data storage and retrieval), obtaining one's medical records is easily accomplished. A recent survey reported that over 97 percent of hospitals and over 82 percent of physicians utilize electronic records for their patients. So the public's expectation is that they are "quickly" entitled to this information, plus it should be provided without hesitation and inexpensively (as compared to just a decade ago). In a previous article in The Peoples Pharmacy, patients are encouraged to obtain their medical records and can even download and print a free "drug safety questionnaire" to take to their Pharmacists and physicians to fill out.

Pharmacy Operations and HIPAA

HIPAA's Privacy Rule basically was put in place to safeguard a patient’s protected healthcare information (PHI). Additionally it mandates that a patient has access to their own medical records and their own health information. These HIPAA Privacy Rules apply to everyone who "manages health care transactions", and the point to be noted is that this includes Pharmacies, Pharmacists and the entire Pharmacy staff.

The Rules

Suffice it to say that the rules are complex regarding a patient’s protected healthcare information (PHI). The basis of HIPAA and the HIPAA Privacy Rules simply stated is that Pharmacies must get signed authorization from patients prior to service that allows the Pharmacy to use their PHI during their care, plus allows the patient to access said PHI. Yet there are exceptions, exclusions, provisions from other acts (such as the Clinical Laboratory Improvement Act) that have turned the good intentions of HIPAA into a legal "quagmire" for the Pharmacy and Pharmacist. Just a few that were noted in some recent articles (including an excellent post in Pharmacy Times):-  Exclusions to a patient's PHI (when it could harm the individual or others) include psychotherapy notes, legal documents, or laboratory results prohibited under the Clinical Laboratory Improvement Act (CLIA).- Another exclusion is if the patient is not able or unavailable to agree or object in instances where disclosure is required by law, public health oversight, or child abuse or neglect.-  PHI must be disclosed regardless of patient’s authorization to the U.S. Department of Health and Human Services (HHS) during an investigation.- Additionally there are situations when a Pharmacy or Pharmacist may disclose a patient’s PHI without consent under certain treatment, payment or operations "instances".

What Should You Do Regarding Being HIPAA Compliant?

The answer is simple: Develop good Policies and Procedures. Then educate your staff on how to implement and follow them. Train yourself and your staff on the law and do not tolerate violations of your Policies and Procedures. Plus, it is clear that documentation and review are imperative! Simply having a policy and procedure by its self is not sufficient (as the settlements by Memorial Health Systems and Walgreens clearly show).In the past, it was common practice for a Pharmacist or Pharmacy staff member to share the personal prescription records of patient with the patient's family members or even friends out of concern or in an attempt to help. Yet now such actions are violations of laws and can result in lawsuits, fines and negative publicity for your Pharmacy business.As always, please contact us here at HCC if you have any questions regarding development of policies and procedures related to HIPAA Compliance. If you already have HIPAA policies and procedures in place, perhaps a review by an objective (and experienced) third party is a good idea? With over 28 years in the Pharmacy Consulting business, HCC can assist with expert advice in any area of your pharmacy business or practice. We urge you to contact us today to see how our Pharmacy Consulting services can help. With a full-time staff of in-house Pharmacy Consultant specialists, HCC can answer any questions that you may have in all Pharmacy settings. Contact us online or call us today at 800-642-1652 for a free consultation.