Do you have Pharmacy HIPAA compliance policies and procedures at your pharmacy? Are your employees HIPAA certified? HIPAA (Health Insurance Portability and Accountability Act) is always a topic of discussion when patients start asking their pharmacists and physicians for the receipts of their medical expenditures for tax purposes. This usually starts happening in late November and December, plus continues all the way to April 15th. These receipts are considered to be a part of a patient’s medical records and their release (what information and to whom it is released) should be covered in your pharmacy’s policies and procedures manual. Additionally, it is wise to get your staff training on dealing with patient confidentiality and even have them become HIPAA certified. Now is the time to make sure that your employees understand exactly what HIPAA compliance really is, plus gives you the time to update your P & P manual and get your staff properly trained and certified in regards to your pharmacy operation being HIPAA compliant.
Verdict Against Walgreens Upheld by the Indiana Court of Appeals
It has been almost three years now since the $1.4 million dollar verdict against Walgreens was upheld by the Indiana Court of Appeals. The court had ruled against Walgreens Pharmacy and one of its pharmacists who shared confidential medical information regarding a patient. The court based the award on the fact that they had violated HIPAA restrictions and broken the patient’s rights to privacy and confidentiality, thus resulting in harm to the individual and his family. That ruling was the initial decision handed down by an Indiana State Court holding a healthcare company or provider liable for an employee violating the Health Insurance Portability and Accountability Act, but there have since been others. Many Pharmacists still remember back in 2009 when the CVS drug chain agreed to pay $2.25 million to settle for HIPAA violations regarding the inappropriate disposal of prescription bottles and receipts that were considered to be violations of HIPAA standards and rules.
Patients Own Their Medical Records
It must also be pointed out that legally patients own their medical records. More and more patients and consumers are aware of this right and requesting their medical records from their doctors, hospitals and pharmacies. Previously, in the “paper age”, obtaining them was a costly, time consuming process. However, in this age of electronic medical records (and digital data storage and retrieval), obtaining one’s medical records is easily accomplished. A recent survey reported that over 97 percent of hospitals and over 82 percent of physicians utilize electronic records for their patients. So the public’s expectation is that they are “quickly” entitled to this information, plus it should be provided without hesitation and inexpensively (as compared to just a decade ago). In a good article in The Peoples Pharmacy, patients are encouraged to obtain their medical records and can even download and print a free “drug safety questionnaire” to take to their pharmacists and physicians to fill out.
Pharmacy Operations and HIPAA
HIPAA’s Privacy Rule basically was put in place to safeguard a patient’s protected healthcare information (PHI). Additionally it mandates that a patient has access to their own medical records and that patients have the right of ownership regarding their own healthcare information. These HIPAA Privacy Rules apply to everyone who “manages health care transactions”, and the point to be noted is that this includes pharmacies, pharmacists and the entire pharmacy staff.
Suffice it to say that the rules are complex regarding a patient’s protected healthcare information (PHI). The basis of HIPAA and the HIPAA Privacy Rules simply stated is that pharmacies must get signed authorization from patients prior to service that allows the pharmacy to use their PHI during their care, plus allows the patient to access their PHI. Yet there are exceptions, exclusions, provisions from other acts (such as the Clinical Laboratory Improvement Act) that have turned the good intentions of HIPAA into a legal “quagmire” for the pharmacy and pharmacist. Just a few that were noted in some excellent articles (including a well explained discussion in Pharmacy Times):
– Exclusions to a patient’s PHI (when it could harm the individual or others) include psychotherapy notes, legal documents, or laboratory results prohibited under the Clinical Laboratory Improvement Act (CLIA).
– Another exclusion is if the patient is not able or unavailable to agree or object in instances where disclosure is required by law, public health oversight, or child abuse or neglect.
– PHI must be disclosed regardless of patient’s authorization to the U.S. Department of Health and Human Services (HHS) during an investigation.
– Additionally there are situations when a pharmacy or a pharmacist may disclose a patient’s PHI without the patient’s consent under certain treatment, payment or operations “instances”.
Reporting Violations and Possible Fines
HIPAA violations must be reported to the Department of Health and Human Services (HHS). If a violation affects more than 500 patients, then HHS must be notified within sixty (60) calendar days. If less than 500 patients are affected by a violation, you may notify HHS no later than sixty (60) days after the end of that calendar year. Fines range from a minimum of $100 per violation up to $1.5 million.
What Should You Do Regarding HIPAA Compliance
The answer is simple: Develop good Policies and Procedures. Don’t delay – do it now! Then educate your staff on how to implement and follow them. Train yourself and your staff on the law and do not tolerate violations of your Policies and Procedures.
In the past, it was common practice for a pharmacist or pharmacy staff member to share the personal prescription records of patient with the patient’s family members or even friends out of concern or in an attempt to help. Yet now such actions are violations of laws and can result in lawsuits, fines and negative publicity for your pharmacy business operation. Perhaps it’s time to have a comprehensive Pharmacy Business Review of your entire operation by an objective and experienced third-party pharmacy consulting firm.
About Healthcare Consultants
As always, please contact us here at HCC if you have any questions regarding development of policies and procedures related to HIPAA Compliance. If you already have HIPAA policies and procedures in place, perhaps a review by an objective (and experienced) third party is a good idea? With over 29 years in the pharmacy consulting business, HCC can assist you with expert advice in any area of your pharmacy business or practice. With a full-time staff of in-house Pharmacy Consultant specialists, HCC can answer any questions that you may have in all pharmacy settings. Contact us online or call us today at 800-642-1652 for a free consultation.