Is your pharmacy ready for the new Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rules? New privacy rules took effect in March, 2013, and enforcement begins in September.
“All of the familiar rules surrounding health information and individual patient information have changed,” said HIPAA consultant Jeff Hedges, CDME, president and CEO of RJ Hedges & Associates. “Every pharmacy in the country is subject to new requirements for protected health information, network and password security, law enforcement, patient rights and protections, policies and protocols, the handling of information breaches, new business associate agreements, and more. Enforcement begins on September 23.”
Hedges explained the new HIPAA rules during a webinar sponsored by Pharmacy Development Services.
Privacy practices posted
All pharmacies must have a new and revised Notice of Privacy Practices (NOPP) posted in a public area and on websites no later than September 23, he said. All patients must be given a copy of the new NOPP and asked to sign the new notice, although signature is not required.
All of the basic definitions used in privacy regulations have changed. So have the rules that govern access to records, restrictions on protected health information, confidential communications of protected health information, and accounting for disclosures of protected health information.
Requirements to safeguard health information have been strengthened. So have reporting requirements for breaches that compromise the security or privacy of protected health information.
“A breach is anyone getting patient information who is not authorized to get it,” Hedges said. “It doesn’t matter if the information is stolen, if your computer is hacked, or if a patient discards packaging that has their name or other protected health information on it. If there is a breach, you have a duty to notify the patients affected, the federal government, and maybe your local media.”
Report privacy breaches
Every breach must be reported directly to the patient or patients involved, he explained. The Department of Health and Human Services (DHHS) must also be notified of every breach with an action plan to prevent similar breaches in the future. Fewer than 500 breaches can be reported in a batch not later than the end of February the year after the breaches become known.
If more than 500 patients are involved, DHHS must be notified immediately as well as major local media outlets, including newspapers, radio, and television.
“It is not going to help your image to be on the six o’clock news explaining why you lost patient data,” Hedges said. “Giving the wrong script to the wrong patient is a breach. Your clerks have to be aware that they are responsible. Personally responsible.”
Many of the new HIPAA rules are designed to avoid breaches. Computer networks must be secured and protected by passwords. Every user must have an individual password, and all passwords must be changed at least every 180 days.
Wireless routers and network access points are a weak link in many networks, he added. Every router and access point must be password protected. USB devices are another potential danger because they can be used to download and store health information that should be protected. Point-of-sale electronics and credit card devices that capture and store patient names, Rx numbers, and sales data can also be the source of unintended breaches. Disgruntled or former employees can also disclose protected information.
The person who causes the breach can be held personally responsible, Hedges said. The federal government is interested primarily in what steps are taken to minimize risks. That means when a breach is reported, the pharmacy must also report steps taken to prevent future risks. If officials are satisfied, there may be no fines involved. But not acting on a breach brings a $1.5 million fine for each occurrence.
“The consequences of breaching health information are a real threat to all healthcare providers,” Hedges said. “Your liability insurance does not cover these fines, and bankruptcy does not relieve you of the debt.”