Compliance Blog - R.J. Hedges & Associates

Could you have a HIPAA breach and not know?

Tue, Apr 4, 2017 / by Jeff Hedges

Has someone asked you if you’ve ever had a HIPAA breach? Most pharmacy owners will adamantly say, “Of course I’ve never had a breach!” My response: “Really, never?” Have you ever had a clerk give the wrong medication to a patient? Typically, I’ll hear the pharmacy owner answer, “Well, yeah.”

This is the same conversation an investigator or an inspector will have with one of your pharmacy staff members. And as soon as your staff says, “Yes,” they have undermined your entire argument that you’ve never had a breach, exposing your pharmacy to further investigation and possible fines. Breaches are more common than you know. One of the best ways to protect your pharmacy is knowing what is considered a HIPAA breach, how susceptible your pharmacy is to them, and what to do if you discover your pharmacy has had one.

Here are five steps to take if you discover you've had a HIPAA breach. 

What is a HIPAA breach?

In simple terms, a HIPAA breach is when you have lost control of a patient’s protected health information (PHI), whether it’s printed or electronic material. The most common breach is when a clerk gives the wrong patient the wrong medication. This type of breach is a big concern to pharmacy owners and pharmacies. But just because you have a breach doesn’t mean the world is going to come to an end. The repercussions of a breach depend on how you handle it and whether you have to report it or not.

How common are HIPAA breaches within pharmacies?

There are two types of pharmacies and pharmacy owners. The first are the ones who know they have had a breach. The latter are the ones who have had a breach and don’t know about it.

How can a pharmacy have a breach and not know about it?  

The physical breach is when your pharmacy clerk gives the patient the wrong medication. Here are a couple of examples of how you might not know you’ve had a breach:

  • The patient goes out to the car, goes home, and then brings the prescription back into the pharmacy. This is the most common breach. A lot of times the clerk handles it, never says anything to anybody, and doesn’t think that it could be a breach. In one such case, however, the person who got the wrong medication was a healthcare worker and reported it to the Office of Civil Rights.
  • The other type of breach is when someone hacks your system, gets in, and downloads your information. If your security is not good enough, you don’t even know you’ve been hacked and your data is gone.

Both of these examples would cause you to have a breach without your pharmacy knowing.


What are some other examples of breaches in pharmacies?

Theft-Related Breaches:

    • Thieves come in, either during the day or at night, to rob the pharmacy and clean out the will-call bin. The will-call bin matters because every pharmacy label and tag on those bags carries PHI.
    • A pharmacy is robbed and the thieves steal the server.
    • Your staff pharmacist takes a laptop home and the vehicle is stolen, or the home is burglarized at night and the laptop is stolen.
    • The delivery driver is out delivering medications throughout the day and, while delivering to a residence or a facility, the vehicle is stolen. The vehicle is full of the day’s deliveries.
    • A billing manager decides to work from home and brings the billing files on a jump drive. The billing manager loses the jump drive somewhere between the pharmacy and home.

Those are all major issues, and depending on the scope of the incident, each of these could be a reportable breach or a non-reportable breach. It depends on the individual incident, which has to be investigated and assessed to determine what happens next.

What should I do if there’s a HIPAA breach?

  1. Don’t Panic & Get the Facts: The first thing, especially when there is a theft, is to not panic. What you have to do first is get the facts and calm everybody down. Start documenting and get the facts.
  2. Complete a Breach Evaluation: Under the statute, you have to complete a breach evaluation and then a risk assessment. We have our R.J. Hedges clients go through a Potential Breach Evaluation. The key word is potential: suspecting you have a breach does not make it a breach until you finish the risk assessment. This assessment goes through each component of the incident and assesses risk factors, such as whether there is a high probability or a low probability that PHI was compromised. When you finish that process, you’re able to determine whether the breach is reportable or non-reportable.
  3. Report If Required: If it’s reportable, you report the breach to the Office of Civil Rights at the Department of Health and Human Services. The deadline depends on how big the breach is: if over 500 people are involved, you have 60 days to report it. If fewer than 500 people are involved, you have until the end of February of the following year. For example, any reportable breach that happened in 2016 had to be reported by the end of February 2017.
  4. Document Everything: The key thing is to document everything, from the beginning all the way to the end. You want to investigate thoroughly, especially if it’s going to be a reportable breach. Investigate, document, ask questions, look at training, and look at every aspect of the situation. The important thing is that even if it’s non-reportable, you still have to document it. If the Office of Civil Rights (OCR) comes in, either on a blind inspection or while looking into another breach, they want to see how you handle non-reportable breaches. If you have your documentation and OCR sees that you’re handling your non-reportable breaches correctly, you can avoid being issued fines, or at least substantially lower any fines you do get. They want to see that you have an active HIPAA compliance program and that you take breaches seriously. This is a key factor behind the outlandish fines you see for insurance companies and healthcare systems that have breaches: those organizations didn’t take the breaches seriously and had no documentation for their prior breaches.
  5. Determine the Size of the Breach: Try to determine how far the breach went and how much exposure there was for the patient or patients. Were you able to contact every patient? If you weren’t able to contact a patient directly, were there other means you used? If you weren’t able to contact the patients, did you have to notify the news media or a newspaper? There’s a whole series of steps you may have to go through when a breach happens, but not every step applies every time.

Depending on the basic facts you have gathered about what occurred and the results of your Potential Breach Evaluation, you can determine what steps need to be taken next. Just remember: document everything! If you don’t have a HIPAA compliance program protecting your pharmacy, please schedule an appointment with one of our Compliance Strategists to find out what you can do. You can find out more about our R.J. Hedges HIPAA Compliance Program by clicking here.


If you want to hear more about HIPAA breaches as well as the new OCR audits, click here to listen to my latest PODCAST. 



Topics: HIPAA

Written by Jeff Hedges

R. Jeffrey Hedges, CDME, is President & CEO of R. J. Hedges & Associates of New Florence, PA.