HIPAA Compliance for Pharmacies



If HIPAA were a child, it would be going into its senior year of High School! Even though HIPAA has been part of healthcare for over 17 years, many providers think it only includes posting a Notice of Privacy Practices (NOPP) and having patients sign a HIPAA notice.

The root of HIPAA is access to and protection of Protected Health Information (PHI). Most providers are only doing the “minimum” just to get by because no one really looks at HIPAA. Unfortunately, this is no longer true and this kind of thinking can set you up for a “minimum” fine later on. In this article, we will discuss why having a HIPAA compliance program is important, things you can do to get started, examples of people who thought they didn’t need to have all their HIPAA items in place and the issues they had, and some stress free solutions to help you become HIPAA compliant.

There are many avenues within the HIPAA law that healthcare facilities need to follow. For example, with HIPAA extending to entities outside of primary healthcare providers, you need to ask, “Who am I allowing to access my patients’ PHI?” We’re not just talking about the caregivers and family of your patients, but also the employees in your facility, law enforcement, attorneys, and especially your Business Associates. By knowing what the rules are and having detailed written Policies & Procedures, you can guarantee that you and your staff are following the law. Having up-to-date, signed Business Associate Agreements (BAA) with 1099 employees and vendors adds a layer of protection and understanding to what each party will do and be responsible for in handling PHI and in the event of a breach.

Do you know how to handle a breach where a patient is given the wrong medication, someone hacks into your software, a jump (thumb) drive is lost, or a robbery where your server is stolen?

OCR on-site inspections ask for the following four documents from the first person they meet in your facility.

  • Notice of Privacy Practices
  • Risk Analysis
  • Risk Management Plan
  • Disaster Recovery Plan

Do you have these documents? They are part of your annual training requirement.

Have you updated your Disaster Recovery Plan lately? In the past few years, we have seen wildfires, flooding, volcanic activity, and unprecedented snow falls. Now, in 2020, we are witnessing HIPAA violations in regards to COVID-19, rampant looting, protests, and destruction of businesses including many pharmacies. Philadelphia, PA has reported that more than one-third of their pharmacies have been looted.

The Disaster Recovery Plan, Risk Management Plan, and Risk Analysis help to outline what will be done to protect files and serve your patients in the event that Mother Nature turns against you, there is a fire, a burglary, or another accident rendering your facility inoperable.

You may be thinking there is too much to do, too little time in the day, and the chances of being caught are slim. I’ll agree with the first two points. However, we have seen, time after time, small practices and large entities being hit with fines for failure to have updated BAAs, not notifying patients after a breach, having a large breach, or misuse of PHI. The moral of the story, you need to have some type of HIPAA program in place. OCR has assessed over $117 million in fines for just 77 cases of HIPAA Privacy Rule violations (according to data on HHS website).

Some examples are:

  • Health Care Provider, UT. A doctor has agreed to pay $1,400,000 and write a corrective action plan after a federal investigation found the doctor failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. (Reference HHS Press Release, March 3, 2020)
  • Dental Practice, TX. A dental practice has agreed to pay $10,000 and will need to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule after posting and disclosing a patient’s last name and the details of the health condition via social media. (Reference HHS press release, October 2, 2019)
  • Hospital Group, VA and NC. A hospital group with 12 acute care hospitals and more than 300 sites, mailed bills to patients containing other patient’s PHI and refused to report the breach and failed to have BAAs which resulted in a 2.175 million dollar fine. According to Roger Severino, OCR Director, “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.” (Reference OCR, November 27, 2019)

While the five largest fines since 2008 have been for large entities, we can hopefully learn from their omissions and failures. If you share PHI with an entity and do not have a BAA with them, you are liable if they have a breach and can incur fines in the millions of dollars.

  1. Memorial Healthcare System in Hollywood, FL, paid $5.5 million in 2017 to settle allegations that employees inappropriately disclosed 115,143 individuals' data to affiliated physician office staff.
  2. Advocate Health Care Network agreed to pay $5.5 million in 2016 after an investigation showed it had failed to protect patient data, which led to the loss of 4 million patients' information in 2013.
  3. Presbyterian Hospital and Columbia University, both based in New York City, paid a total of $4.8 million in 2014 to settle a 2010 data breach related to their shared data network.
  4. In June, the University of Texas MD Anderson Cancer Center in Houston was ordered to pay $4.3 million in civil penalties for HIPAA violations related to the organization's encryption policies.
  5. Cignet Health based in Temple Hills, MD, paid $4.3 million in 2011 to settle claims it violated 41 patients' rights by denying them access to their medical records.

(Reference Becker’s Health IT & CIO Report)

So, if you’re fretting and nervous, don’t worry. You don’t have to try to read, interpret, and write your own program. The R.J. Hedges & Associates HIPAA Program can be customized for your facility. Once prepared, you’ll even have a Project Manager to help you implement it and answer all your questions that are bound to come up. You can rest assured, knowing this HIPAA Program is designed for your abnormal days, i.e., you’ve had a robbery, the police are requesting information, an estranged parent is requesting information about their child, an adult child is requesting information on behalf of their elderly parent, or, heaven forbid, you’ve had a breach.

Our HIPAA program has over 70 Policies & Procedures and an additional 75 support documents, including the NOPP, Disaster Recovery Plan, Risk Analysis, Risk Assessment, Breach Assessment, and Workforce Classification for PHI Access.

To see how compliant your current HIPAA Program is, feel free to take our FREE HIPAA Compliance Assessment.

Becky Templeton

Becky is a Board Certified DME Specialist and Accredited Business Intermediary. Her education and training background fuels her desire to understand how things work, while trying to get the simplest answers and best methods for implementation. She is the go to woman for R.J. Hedges’ training and the voice of many of our videos.

Subscribe Here!

Recent Posts