Pharmacy HIPAA compliance consists of meeting the requirements of the HIPAA Administrative Requirements, the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, some pharmacies may be subject to more stringent federal and state laws whose requirements pre-empt HIPAA, while some may not be HIPAA Covered Entities at all.
Pharmacies qualify as healthcare providers under HIPAA when they “dispense drugs, devices, and equipment in accordance with a prescription” and “are paid for health care in the normal course of business” (see §160.103). However, this does not necessarily make all pharmacies HIPAA Covered Entities because exemptions can apply. These exemptions include:
- When a pharmacy exclusively sells drugs, devices, or equipment for which no prescription is required. However, if any drugs, devices, or equipment are dispensed “in accordance with a prescription”, all transactions are “covered”, and the pharmacy is a Covered Entity.
- When a pharmacy does not transmit health information electronically in connection with a transaction for which the Department of Health & Human Services has developed standards. A list of transaction standards can be found on the CMS website.
- When a pharmacy does not transmit information classified as health information. For example, a campus pharmacy does not transmit health information because students' medical records are part of their educational records under FERPA.
- When a pharmacy is an industrial, compounding, or regulatory pharmacy involved in development, production, or regulation of drugs. These types of pharmacies do not dispense drugs and have no access to individually identifiable health information.
Few pharmacies meet the criteria to be exempt from pharmacy HIPAA compliance, and therefore most must comply with the Administrative Requirements of HIPAA and the Privacy, Security, and Breach Notification Rules – notwithstanding that some federal legislation (e.g., the Controlled Substances Act) and some state laws (e.g., Illinois' Biometric Information Privacy Act) include more stringent measures than HIPAA and pre-empt HIPAA.
Pharmacy HIPAA Compliance – A Breakdown
Each set of regulations and rules for pharmacy HIPAA compliance has its own section in the Administrative Simplification provisions, with the exception of the Administrative Requirements, which take up Subparts D to S of the General Provisions (§162.402 – §162.1902). These Subparts refer to the general provisions for covered transactions such as the code sets and operating rules for claim status transactions, ASC X12/NCPDP eligibility, and Medicaid pharmacy subrogation.
The Privacy Rule (Part 164 – Subpart E) relates to the required and permissible uses and disclosures of Protected Health Information, uses and disclosures when an authorization is required, and the rights of individuals to request a copy of any designated record set in which Protected Health Information is maintained. The Administrative Requirements of this Subpart also cover topics such as appointing a Privacy Officer, workforce training, and document retention periods.
The Security Rule (Part 164 – Subpart C) consists of the “Security Standards for the Protection of Electronic Protected Health Information” – more commonly known as the Administrative, Physical, and Technology Safeguards. Importantly, this Subpart also includes an “Organizational Requirements” section which relates to relationships between Covered Entities and Business Associates with whom all types of Protected Health Information are shared.
Finally, the Breach Notification Rule (Part 164 – Subpart D) stipulates the processes to follow when unsecured Protected Health Information is used or disclosed impermissibly. In most cases, the processes involve how to notify individuals and HHS' Office for Civil Rights of a data breach; however, many states have their own breach notification rules – some of which (for example Texas' Medical Records Privacy Act) have much shorter notification periods than HIPAA.
Pharmacy HIPAA Violation Examples
Whenever a pharmacy or a Business Associate providing a service on the pharmacy's behalf fails to comply with any of the HIPAA laws, it is a HIPAA violation – regardless of whether there has been an impermissible disclosure of unsecured Protected Health Information (a data breach). Therefore, pharmacy HIPAA violation examples could include:
- The failure to provide customers with a Notice of Privacy Practices.
- The failure to provide customers with access to Protected Health Information.
- The failure to provide members of the workforce with appropriate training.
- The failure to develop backup procedures and a contingency plan.
- The failure to ensure Protected Health Information is disposed of compliantly or returned to the pharmacy on the expiration of a Business Associate Agreement.
Data breaches affecting more than 500 individuals have to be notified to HHS' Office for Civil Rights within sixty days, and HHS maintains a Breach Report Portal which lists cases under investigation. Many of the cases under investigation relate to cybersecurity events, but it is interesting to note that in the “Archive” section, several pharmacies have reported data breaches attributable to physical theft and the mismanagement of pharmacy prescription records maintained on paper.
Most of the archived cases have been resolved with technical assistance and a Corrective Action Plan, but there are two pharmacy HIPAA examples that resulted in a financial penalty. In 2009, CVS Pharmacy Inc settled an investigation into the improper disposal of Protected Health Information for $2.25 million; and, in 2015, the much smaller Cornell Prescription Pharmacy settled an identical pharmacy HIPAA violation for $125,000 and a Corrective Action Plan.
Make Sure Your Pharmacy is HIPAA Compliant
Even though most pharmacy HIPAA violations are resolved with technical assistance and a Corrective Action Plan, there are still indirect costs associated with these outcomes. In the case of the Cornell Prescription Pharmacy, the Corrective Action Plan consisted of an overhaul of its HIPAA policies, liaising with HHS to make sure the new policies were acceptable, and then training all members of the workforce on the new policies.
The indirect costs are attributable not only to the changes the pharmacy had to make to comply with the Corrective Action Plan, but also to the disruption the business suffered during the compliance period. Consequently, it can be a good idea to make sure your pharmacy is HIPAA compliant; and, if you are not sure about your compliance obligations, it can be a good investment to seek professional advice from a compliance advisor.